noob here.
Creating a PWA React app using create-react-app and running into the CSP issue regarding default set to none and no img setting to override it.
Have searched for and tried many, many helpful answers for this exact problem but have not hit upon the one that will work for my app.
Maybe I just need a second pair of eyes?
The error is:
Cannot GET /
The console tells me this:
Failed to load resource: the server responded with a status of 404 (Not Found)
localhost/:1 Refused to load the image 'http://localhost:3002/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
localhost/:1 Failed to load resource: the server responded with a status of 404 (Not Found)
Screenshot of server.js where I tried to implement express-csp-header:
server.js
Screenshot of index.html to show the added images and that there is no meta tag for CSP:
index.html
I have tried adding the tag as advised elsewhere.
I tried every other suggestion from stackoverflow that I could find.
Please advise.
----EDIT--- I guess what I need to know is how to override the CSP that comes with webpack as part of Create-React-App because the console error message says that 'img src' is NOT defined so it defaulted to "default src", which is set to 'none'. I believed I have installed express-csp-header correctly and have 'img src' set correctly, why doesn't the browser find that?
----Another EDIT--- Here all this time I was thinking that webpack must be where the browser is getting the "default-scr: NONE" referred to in the error message. I just searched all of the files in react-script, which is where webpack config files live, and don't find any occurance of "default-scr: NONE". Is it an Express setting? Why am I dealing with CSP with this CRA app and not the other dozen I created the same way? Pulling my hair out.
Maybe I just need a second pair of eyes?
Yeah, it is difficult to find a black cat in a dark room, especially if it is not there.
Refused to load the image 'http://localhost:3002/favicon.ico' because
it violates the following Content Security Policy directive:
"default-src 'none'". Note that 'img-src' was not explicitly set, so
'default-src' is used as a fallback.
This is a great example of a misleading diagnostic message. Your issue have nothing to do with Content Security Policy (CSP).
Just place favicon.ico file into %PUBLIC_URL% folder and add into <head> section:
<link rel="icon" type="image/x-icon" href="%PUBLIC_URL%/favicon.ico">
All nitty-gritty is here. Briefly - browser by default tries to get favicon from the root of website, since you do not set right <link rel="icon" tag. There is no favicon there, so 404 Not Found occurs (anyway Express do not serve root folder by default).
Your CSP is published on "200 OK pages" only, so Express by default uses its own default-src 'none' for nonexistent pages (with status codes 404/403/500/etc).
This can really be confusing to anyone.
PS: Quite possible that the presence of %PUBLIC_URL% means you do not set PUBLIC_URL / homepage properly, because it should be substituted by a real folder/path. I just use your notation in the <link rel="icon" tag above.
PPS: I think if you add a custom error pages handler, it help to avoid similar misleading diag (code example you can take here).
UPDATE:
Cannot GET /
means webpack dos not know what page to show - defServer{...} output{...} sections misconfigured or wrong router(). Therefore you get 404 Not Found page.
You could to look in the Developer tools is the Status Code 404/200 and which Content-Security-Policy HTTP header you have really got (here is a tutorial).
In case of 404 Not Found, webpack shows built-in default error page (since you do not created your own). This error page is served with default webpack's CSP, not yours (your CSP will be published on pages with 200 OK status code only).
I just searched all of the files in react-script, which is where
webpack config files live, and don't find any occurance of
"default-scr: NONE"
AFAIK, webpack-dev-server uses a finalhandler which rejects /favicons on 404 pages exactly with the same issue you have. In this way default-src: 'none' should be in node_modules/finalhandler/index.js.
Why am I dealing with CSP with this CRA app and not the other dozen I
created the same way?
Previously finalhandler has default-src 'self' so /faficons was not blocks by CSP. But after this thread: default-src should be 'none' in finalhandler at May 2019 - things changed.
I guess you issue is not CSP related, it's just have misconfigured defServer{...} or output{...} (some path: __dirname + 'public/' or publicPath: points to a wrong dir).
CSP error is only a symptom (bad thing it's a false symptom) of the disease, but we need to treat a cause but not symptoms.
PS: I think instead of %PUBLIC_URL%/favicon.ico it should be http://localhost/favicon.ico in HTML, it's something misconfigured here too.
My problem is Crawl in Google Search Console can't found sub-routes in React.
The URL is https://huynhsamha.github.io/crypto, and crawler can fetch and render homepage (route /) and static files such as /robots.txt, /favicon.ico, but it can't found the sub-routes, which are rendered by React, (SPA, using Redux), such as /algorithm/sha256. Example, https://huynhsamha.github.io/crypto/algorithm/sha256 can't found by Crawler but it can be accessible.
This is my screenshot in Google Search Console I've tried.
Who can explain why and how to fix my problem? I'm using react-router-dom with react-redux My repository on github here
Edit 1
I've also tried the answer https://stackoverflow.com/a/53966338/8828489 in this question, but not working. I've added script in index.html (https://github.com/huynhsamha/crypto/blob/gh-pages/index.html), but search console can't still found, so it also can't render any error on screen.
Edit 2
I've also tried the answers https://stackoverflow.com/a/54040745/8828489 and https://stackoverflow.com/a/54048119/8828489 in this question, but not working. I've created 404.html file and add scripts as the answer instructs but it didn't also work.
Edit 3
I've also tried the answer https://stackoverflow.com/a/54044148/8828489 in this question by creating a simple sitemap.xml, googlebot can find this file and discover all URLs I defined in sitemap. But it also cannot fetch and render URLs mentioned.
I found that when i opened https://huynhsamha.github.io/crypto/algorithm/sha256, I actually received a 404 as a response. I think your workaround for hosting SPA on GitHub using the 404.html is the issue here. While us humans see your app being served on our browser correctly, googlebot doesn't care and just look at the response code and see that it has received a 404. You'll need a different workaround that doesn't involves using the 404.html as the entry point to your app directly.
Try following this workaround by rafrex instead, it redirects the browser to index.html using the 404.html while keeping the original route, it claims that googlebot register that as a 301 instead of a 404, for your case that means adding these changes below to your site, pay attention to the script below the <!-- ------Single Page Apps GitHub Pages Workaround------ -->:
<!-- 404.html -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Cryptography</title>
<!-- ------Single Page Apps GitHub Pages Workaround------ -->
<script type="text/javascript">
// Single Page Apps for GitHub Pages
// https://github.com/rafrex/spa-github-pages
// Copyright (c) 2016 Rafael Pedicini, licensed under the MIT License
// ----------------------------------------------------------------------
// This script takes the current url and converts the path and query
// string into just a query string, and then redirects the browser
// to the new url with only a query string and hash fragment,
// e.g. http://www.foo.tld/one/two?a=b&c=d#qwe, becomes
// http://www.foo.tld/?p=/one/two&q=a=b~and~c=d#qwe
// Note: this 404.html file must be at least 512 bytes for it to work
// with Internet Explorer (it is currently > 512 bytes)
// If you're creating a Project Pages site and NOT using a custom domain,
// then set segmentCount to 1 (enterprise users may need to set it to > 1).
// This way the code will only replace the route part of the path, and not
// the real directory in which the app resides, for example:
// https://username.github.io/repo-name/one/two?a=b&c=d#qwe becomes
// https://username.github.io/repo-name/?p=/one/two&q=a=b~and~c=d#qwe
// Otherwise, leave segmentCount as 0.
var segmentCount = 1;
var l = window.location;
l.replace(
l.protocol + '//' + l.hostname + (l.port ? ':' + l.port : '') +
l.pathname.split('/').slice(0, 1 + segmentCount).join('/') + '/?p=/' +
l.pathname.slice(1).split('/').slice(segmentCount).join('/').replace(/&/g, '~and~') +
(l.search ? '&q=' + l.search.slice(1).replace(/&/g, '~and~') : '') +
l.hash
);
</script>
</head>
<body>
</body>
</html>
<!-- index.html -->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="theme-color" content="#000000">
<meta name="description" content="Cryptography Algorithms: Secure Hash Algorithm (sha256, sha512, ...), Message Digest Algorithm (md5, ripemd160), HMAC-SHA, HMAC-MD, pbkdf2, Advanced Encryption Standard (AES), Triple Data Encryption Standard, (TripleDES, DES), RC4, Rabbit, ...">
<meta name="keywords" content="crypto, algorithms, secure hash, sha, sha512, sha256, message digest, md5, hmac-sha, aes, des, tripledes, pbkdf2, rc4, rabbit, encryption, descryption">
<meta name="author" content="huynhsamha">
<!-- Open Graph -->
<meta property="fb:app_id" content="440168923127908">
<meta property="og:url" content="https://huynhsamha.github.io/crypto">
<meta property="og:title" content="Cryptography Algorithms">
<meta property="og:description" content="Cryptography Algorithms: Secure Hash Algorithm (sha256, sha512, ...), Message Digest Algorithm (md5, ripemd160), HMAC-SHA, HMAC-MD, pbkdf2, Advanced Encryption Standard (AES), Triple Data Encryption Standard, (TripleDES, DES), RC4, Rabbit, ...">
<meta property="og:type" content="website">
<meta property="og:image" content="%PUBLIC_URL%/img/main.jpeg">
<meta property="og:site_name" content="Cryptography">
<meta property="og:locale" content="vi_VN">
<!-- Twitter Card -->
<meta name="twitter:card" content="summary">
<meta name="twitter:site" content="#huynhsamha">
<meta name="twitter:creator" content="#huynhsamha">
<meta name="twitter:url" content="https://huynhsamha.github.io/crypto">
<meta name="twitter:title" content="Cryptography Algorithms">
<meta name="twitter:description" content="Cryptography Algorithms: Secure Hash Algorithm (sha256, sha512, ...), Message Digest Algorithm (md5, ripemd160), HMAC-SHA, HMAC-MD, pbkdf2, Advanced Encryption Standard (AES), Triple Data Encryption Standard, (TripleDES, DES), RC4, Rabbit, ...">
<meta name="twitter:image:src" content="%PUBLIC_URL%/img/main.jpeg">
<!--
manifest.json provides metadata used when your web app is added to the
homescreen on Android. See https://developers.google.com/web/fundamentals/engage-and-retain/web-app-manifest/
-->
<link rel="manifest" href="%PUBLIC_URL%/manifest.json">
<link rel="shortcut icon" href="%PUBLIC_URL%/favicon.ico">
<link rel="author" href="//github.com/huynhsamha">
<link rel="canonical" href="//huynhsamha.github.io/crypto">
<!--
Notice the use of %PUBLIC_URL% in the tags above.
It will be replaced with the URL of the `public` folder during the build.
Only files inside the `public` folder can be referenced from the HTML.
Unlike "/favicon.ico" or "favicon.ico", "%PUBLIC_URL%/favicon.ico" will
work correctly both with client-side routing and a non-root public URL.
Learn how to configure a non-root public URL by running `npm run build`.
-->
<link href="//fonts.googleapis.com/css?family=Open+Sans:400,600,700&subset=vietnamese" rel="stylesheet">
<link rel="stylesheet" href="%PUBLIC_URL%/css/bootstrap.min.css">
<link rel="stylesheet" href="%PUBLIC_URL%/lib/font-awesome/css/font-awesome.min.css">
<!-- ------Single Page Apps GitHub Pages Workaround------ -->
<script type="text/javascript">
// Single Page Apps for GitHub Pages
// https://github.com/rafrex/spa-github-pages
// Copyright (c) 2016 Rafael Pedicini, licensed under the MIT License
// ----------------------------------------------------------------------
// This script checks to see if a redirect is present in the query string
// and converts it back into the correct url and adds it to the
// browser's history using window.history.replaceState(...),
// which won't cause the browser to attempt to load the new url.
// When the single page app is loaded further down in this file,
// the correct url will be waiting in the browser's history for
// the single page app to route accordingly.
(function(l) {
if (l.search) {
var q = {};
l.search.slice(1).split('&').forEach(function(v) {
var a = v.split('=');
q[a[0]] = a.slice(1).join('=').replace(/~and~/g, '&');
});
if (q.p !== undefined) {
window.history.replaceState(null, null,
l.pathname.slice(0, -1) + (q.p || '') +
(q.q ? ('?' + q.q) : '') +
l.hash
);
}
}
}(window.location))
</script>
<title>Cryptography</title>
</head>
<body>
<noscript>
You need to enable JavaScript to run this app.
</noscript>
<div id="root"></div>
<!--
This HTML file is a template.
If you open it directly in the browser, you will see an empty page.
You can add webfonts, meta tags, or analytics to this file.
The build step will place the bundled scripts into the <body> tag.
To begin the development, run `npm start` or `yarn start`.
To create a production bundle, use `npm run build` or `yarn build`.
-->
<script src="%PUBLIC_URL%/js/jquery-3.3.1.slim.min.js" type="text/javascript"></script>
<script src="%PUBLIC_URL%/js/popper.min.js" type="text/javascript"></script>
<script src="%PUBLIC_URL%/js/bootstrap.min.js" type="text/javascript"></script>
<!-- Google Adsense -->
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
</body>
</html>
More info and discussions on GitHub's support for single page app here.
I poked around in your source code and don't see anything alarming; however, I found a few posts about similar issues (1) (2). The second seems particularly helpful, so I'll repeat it here. Shout out to #Zerotorescue on Reddit.
Open Google Search Console and go to Crawl -> Fetch as Google and do a fetch and render.
Add this to your site, either as a part of tag in your HTML file or as part of the bundle:
https://gist.github.com/mstijak/715fa2dd3f495a98386c3ebbadbabb8c
I recommend the former since that makes it easier to change if you need to make it more readable (no need to recompile your app).
Push this to your site and then do another fetch and display. The error preventing Google from running your app will now show. The search console resolution is pretty low so you may have to increase the font-size of the error and fetch again. Don't worry, Google doesn't mind repeated calls.
You'll probably find that Google's crawler can't process your code because you're using some ES6 feature it doesn't support. You can fix this by polyfilling. I've tried a couple of things such as https://polyfill.io/ which turned out to not really support Googlebot and while it might sometimes work, it is pretty unreliable. Instead I recommend using babel-polyfill. It will increase your bundle size a little bit for everyone but in my experience it provides the widest browser support with a minimal headache. Just turn it on and you're done.
If you're using create-react-app this is the polyfills.js file I use that you could copy:
https://github.com/WoWAnalyzer/WoWAnalyzer/blob/2c67a970f8bd9026fa816d31201c42eb860fe2a3/config/polyfills.js#L1
Notice there are a lot of comments explaining all the issues the polyfill service introduce that you won't have to deal with if you use babel-polyfill.
Because, react app is onepage web, You need a sitemap file, you can find it how to make a one here ,too make a 404 page, and every route add property that has a anchor
like to
<a title="This my Route One" href="https://myreactapp/routeOne" alt="Route One"/>
The problem is that you're using a 404 page to capture incoming traffic to routes other than /. This means those routes serve a 404 status code (you can see this if you open Network in dev tools and try to visit one of those deep URLs). Google sees a 404 status in the response header and just gives up right away. You probably noticed that the "Not Found" message in Webmaster Tools popped up super-fast.
On a normal server, you would capture those routes and return a successful status code like 200 or 301 and Google would continue crawling. However, because you're using GitHub pages, you need to hack your way around it.
You should be able to do this by setting up an instant redirect from that 404 template to your index template. Browsers interpret instant redirects as 301s. To do this, replace the contents of your 404.html with something like this:
<html>
<head>
<script>
sessionStorage.redirect = location.href; // we'll use this later
</script>
<meta http-equiv="refresh" content="0;URL='/crypto'">
</head>
<body></body>
</html>
Just make sure the file-size of that 404.html is greater than 512b or IE will discard it (damn M$...).
Lastly, you'll need to make sure your index.html captures the original route. To do so, use a script like this in the head of your index.html:
<script>
(function(){
var redirect = sessionStorage.redirect; // remember me?
delete sessionStorage.redirect;
if (redirect && redirect != location.href) {
history.replaceState(null, null, redirect);
}
})();
</script>
For reference, I stole this clever hack from:
https://www.smashingmagazine.com/2016/08/sghpa-single-page-app-hack-github-pages/
I also, do not see anything alarming in your code (although I don't think you need the baseUrl in your <Route /> - though I could be wrong, and don't think that's the issue, but it may be worth eliminating if unnecessary).
Just a guess but looking at the networks tab as I bounced around the links, I noticed the service worker. I am, admittedly, not super savvy when it comes to service workers (yet!), however googling a bit revealed that google crawlers do not yet support service workers as asserted in this article, this article, and by google.... I also noticed that if I run a Lighthouse test on one of the links I reached via in-app navigation (for instance I click on the /algorithm tab from the nav on the homepage and then run a Lighthouse test) I get the following errors:
There were issues affecting this run of Lighthouse: Chrome extensions
negatively affected this page's load performance. Try auditing the
page in incognito mode or from a Chrome profile without extensions.
and more interesting:
Lighthouse was unable to reliably load the page you requested. Make
sure you are testing the correct URL and that the server is properly
responding to all requests. Status code: 404.
...despite clearly seeing it rendered in the browser. Seems suspect. So, if that is part of how navigation is happening (seems it likely is based on the registerServiceWorker.js file in your repo lol), it may be the cause of your links not being found/followed.
im new to coding and need some help.
I made a react project (using create-react-app), and the website has been running on my gh-pages branch
(heres my repo: https://github.com/simchaleh/shivisihashem.git)
ive been trying to host the gh-pages project on a custom domain instead.
my react project looks great when its hosted on gh-pages, but when i try to connect it to my custom domain, all i get is a solid white screen.
heres a screen pic of my dns settings on custom domain. (u can also see that gh-pages says its hosting on my domain):
dns settings and gh-pages/settings page
I have a CNAME file in gh-pages branch, with one line, where i put:
shivisihashem.com
does anyone have any ideas why im just getting a blank white screen on my custom domain?
thanks!
i just got an answer from github staff. it solved my issue.
heres the answer if anyone else has this same issue:
The file you need to edit is here:
https://github.com/simchaleh/shivisihashem/blob/gh-pages/index.html
Currently, these two sections have errors:
<script type="text/javascript"
> src="/ShivisiHashem/static/js/main.7cdb5ccf.js"></script>
>
> <link href="/ShivisiHashem/static/css/main.ff643f95.css"
> rel="stylesheet">
You should be able to resolve the issue by replacing them with these:
<script type="text/javascript"
> src="/static/js/main.7cdb5ccf.js"></script>
>
> <link href="/static/css/main.ff643f95.css" rel="stylesheet">
I hope that helps! Let us know if you have any other issues.
Simcha's solution worked for me temporarily. Every time I was deploying to Github pages, the index.html file was automatically reverted back to "/theNameOfMyApp/static/.... So I managed to get rid of this problem, by removing the "/theNameOfMyApp" part from the homepage: ... in package.json. So in package.json there I have: "homepage": "http://themitsoss.github.io".
Had this same problem. I believe this issue is caused when you use the PUBLIC_URL environment variable, like so:
%PUBLIC_URL%/main.css
which works for the github.io site but causes path problems in the custom domain, which adds the variable in front of the path like in Simcha's example. So, we need to manually remove every instance of the this variable (process.env.PUBLIC_URL) each time we build for gh-pages.
I have developed Drupal site . But when I access my site using HTTPS:// browser gives me a message "This page has insecure content" . I have putted my site data on secure site .
I load JS file in that page for some purpose.
So,Is it JS file issue?
I don't think it should be JS or CSS issue, unless you include them using absolute URLs:
For example if you add the following lines in your theme's template file:
<link rel="stylesheet" type="text/css" href="http://yoursite/mystyle.css">
<script src="http://yoursite/myScript.js"></script>
This serves the JavaScript through http instead of https. Instead you should use:
<link rel="stylesheet" type="text/css" href="mystyle.css">
<script src="myScript.js"></script>
notice that the URLs in the second piece of code contains relative URL, and would serve the files with the same protocol with which the site is accessed via a browser.
If this is not the case, you have to scan through all the links on the page, and find the links which are start with the format http://... instead of https://.... This problem arises when a browser finds that not all content of the page is being served using encryption.
Hope that makes sense. Please feel free to ask further queries.
Indeed, you might have some assets (css or javascript) loaded from "non secure" source (using http protocol instead of https).