I am trying to add Atatus to my Ionic project. I followed the documentation to include the scripts.
FIRST TRY
So my index.html includes the scripts like this:
<script src="https://dmc1acwvwny3.cloudfront.net/atatus.js" crossorigin="anonymous" type="application/javascript" />
<script type="text/javascript"> atatus.config('MY_API_KEY').install(); </script>
In the documentation they mention CORS issues and how to solve them. The header is something I can't set if I am correct, this header should be set on the cloudfront server. So I have added the crossorigin attribute in the script tag, but still I receive the CORS error when running the project locally with ionic serve:
Script from origin 'https://dmc1acwvwny3.cloudfront.net' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://192.168.178.59:8100' is therefore not allowed access.
SECOND TRY
Then I tried to solve the CORS issues with adding proxies in the ionic.project file according to this blog post from Ionic. So my ionic.project file contains:
{
"name": "my-amazing-app",
"app_id": "345gfsd3trf",
"gulpStartupTasks": [
"build:env",
"build:index",
"build:sass",
"build:template",
"build:js",
"concat:index",
"watch"
],
"proxies": [
{
"path": "/atatus.js",
"proxyUrl": "https://dmc1acwvwny3.cloudfront.net/atatus.js"
}
]
}
So I changed the index.html to use this proxy:
<script src="http://localhost:8100/atatus.js" crossorigin="anonymous" type="application/javascript" />
<script type="text/javascript"> atatus.config('MY_API_KEY').install(); </script>
When I start serving with ionic serve the output looks promising:
me#my-laptop:~/Documents/Projects/my-amazing-app$ ionic serve
Gulp startup tasks: [ 'build:env',
'build:index',
'build:sass',
'build:template',
'build:js',
'concat:index',
'watch' ]
Running live reload server: http://192.168.178.59:35729
Watching : [ 'www/**/*', '!www/lib/**/*' ]
Proxy added: /atatus.js => https://dmc1acwvwny3.cloudfront.net/atatus.js
Running dev server: http://192.168.178.59:8100
Ionic server commands, enter:
restart or r to restart the client app from the root
goto or g and a url to have the app navigate to the given url
consolelogs or c to enable/disable console log output
serverlogs or s to enable/disable server log output
quit or q to shutdown the server and exit
But unfortunally I receive a connection refused in the console: GET http://localhost:8100/atatus.js net::ERR_CONNECTION_REFUSED.
THIRD TRY
I thought maybe this is because of the use of localhost instead of my internal IP 192.168.178.59. So I changed all use of localhost to 192.168.178.59, but then I get a 403 Forbidden.
FOURTH TRY
The last test I did was adding atatus library locally through bower:
bower install atatus-js
Also changed the index.html accordingly:
<script src="lib/atatus-js/atatus.min.js" crossorigin="anonymous" type="application/javascript" />
<script type="text/javascript"> atatus.config('MY_API_KEY').install(); </script>
Now I receive no errors when loading the library, but when I trough an notify to atatus manually through the console: atatus.notify(new Error('Test Atatus Setup')); I receive the following errors from atatus.min.js:
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check http://xhr.spec.whatwg.org/.
XMLHttpRequest cannot load http://192.168.178.59:3001/socket.io/socket.io.js. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://192.168.178.59:8100' is therefore not allowed access.
Uncaught TypeError: Cannot read property 'test' of undefined(…)
Which I don't understand. Why is it complaining about http://192.168.178.59:3001/socket.io/socket.io.js. This is my local running socket.io server, which runs correctly and has CORS configured. Without atatus added the whole project runs perfectly with these sockets.
FIFTH TRY
I have deployed the project with the fourth try to a DigitalOcean server. So the atatus library is loaded locally (bower). No CORS issues arise, but I receive the following error when adding a notify in the console:
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check http://xhr.spec.whatwg.org/.
Uncaught TypeError: Cannot read property 'test' of undefined(…)
SOLUTION
I had to change 2 settings, being:
Set the next: $.ajaxPrefilter(function( options, originalOptions, jqXHR ) {options.async = true;});
Add https://*.atatus.com to the default-src of the Content-Security-Policy meta header.
Thanks to #MarkVeenstra
Since Cordova 5.x, you need to specify the Content-Security-Policy meta header. In this header in the default-src, you have to add https://*.atatus.com. Then all works.
Related
noob here.
Creating a PWA React app using create-react-app and running into the CSP issue regarding default set to none and no img setting to override it.
Have searched for and tried many, many helpful answers for this exact problem but have not hit upon the one that will work for my app.
Maybe I just need a second pair of eyes?
The error is:
Cannot GET /
The console tells me this:
Failed to load resource: the server responded with a status of 404 (Not Found)
localhost/:1 Refused to load the image 'http://localhost:3002/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
localhost/:1 Failed to load resource: the server responded with a status of 404 (Not Found)
Screenshot of server.js where I tried to implement express-csp-header:
server.js
Screenshot of index.html to show the added images and that there is no meta tag for CSP:
index.html
I have tried adding the tag as advised elsewhere.
I tried every other suggestion from stackoverflow that I could find.
Please advise.
----EDIT--- I guess what I need to know is how to override the CSP that comes with webpack as part of Create-React-App because the console error message says that 'img src' is NOT defined so it defaulted to "default src", which is set to 'none'. I believed I have installed express-csp-header correctly and have 'img src' set correctly, why doesn't the browser find that?
----Another EDIT--- Here all this time I was thinking that webpack must be where the browser is getting the "default-scr: NONE" referred to in the error message. I just searched all of the files in react-script, which is where webpack config files live, and don't find any occurance of "default-scr: NONE". Is it an Express setting? Why am I dealing with CSP with this CRA app and not the other dozen I created the same way? Pulling my hair out.
Maybe I just need a second pair of eyes?
Yeah, it is difficult to find a black cat in a dark room, especially if it is not there.
Refused to load the image 'http://localhost:3002/favicon.ico' because
it violates the following Content Security Policy directive:
"default-src 'none'". Note that 'img-src' was not explicitly set, so
'default-src' is used as a fallback.
This is a great example of a misleading diagnostic message. Your issue have nothing to do with Content Security Policy (CSP).
Just place favicon.ico file into %PUBLIC_URL% folder and add into <head> section:
<link rel="icon" type="image/x-icon" href="%PUBLIC_URL%/favicon.ico">
All nitty-gritty is here. Briefly - browser by default tries to get favicon from the root of website, since you do not set right <link rel="icon" tag. There is no favicon there, so 404 Not Found occurs (anyway Express do not serve root folder by default).
Your CSP is published on "200 OK pages" only, so Express by default uses its own default-src 'none' for nonexistent pages (with status codes 404/403/500/etc).
This can really be confusing to anyone.
PS: Quite possible that the presence of %PUBLIC_URL% means you do not set PUBLIC_URL / homepage properly, because it should be substituted by a real folder/path. I just use your notation in the <link rel="icon" tag above.
PPS: I think if you add a custom error pages handler, it help to avoid similar misleading diag (code example you can take here).
UPDATE:
Cannot GET /
means webpack dos not know what page to show - defServer{...} output{...} sections misconfigured or wrong router(). Therefore you get 404 Not Found page.
You could to look in the Developer tools is the Status Code 404/200 and which Content-Security-Policy HTTP header you have really got (here is a tutorial).
In case of 404 Not Found, webpack shows built-in default error page (since you do not created your own). This error page is served with default webpack's CSP, not yours (your CSP will be published on pages with 200 OK status code only).
I just searched all of the files in react-script, which is where
webpack config files live, and don't find any occurance of
"default-scr: NONE"
AFAIK, webpack-dev-server uses a finalhandler which rejects /favicons on 404 pages exactly with the same issue you have. In this way default-src: 'none' should be in node_modules/finalhandler/index.js.
Why am I dealing with CSP with this CRA app and not the other dozen I
created the same way?
Previously finalhandler has default-src 'self' so /faficons was not blocks by CSP. But after this thread: default-src should be 'none' in finalhandler at May 2019 - things changed.
I guess you issue is not CSP related, it's just have misconfigured defServer{...} or output{...} (some path: __dirname + 'public/' or publicPath: points to a wrong dir).
CSP error is only a symptom (bad thing it's a false symptom) of the disease, but we need to treat a cause but not symptoms.
PS: I think instead of %PUBLIC_URL%/favicon.ico it should be http://localhost/favicon.ico in HTML, it's something misconfigured here too.
Getting a redirect issue on Safari browser only when trying to load an AppEngine site with Identity-aware proxy enabled. It shows requests being redirected to https://accounts.google.com/o/oauth2/v2/auth but then failing.
Origin is not allowed by Access-Control-Allow-Origin
If I load the url manually in a new tab in Safari I get: AppEngine error code 9.
I'm thinking it's probably to do with Safari's stricter cookie rules, somehow the IAP session cookie is being ignored because it's from another domain?
Safari seems to have stricter CORS rules, which may require additional rules. Especially if using AppEngine IAP.
If using <img>, <video>, <link> and <script> tags, and loading content from other domains using CORS. You need the crossorigin="use-credentials" attribute to allow the cookie sharing:
<script src="https://example.com/script.js" crossorigin="use-credentials"></script>
https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes
Note: this is less secure.
Angular has a build command which will add the attributes automatically for you:
ng build --prod --crossOrigin=use-credentials
https://angular.io/cli/build#options
I have an Electron App, which uses Angular 2 - in order to work i needed to modify <base href="/"> to <base href="./">, which is a relative path in the file system. But now the API doesn't work anymore (Webclient on localhost works fine, but not Electron Client).
I access the API via proxy.conf.json
{
"/api": {
"target": "http://127.0.0.1:4747/Ticketsale",
"secure": false
}
}
And the error message in the JavaScript Console of Chromium / Electron is:
file:///Users/myusername/folder/apps/officeclient_electron/office-client-darwin-x64/office-client.app/Contents/Resources/app/api/1/initialData
Failed to load resource: net::ERR_FILE_NOT_FOUND
How can i tell Electron to access the local resources via relative Path and consume the API via HTTP?
We enabled CORS on the Webserver and this setting allowed us to consume the REST-API from a different URL.
See https://en.wikipedia.org/wiki/Cross-origin_resource_sharing for details.
Worked on basic routing in angular Js with Code1 mentioned below and getting "XMLHttpRequest cannot load Cross origin requests are only supported for protocol schemes: http, data, chrome-extension, https, chrome-extension-resource" error and founded that we must use local web server to resolve the same and downloaded MAMP and kept my html[login.html] in htdocs folder started the server and replaced templateUrl with [localhostURL/AngularJs/login.html'] as mentioned in Code2 and getting error of Error: [$sce:insecurl] exact error are given below, Guide me with any solution to fix the same in Google Chrome...
Code 1
index.html
<!DOCTYPE html>
<html>
<head>
<title>Test</title>
</head>
<body ng-app="plunker">
<div ng-view=""></div>
<script src="angular.min.js"></script>
<script src="angular-route.js"></script>
<script src="app.js"></script>
</body>
</html>
app.js
var app = angular.module('plunker', ['ngRoute']);
app.config(function ($routeProvider) {
$routeProvider.when('/login',{
controller: '',
templateUrl: 'login.html'
}).otherwise({
redirectTo: '/login'
});
});
login.html
Hello from login!
Code2
All other thing are same with changes only in app.js
var app = angular.module('plunker', ['ngRoute']);
app.config(function ($routeProvider) {
$routeProvider.when('/login',{
controller: '',
templateUrl: 'http://localhost:8888/AngularJs/login.html'
}).otherwise({
redirectTo: '/login'
});
});
Error Code1:-
XMLHttpRequest cannot load file://localhost/Users/karthicklove/Documents/Aptana%20Studio%203%20Workspace/Object_Javascript/Angular_Js/Routing/login.html. Cross origin requests are only supported for protocol schemes: http, data, chrome-extension, https, chrome-extension-resource.
Error Code2:- [$sce:insecurl] http://errors.angularjs.org/1.2.26/$sce/insecurl?p0=http%3A%2F%2Flocalhost%3A8888%2FAngularJs%2Flogin.html at Error (native)
I got the similar error. I got a solutions for this, we cannot use Routing in AngularJS by keeping it in your file system. (i.e)file:///C:/Users/path/to/file.html?r=4383065' If you run with this URL you will get error. The route provider will use http protocol. So you have to put your code inside the localhost and then run from browser localhost/foldername/index.html . Don't run it from the folder directly
And also change your template URL like this
templateUrl: '/AngularJs/login.html'
If you have doubt post here.
If you are running a page directly from Chrome (you just double clicked on an html file) and your javascript is trying to request some data you will hit this error.
Reason :
$routeProvider uses HTTP service for requesting data and this request cant be sent unless you are using any server like Tomcat.
Solution :
Deploy your app in any server like Tomcat in your machine and open your page through server.
If you think your just playing around with Client-Side coding then better open file in other browsers like Firefox / Safari.
the issue is probably that you are viewing you page through a different port (port 80 is default http port) yet you are accesssing port 8888 so it would see thee this as a cross origin request and block it think it is potentially a XSS attack or similar.
if you are already on the same port, change the template url to
templateUrl: '/AngularJs/login.html'
Issue mentioned here is resolved by making this as an application i.e when i made this html+angular js page to server dependent and run on server the problem is resolved it works fine in google chrome browser...
As other people have said the problem is the $http service from angularjs and you can work around this by hosting a static file web server.
You can do this without much work by using the http-server npm package.
npm install http-server -g
And start your web service like so.
http-server "C:\path\to\project\"
You will see the following output and can browse the app by using one of the displayed urls.
Starting up http-server, serving ./
Available on:
http://192.168.206.1:8080
http://192.168.89.1:8080
http://192.168.7.202:8080
http://127.0.0.1:8080
http-server is a simple, zero-configuration command-line http server. It is powerful enough for production usage, but it's simple and hackable enough to be used for testing, local development, and learning.
Just be aware that both the web server and the browser now caches your requests.
I'm currently experimenting with a Google App Engine/Go + Polymer.dart website at http://xclamm.appspot.com/.
The problem is that I get the following error when I access http://xclamm.appspot.com/ with Dartium (31.0.1612.0 Developer Build 219647).
XMLHttpRequest cannot load https://talkgadget.google.com/talkgadget/channel.js. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://xclamm.appspot.com' is therefore not allowed access.
I did some research and found that the problem is related with how I refer to /_ah/channel/jsapi, but I can't find how to fix it. I tried the following ways to refer to channel.js, but I still get the same error.
<!-- Following doesn't work -->
<script type="text/javascript" src="/_ah/channel/jsapi"></script>
<!-- Following doesn't work either -->
<script type="text/javascript" src="https://talkgadget.google.com/talkgadget/channel.js"></script>
If I run the website on dev_appserver.py, it seems to be working OK. Am I missing something?
The source code is available at https://github.com/rillomas/xclamm-gae, and I'm using Google App Engine SDK 1.8.4 for Go (x64 Windows).
I moved the <script type="text/javascript" src="/_ah/channel/jsapi"></script> tag from main-stage.html (html for an internal web component) to index.html (root html for the website), and the CORS error went away.
The <script> tag was originally placed inside a <polymer-element> tag, and was (probably) translated to an XMLHttpRequest by Polymer.dart, causing the error.