Ge0rg3/StegOnline

Issue with Content Security Policy

Closed this issue · 5 comments

Hi and thanks a lot for StegOnline!

Uploading images doesn't seem to work anymore.

With Chromium (Version 125.0.6422.141 (Official Build) Arch Linux (64-bit)):

Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'run-ad-auction'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'join-ad-interest-group'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'browsing-topics'.
upload:15 GET https://static.cloudflareinsights.com/beacon.min.js/vef91dfe02fce4ee0ad053f6de4f175db1715022073587 net::ERR_BLOCKED_BY_CLIENT
upload:15 Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://static.cloudflareinsights.com". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

With Firefox 126.0.1-1:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.cloudflareinsights.com/beacon.min.js/vef91dfe02fce4ee0ad053f6de4f175db1715022073587. (Reason: CORS request did not succeed). Status code: (null).
None of the “sha512” hashes in the integrity attribute match the content of the subresource. The computed hash is “z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==”. StegOnline
Content-Security-Policy: The page’s settings blocked the loading of a resource (media-src) at data: because it violates the following directive: “default-src 'none'” StegOnline
Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' 'unsafe-eval' https://static.cloudflareinsights.com” utils.js:42:10
Content-Security-Policy: The page’s settings blocked an event handler (script-src-attr) from being executed because it violates the following directive: “script-src 'self' 'unsafe-eval' https://static.cloudflareinsights.com” main.8bb952858e81895e632c.js:1:769340
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.cloudflareinsights.com/beacon.min.js/vef91dfe02fce4ee0ad053f6de4f175db1715022073587. (Reason: CORS request did not succeed). Status code: (null).
None of the “sha512” hashes in the integrity attribute match the content of the subresource. The computed hash is “z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==”. upload

Hey @mb720, sorry for the late response. Please can you retry and check if the fix works?

When clicking on the button "UPLOAD IMAGE", no file dialog pops up in Firefox or Chrome. In Chrome I get this error after clicking:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://static.cloudflareinsights.com". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

The good news is that uploading a file works in both browsers when clicking on the area "Drag and drop your image here".

Addendum: Which fix are you referring to? According to GitHub, the latest commit is about two years old.

Thanks for checking, just pushed a patch for the button too.

The fix is done via the internal nginx config; it's purely CSP 👍

Please feel free to reopen if the issue persists for you.
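The CSP mechanics behind the console errors in this thread (media-src falling back to `default-src 'none'`, script-src-attr falling back to script-src, and hashes not covering event handlers without `'unsafe-hashes'`), as an added example that is not StegOnline's code and not its nginx fix. The policy string is reconstructed from the two directives quoted in the errors, the page origin is a placeholder, and the adjusted policy is one possible narrow change, not what the project actually deployed.

```javascript
// Added example (not StegOnline's code): a small model of the CSP directive
// fallback and inline-handler rules behind the console errors quoted above.
// Simplified: host sources match by origin, nonces/hashes for <script> are not verified.
const FALLBACK = {                        // directive -> CSP3 fallback chain
  "script-src-attr": ["script-src-attr", "script-src", "default-src"],
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "media-src": ["media-src", "default-src"],
};
function parseCsp(header) {               // "a b; c d" -> { a: ["b"], c: ["d"] }
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}
function effectiveSources(policy, directive) {   // first directive in the chain that is set
  const chain = FALLBACK[directive] || [directive, "default-src"];
  const name = chain.find((n) => n in policy);
  return name ? { governedBy: name, sources: policy[name] } : null;
}
function urlAllowed(sources, url, pageOrigin) {   // 'none' or an empty list matches nothing
  const target = new URL(url);
  return sources.some((src) =>
    src === "*" ||
    (src === "'self'" && target.origin === pageOrigin) ||
    (/^[a-z][a-z0-9+.-]*:$/.test(src) && target.protocol === src) ||        // scheme source, e.g. data:
    (/^https?:\/\//.test(src) && new URL(src).origin === target.origin));   // host source
}
// Inline event handlers: 'unsafe-inline' counts only when no nonce/hash is listed;
// otherwise the handler needs 'unsafe-hashes' plus its own hash in the list.
function inlineHandlerAllowed(sources, handlerHash) {
  const hashOrNonce = sources.filter((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hashOrNonce.length === 0) return sources.includes("'unsafe-inline'");
  return sources.includes("'unsafe-hashes'") && hashOrNonce.includes(`'${handlerHash}'`);
}
// req: { directive, url } for a resource load, { directive, hash } for an inline handler.
// pageOrigin is a placeholder; substitute the real site origin.
function check(header, req, pageOrigin = "https://stegonline.example") {
  const eff = effectiveSources(parseCsp(header), req.directive);
  if (!eff) return { allowed: true, governedBy: null };
  const allowed = req.url !== undefined
    ? urlAllowed(eff.sources, req.url, pageOrigin)
    : inlineHandlerAllowed(eff.sources, req.hash);
  return { allowed, governedBy: eff.governedBy };
}
// Policy reconstructed from the two directives quoted in the errors (assumed to be the
// page's only directives); ADJUSTED is one possible narrow change, not the project's fix.
const BROKEN = "default-src 'none'; script-src 'self' 'unsafe-eval' https://static.cloudflareinsights.com";
const ADJUSTED = BROKEN + "; media-src data:; script-src-attr 'unsafe-inline'";
```

Under BROKEN the `data:` media load and the button's inline handler are refused while the Cloudflare beacon URL itself passes CSP (its failure in the logs is the client blocking it); registering the handler with `addEventListener` instead of an inline attribute would avoid relaxing script-src-attr at all.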

Thanks for fixing this! The button works now too.