I am working on CSP (Content Security Policy) header compliance in my project.
The CSP header which I am setting in my project is -
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-RandomNum'
Earlier we were using dojo.js 1.16.3 which is not compatible with CSP headers. So updated dojo.js to 1.17.2 version.
Along with this version update, added below dojo config in the top most jsp where dojo is being included to make in work with CSP headers.
window.dojoConfig = {
async: true , parseOnLoad : true,
has: { 'csp-restrictions': true, 'dojo-v1x-i18n-Api': false } }
This resolved few errors coming from dojo. Still I am getting below one error:
dojo.js error on browser console
error in dojo.js source
Want to know if there is anything I am missing in terms dojo config to resolve this issue and make it compliant with CSP headers.
I tried updating and then setting the below dojo config just below where dojo.js is included in topmost jsp to make it CSP compliant.
window.dojoConfig = {
async: true , parseOnLoad : true,
has: { 'csp-restrictions': true, 'dojo-v1x-i18n-Api': false } }
Related
Recently, I used the Amazon API Gateway .I created an api ,but the API failed all the time.
At the beginning,I didn't add request headers.The result that API responsed is as follows:
HTTP/1.1 403 Forbidden
{"message":null, "type": "ACCESS_DENIED", "status":"", "other":"" }
Then ,I added a header which named host,the result changed.
HTTP/1.1 403 Forbidden
{"message":"Forbidden"}
I didn't use other AWS.
I set the authorization is none and the API key required is false.
enter image description here
Could you help me?
Thanks!
A cause of {"message":"Forbidden"} which I had which had me stumped was that I had not deployed my API.
For anyone having this issue, check if your gateway has been deployed.
First you will need a Stage, with which you can click Deploy API from the Actions dropdown, selecting your stage.
Deploying will give you an invoke_url, (which ends in /{stage-name}.
For those using Terraform....
You can define an aws_api_gateway_stage which depends on aws_api_gateway_deployment. There is a known issue, at the time of writing, where the deployment doesn't re-trigger, which was the original cause of my forbidden error.
To fix this and get the deployment to run everytime a change has been made, add to aws_api_gateway_deployment:
resource "aws_api_gateway_deployment" "gateway-deployment" {
...
stage_description = "Terraform hash ${md5(join(",", local.all_resources))}"
lifecycle {
create_before_destroy = true
}
}
locals {
all_resources = [
"${aws_api_gateway_resource.simulator-gateway-resource.path}:${aws_api_gateway_method.simulator-gateway-method.http_method}:${aws_api_gateway_integration.simulator-gateway-integration.uri}",
]
}```
Recently we have implemented OWASP CSRF security token concept to handle CSRF attacks. I used below links as reference to implement
https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
https://github.com/aramrami/OWASP-CSRFGuard
pom.xml
<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard</artifactId>
<version>3.0.0.590</version>
</dependency>
I made all the mandatory changes to my project. Now i could able to see OWASP_CSRFTOKEN as part of request headers.
Problem:
In my project we are using Extjs 4. after implementing the change all ajax calls are successfully carrying OWASP_CSRFTOKEN token.
We do have one Hidden Iframe being used to download some excel files from server. when i inspect this request it's not carrying OWASP_CSRFTOKEN token and in server logs i can see the below message.
Logs:
Nov 21, 2017 2:53:47 PM org.owasp.csrfguard.log.JavaLogger log
WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>,
ip:0:0:0:0:0:0:0:1, method:%request_method%, uri:/aaa/template/onDemandTemplate.action,
error:required token is missing from the request)
Iframe code:
var body = Ext.getBody(),
frame = body.createChild({
tag:'iframe',
cls:'x-hidden',
id:'hiddenform-iframe',
name:'iframe'
}),
form = body.createChild({
tag:'form',
cls:'x-hidden',
id:'hiddenform-form',
action: url,
method: POST,
target:'iframe'
});
var hiddenItem = document.createElement('input');
Ext.fly(hiddenItem).set({
type: 'hidden',
value: Ext.encode(params),
name: 'reportingParams'
});
form.appendChild(hiddenItem);
form.dom.submit();
Does Hidden Iframes internally use ajax or not ?
How can i inject CSRF token manually in Iframe reqeusts?
If any one have better approach/option to handle this situation. please share your ideas.
Thanks
No Iframes do not use ajax. However Iframe like functionality can be achieved by ajax.
If you are going to use Iframes then add a 2nd hidden input for CSRF token.
Code:
var csrf= document.createElement('input');
Ext.fly(hiddenItem).set({
type: 'hidden',
value: getCsrf,// method to get csrf token from the cookie
name: 'csrf'
});
form.appendChild(csrf);
Since you are using Extjs, you are assuming that the client browser is java script enabled, so avoid Iframes and use ajax to download the Excel files.
When I call from sencha:
proxy: {
type: 'ajax',
url: 'http://localhost:8585/academy/api/alumno/list/',
reader: {
type: 'json',
rootProperty: 'alumnos'
}
},
I receipt on spring mvc:
#Controller
#RequestMapping("/alumno")
public class AlumnoController {
#Autowired
AlumnoApi alumnoApi;
#RequestMapping(value = "list", produces = "application/json")
#ResponseBody
public List<DtoAlumno> findAll(){
return alumnoApi.findAll();
}
Showing the following error
XMLHttpRequest cannot load http://localhost:8585/academy/api/alumno/list/?_dc=1467319530160. Response for preflight has invalid HTTP status code 403
if I open the address: http://localhost:8585/academy/api/alumno/list/?_dc=1467319530160 in the browser shown json file correctly
I have activated the plugin Toggle CORS, if I turn off Toggle shows an error CORS.
I fixed this issue on a server where the services are on the same server but the DB is not.
Setup:
Ubuntu 14 server (not on localhost)
Tomcat running on port 8080 (application runs standard port 80 outside tomcat)
Domain assigned to IP of server (root reaches application, :8080 reaches tomcat services)
.htaccess file to limit access to services.
Problem
Calling Extjs.dataStore.read() would throw a 400 series error with preflight error having invalid HTTP. (same as OP above)
Solution
Update .htaccess file to include proxy rewrite and don't use port in URL for datastore.
The base URL within the browser must match your pre-service call, port and all, for the URL given to the Extjs.dataStore.proxy.url
Example:
URL in browser:
http://localhost:5517/MyApp //(this is your EXTJS app location note the port number)
In Extjs:
Ext.define('MyApp.store.myDataStore', {
extend: 'Ext.data.Store',
requires: [
'MyApp.model.myDataStoreModel',
'Ext.data.proxy.Ajax',
'Ext.data.reader.Json'
],
constructor: function(cfg) {
var me = this;
cfg = cfg || {};
me.callParent([Ext.apply({
storeId: 'myDataStore',
autoLoad: true,
model: 'MyApp.model.myDataStoreModel',
proxy: {
type: 'ajax',
url: 'http://localhost:5517/mainservice/subservice?q=test', //URL localhost:<port> needs to match URL in browser (or use domain without ports)
reader: {
type: 'json',
rootProperty: function(data) {
console.info('data ='); console.info(data); return data; //show raw return
}
}
}
}, cfg)]);
}
});
//Ext.StoreMgr.get('myDataStore').read(); //to call read event
in .htaccess file:
Options +FollowSymLnks
RewriteEngine on
RewriteRule ^mainservice/subservice(.*)$ http://localhost:8585/mainservice/subservice$1 [P]
Worth noting,
I cannot test this in localhost as my spring services are attached to other servers / databases outside what I can reach with a localhost.
The moment the browser's URL doesn't match the URL referenced in the proxy spring will give the error you have above.
I don't know if this will help you as you don't appear to be using an .htaccess file but it could help others who are experience similar issues as it was how I found your post.
I have created an application using angularJS framework. While running application on web browser, i am gettting # along with my url. I tried the following below,
var app = angular.module('missingFound', ['ngRoute','ngCookies','UserModel','homeController','DashBoardContrl','TimeLineContrl','MissingPostContrl','FoundPostContrl','GisContrl'])
.config(['$routeProvider','$locationProvider',
function($routeProvider,$locationProvider) {
$routeProvider.when('/', {
templateUrl : 'views/home.html',
controller : 'homeCtrl'
})
.when('/dashboard',{
templateUrl: 'views/dashboard.html',
controller : 'dashboardCntr',
authenticated : true
})
.when('/timeline',{
templateUrl : 'views/timeline.html',
controller : 'timelineCntr',
authenticated : true
})
.when('/missingForm',{
templateUrl : 'views/missingForm.html',
controller : 'missingCntr',
authenticated : true
})
.when('/foundForm',{
templateUrl : 'views/foundForm.html',
controller : 'foundCntr',
authenticated : true
})
.when('/gisPage',{
templateUrl : 'views/gis.html',
authenticated : true
})
.otherwise({
redirectTo:"/"
});
$locationProvider.html5Mode(true);
/* $locationProvider.html5Mode({
enabled: true,
requireBase: false
});*/
}])
.run(['$rootScope','$location','AuthService',
function($rootScope,$location,AuthService){
$rootScope.$on("$routeChangeStart", function(event, next, current){
if(next.$$route.authenticated){
if(!AuthService.getAuthStatus()){
$location.path('/');
}
}
if(next.$$route.originalPath == '/'){
console.log('Login Page');
if(AuthService.getAuthStatus()){
$location.path(current.$$route.originalPath);
}
}
})
}]);
My URL is looking like this - http://localhost:7080/Police4/#/
Its working fine after login when i am navigating to different hmtl page via routing but when i am trying to copy the URL path and opening in differnt tab its showing page not found.
Before with '#' it is working fine, but URL is looking ugly.
Angular's routing URLs by default all put a # character to separate the part controlled by Angular from the rest of the URL. This is needed on some older browsers which did not allow changing the main part of the URL without reloading the page.
You can get rid of this by enabling html5 mode. See, for example, https://scotch.io/quick-tips/pretty-urls-in-angularjs-removing-the-hashtag
however you will also need to configure your server to recognise the Angular URLs and send the main page for your application even when a URL appears to refer to a sub-page.
Hi This will help you ,
Add this code to your project ,
$locationProvider.html5Mode(true);
$locationProvider.hashPrefix('!');
Read
https://docs.angularjs.org/guide/$location
Applications - 2 (Java and Rails )
Rails - 3.0.3
Ruby - 1.8.7
Client - Ajax call using Jquery from Java App
Firebug - shows it is actually an Ajax XHR request (XHR tab )
Server - Rails - request.xhr? false
Any gem is missing for ajax response ( ajax request only from java pp )
My gem list is below:
abstract (1.0.0)
actionmailer (3.0.3)
actionpack (3.0.3)
activemodel (3.0.3)
activerecord (3.0.3)
activeresource (3.0.3)
activesupport (3.0.3)
arel (2.0.4)
builder (2.1.2)
bundler (1.3.4)
cgi_multipart_eof_fix (2.5.0)
columnize (0.3.6)
crack (0.1.8)
daemons (1.1.0)
delayed_job (2.1.2)
erubis (2.6.6)
fastthread (1.0.1)
gem_plugin (0.2.3)
hoptoad_notifier (2.3.12)
httparty (0.6.1)
i18n (0.4.2)
linecache (0.46)
mail (2.2.10)
mime-types (1.16)
mongrel (1.1.5)
mysql2 (0.2.6)
nokogiri (1.4.4)
polyglot (0.3.1)
rack (1.2.1)
rack-mount (0.6.13)
rack-test (0.5.6)
rails (3.0.3)
railties (3.0.3)
rake (0.8.7)
rbx-require-relative (0.0.9)
ruby-debug (0.10.4)
ruby-debug-base (0.10.4)
ruby-xslt (0.9.7)
rubygems-bundler (1.1.1)
rubyzip (0.9.4)
rvm (1.11.3.6)
thor (0.14.6)
treetop (1.4.9)
tzinfo (0.3.23)
xml-simple (1.0.12)
My controller code is
def index
if request.xhr?
logger.debug " Ajax request yes"
else
logger.debug " Ajax request false"
end
respond_to do |format|
format.html
format.js
end
end
Jquery code is :
$.ajax({
type: "GET",
url:"someurl"
cache:false,
success: function(data) {
alert('success');
},
error: function(jqXHR, textStatus, errorThrown){
alert(jqXHR.responseText);
}
server log is
Started GET "/mozart_content?id=phyp10084_sa102&dt=20130704132018&api=a3aee3fa-567e-11df-be64-7779fa786bb0&sign=WBCbzBY0GDAP6mQVLxcFZX-ES10%3D" for 192.168.42.27 at Thu Jul 04 18:49:44 +0530 2013
Processing by MozartContentController#index as HTML
Parameters: {"sign"=>"WBCbzBY0GDAP6mQVLxcFZX-ES10=", "api"=>"a3aee3fa-567e-11df-be64-7779fa786bb0", "dt"=>"20130704132018", "id"=>"phyp10084_sa102"}
Ajax request false
Rendered mozart_content/index.html.erb within layouts/application (149.3ms)
Completed 200 OK in 155ms (Views: 154.3ms | ActiveRecord: 0.0ms)
This is the issue...Ajax does not work on cross domain.
From Firefox Docs,
HTTP Requests made using the XMLHttpRequest object were subject to the
same-origin policy. In particular, this meant that a web application
using XMLHttpRequest could only make HTTP requests to the domain it
was loaded from, and not to other domains.
You're making a POST without specifying data. Change type to GET if you want to do a GET or add data to the request.
yes it some times give false when posted thorugh $.ajax in place of this you can check request.format == :js