davidknipe / VisualCompare

Visual comparison option for the Episerver UI
MIT License

Add-on not working on DXP #6

Closed tanujatbrightfind closed 3 years ago

tanujatbrightfind commented 3 years ago

When trying to load the Visual Compare add-on on a DXP environment, it throws a "403" error in the console and the screen keeps spinning.

image

image

Attn: @davidknipe

tanujatbrightfind commented 3 years ago

Version 1.0.3

davidknipe commented 3 years ago

Can you check the console for errors? The content security policy may be blocking something, as 403s can be created when the CSP blocks the request that generates the diff.

tanujatbrightfind commented 3 years ago

image

Thanks for your response David. Please see attached screenshot. I can add a content security policy to web.config. Can you help me with the right sources needed for the add-on to work in DXP?

Current value:

<add name="Content-Security-Policy" value="default-src 'self' ws: wss: data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://dc.services.visualstudio.com https://az416426.vo.msecnd.net https://code.jquery.com https://maxcdn.bootstrapcdn.com https://www.facebook.com *.episerver.net *.bing.com *.virtualearth.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com *.episerver.net *.bing.com https://maxcdn.bootstrapcdn.com; font-src 'self' https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com data:; connect-src 'self' https://dc.services.visualstudio.com ws: wss: *.bing.com *.virtualearth.net; img-src 'self' data: http: https:; child-src 'self' http://player.vimeo.com https://www.youtube.com" />

Attn @davidknipe
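One way to check whether the policy quoted above would block the add-on's own request, as an added example (not code from this thread or from the VisualCompare project): it parses that policy and evaluates a same-origin POST against `connect-src`, which the policy permits, consistent with the 403 being traced to Cloudflare later in the thread. The site origin and endpoint path are placeholders, and the matcher is a simplified subset of CSP source matching.

```javascript
// Policy copied from the web.config value quoted in the comment above.
const POLICY = [
  "default-src 'self' ws: wss: data:",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://dc.services.visualstudio.com https://az416426.vo.msecnd.net https://code.jquery.com https://maxcdn.bootstrapcdn.com https://www.facebook.com *.episerver.net *.bing.com *.virtualearth.net",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com *.episerver.net *.bing.com https://maxcdn.bootstrapcdn.com",
  "font-src 'self' https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com data:",
  "connect-src 'self' https://dc.services.visualstudio.com ws: wss: *.bing.com *.virtualearth.net",
  "img-src 'self' data: http: https:",
  "child-src 'self' http://player.vimeo.com https://www.youtube.com",
].join("; ");

// Split the policy into directive -> source list; the first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified matching: 'self', scheme-sources, and host-sources with an optional
// scheme and a leading "*." wildcard. Ports, paths and scheme upgrades are not handled.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // keywords such as 'unsafe-inline' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const wantScheme = (scheme ? scheme + ":" : new URL(pageOrigin).protocol).toLowerCase();
  if (url.protocol !== wantScheme) return false;
  return wildcard ? url.hostname.endsWith("." + host.toLowerCase()) : url.hostname === host.toLowerCase();
}

// Fetch directives (connect-src, script-src, ...) fall back to default-src when absent.
function cspAllows(policy, fetchDirective, target, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives.get(fetchDirective) ?? directives.get("default-src");
  if (!sources) return true; // no governing directive: request is not restricted
  const url = new URL(target, pageOrigin);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const ORIGIN = "https://cms.example.com";        // placeholder site origin (assumption)
const DIFF_POST = "/diff-endpoint-placeholder";  // placeholder for the add-on's same-origin POST target
console.log("same-origin POST allowed:", cspAllows(POLICY, "connect-src", DIFF_POST, ORIGIN));
console.log("third-party POST allowed:", cspAllows(POLICY, "connect-src", "https://api.example.org/x", ORIGIN));
```

A request the CSP blocks is stopped in the browser and never reaches the server, so it produces a console violation rather than an HTTP status. `form-action` does not fall back to `default-src` and is absent from this policy, so a plain form POST would not be restricted either.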

tanujatbrightfind commented 3 years ago

Firewall error detail from Cloudflare resulting in 403:

{ "key": "group", "value": "cloudflare_specials" }, { "key": "rule_message", "value": "XSS, HTML Injection - Script Tag" }

Attn @davidknipe

davidknipe commented 3 years ago

Thanks for the info, I will look into it. From memory it posts the HTML of each version to get the red/green comparison back. Sounds like Cloudflare inspects the request and sees it as potential script injection. Will try to recreate and see if there is a workaround.

davidknipe commented 3 years ago

Pretty sure it's been blocked because of this line:

https://github.com/davidknipe/VisualCompare/blob/master/VisualCompareMode/modules/_protected/VisualCompareMode/Views/GetDiffBootstrapper.cshtml#L186

It posts two sets of HTML to a server-side controller method for the comparison version to be generated. So can you try replacing /modules/_protected/VisualCompareMode/Views/GetDiffBootstrapper.cshtml with this gist:

https://gist.github.com/davidknipe/bb9467a9bf51d6db785ec2699948c6c1

If it works then I will get it updated and push a new version out.

davidknipe commented 3 years ago

Hey @tanujatbrightfind did you manage to try the fix above?

tanujatbrightfind commented 3 years ago

Hi @davidknipe, I tried testing using the updated gist on DXP. I am still seeing the same 403 output.

image

davidknipe commented 3 years ago

Hey @tanujatbrightfind can you try again (have updated the gist). I am guessing that perhaps your source code had Githubissues.
