dloa / browser-react

React version of the Alexandria Browser

Blocked requests, content-security, uBlock #47

Closed Rob-pw closed 7 years ago

Rob-pw commented 7 years ago

Unrecognized Content-Security-Policy directive 'reflected-xss'.
button:1 Unrecognized Content-Security-Policy directive 'referrer'.
widget:1 Unrecognized Content-Security-Policy directive 'reflected-xss'.
widget:1 Unrecognized Content-Security-Policy directive 'referrer'.

Failed to load resource: net::ERR_BLOCKED_BY_CLIENT bugsnag-3.min.js 

Failed to load resource: net::ERR_BLOCKED_BY_CLIENT api.mixpanel.com/decide/verbose=1&version=1&lib=web&token=.. 
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT api.mixpanel.com/track/?data=.. 

Uncaught Error: uBlock Origin: aborting content scripts for https://alexandria.io/publisher/assets/svg/files-16px_single-folded-content.svg
Uncaught Error: uBlock Origin: aborting content scripts for https://alexandria.io/publisher/assets/svg/arrows-24px-glyph-2_file-upload-88.svg

bitspill commented 7 years ago

Those look like uBlock Origin blocking the analytics/tracking within the Coinbase buy widget that enables debit/credit card purchases; it's outside our control, and to be expected if you are running blocking extensions.

Rob-pw commented 7 years ago


Ah, yes! You are certainly correct about mixpanel.com & "/bugsnag-" being blocked (though not Coinbase, perhaps just the tracking part of it). For bugsnag (because we really want users' errors), all it'd involve is hosting it locally and calling it something different.

About the first few errors like "Unrecognized Content-Security-Policy directive", that's a misconfiguration that can be solved by updating our cross-site rules.

The bottom ones (.svg) are (apparently) blocked because they're off-screen (cosmetic filtering). Pass on this one; it doesn't seem to be causing tremendous issues. Having them in a spritemap could solve the issue, but again, not too sure.

bitspill commented 7 years ago

Bugsnag is also Coinbase: `<script src="https://d2wy8f7a9ursnm.cloudfront.net/bugsnag-3.min.js" data-apikey="80cef76279adc05fdfef518247c20386" data-endpoint="https://exceptions.coinbase.com"></script>`

Rob-pw commented 7 years ago

It should be possible to solve the issue though by hosting it ourselves under a different filename. The rest of the metadata in the script tag could remain the same, I think.

bitspill commented 7 years ago

It's not something we have any control over; it is included after loading https://buy.coinbase.com/widget?ABunchOfParameters

Rob-pw commented 7 years ago

Gotcha. In that case it's likely not bug tracking for our benefit, in which case I don't care. Can you confirm this is the case, that this isn't our bug tracking script? If so, I'm happy to close this issue.

bitspill commented 7 years ago

The data-endpoint confirms it's not our bug tracking, as it's phoning home to Coinbase; they're running the Enterprise edition of Bugsnag: https://docs.bugsnag.com/enterprise/#endpoint-configuration

Rob-pw commented 7 years ago

Oops, I forgot about these:

Unrecognized Content-Security-Policy directive 'reflected-xss'.
button:1 Unrecognized Content-Security-Policy directive 'referrer'.
widget:1 Unrecognized Content-Security-Policy directive 'reflected-xss'.
widget:1 Unrecognized Content-Security-Policy directive 'referrer'.

I don't know how serious they are.
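A small checker for the "Unrecognized Content-Security-Policy directive" warnings quoted in the post above, added here as an example; it is not code from this repository or from Coinbase. The directive lists are maintained by hand in the script and the sample policy is constructed for illustration. Browsers log that warning for any directive name they do not know and then ignore it, so the policy still applies minus the unknown directive; 'reflected-xss' and 'referrer' both come from early CSP drafts and were dropped from the standard, which is why they show up as unrecognized.

```python
"""Parse a Content-Security-Policy header value and report directives a
browser will ignore. Example code; directive lists and sample policy are
constructed for illustration and are not taken from any real deployment."""

from typing import Dict, List

# Directives defined in CSP Level 2/3 (assumption: hand-maintained list).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "sandbox", "form-action",
    "frame-ancestors", "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "require-trusted-types-for", "trusted-types",
}

# Directives from early CSP drafts that were dropped; browsers log
# "Unrecognized Content-Security-Policy directive" and ignore them.
REMOVED_DIRECTIVES = {
    "reflected-xss": "dropped from CSP; the browser XSS filter it controlled no longer exists",
    "referrer": "dropped from CSP; use the Referrer-Policy response header instead",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.
    Names are case-insensitive and, as in the spec, the first occurrence of
    a directive wins; later duplicates are ignored."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing semicolon
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def check_csp(header: str) -> List[str]:
    """Return one finding per directive the browser will not honour."""
    findings: List[str] = []
    for name in parse_csp(header):
        if name in REMOVED_DIRECTIVES:
            findings.append(f"{name}: {REMOVED_DIRECTIVES[name]}")
        elif name not in KNOWN_DIRECTIVES:
            findings.append(f"{name}: unrecognized directive, browsers will ignore it")
    return findings


# Constructed sample resembling a policy that would produce the warnings above.
SAMPLE_POLICY = (
    "default-src 'self'; script-src 'self' https://cdn.example.invalid; "
    "reflected-xss block; referrer no-referrer; frame-ancestors 'none'"
)

if __name__ == "__main__":
    for finding in check_csp(SAMPLE_POLICY):
        print(finding)
```

Running it against the constructed sample reports the two dropped directives and nothing else; a policy made up only of known directives returns no findings. Because the checker works on the header value, it applies equally to a `Content-Security-Policy` response header and to the `content` attribute of a `<meta http-equiv>` tag.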

OstlerDev commented 7 years ago

I can confirm that those are also caused by Coinbase.

Rob-pw commented 7 years ago

Okay, that's easy enough, thanks!