jcorporation / myMPD

myMPD is a standalone and mobile friendly web mpd client with a tiny footprint and advanced features.
https://jcorporation.github.io/myMPD/
GNU General Public License v3.0

Content Security Policy issue in firefox. Chrome/chromium seem to work fine. #136

Closed jcorporation closed 5 years ago

jcorporation commented 5 years ago

I should note, the problem is in firefox. Chrome/chromium seem to work fine.

If that's the workaround in web_server.c lines 317-320, it's not accounting for inline or eval. You may need to add 'unsafe-inline' and 'unsafe-eval' to script-src, or add nonces/hashes (which would be better).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Again, everything seems to be working properly in chromium, but I'm almost certain the CSP is the problem in firefox.

EDIT: and the last build I installed was for standard linux install, not arch specific. I get the problem on both build types.

Originally posted by @CultofRobots in https://github.com/jcorporation/myMPD/issues/131#issuecomment-504048698
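To make the distinction in the comment above concrete (allowing scripts via 'unsafe-inline'/'unsafe-eval' versus via a hash source), here is an added checker. It is not myMPD's code; the sample policy is constructed for the example and is not the header from web_server.c.

```python
import base64
import hashlib

# Constructed sample policy (not the one myMPD sends): scripts only from
# the site's own origin, no inline or eval.
SAMPLE_CSP = (
    "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; connect-src 'self' ws: wss:"
)

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source tokens]}.
    A repeated directive is ignored, as browsers ignore it."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """script-src falls back to default-src when it is not set."""
    return policy.get(directive, policy.get("default-src", []))


def script_policy_findings(header: str) -> list:
    """Flag script-src settings that weaken the policy."""
    sources = effective_sources(parse_csp(header), "script-src")
    findings = []
    has_hash_or_nonce = any(s.startswith(HASH_OR_NONCE) for s in sources)
    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it
    # when no such source is present.
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in sources:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in sources:
        findings.append("script-src allows any origin")
    return findings


def hash_source(inline_script: str, algo: str = "sha256") -> str:
    """Hash source for one inline script body (the exact bytes between the
    <script> tags), usable in script-src instead of 'unsafe-inline'."""
    digest = hashlib.new(algo, inline_script.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))
```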

jcorporation commented 5 years ago

myMPD should not need 'unsafe-inline' or 'unsafe-eval'. There is no inline JavaScript and also 'eval' is not used. I also use firefox and I see no error from content-security-policy. Is it eventually a plugin that causes that issue?

CultofRobots commented 5 years ago

I know it's not a ff plugin issue as the error shows with plugins disabled. From the console debug page in ff:

<script src="js/i18n.min.js"></script>
<script src="js/keymap.min.js"></script>
<script src="js/bootstrap-native-v4.min.js"></script>
<script src="js/mympd.min.js"></script>

CSP issue is probably being caused by one of the above scripts not being accounted for. To start, I would do a test build adding unsafe-eval and unsafe-inline to script-src in web_server.c to see if the issue clears in firefox and go from there.

As for the queue control glyph, I just checked webconsole in 5.4.0 and I also have the same CSP errors, but the queue control glyph works fine in that version on firefox. That may or may not be related to the CSP, but I'm leaning towards not related at this point. I'm starting to think the CSP issue is just a minor annoyance that can be put on the back-burner at this point.

I'll rebuild the latest git commit on another machine in a bit just to make sure the glyph issue isn't just on my end.

jcorporation commented 5 years ago

The glyph issue is fixed, as mentioned in the other issue: https://github.com/jcorporation/myMPD/issues/131#issuecomment-504040869

What version of firefox do you use? I use 67.0.3 on linux with no CSP errors in the console.

CultofRobots commented 5 years ago

67.0.3 (64-bit) on linux

jcorporation commented 5 years ago

Hm, exactly the same version. Eventually a connection issue. Do you use ssl or not?

CultofRobots commented 5 years ago

CSP issue is on my end on this machine. It's not occurring on another machine. This can be closed as it's user error on my part. Thanks. (glyph works fine now too.)

EDIT: It was a stray userscript throwing out the error which isn't even running on my intranet sites. Don't I feel dumb.

EDIT2: Actually it's tampermonkey addon itself and not even a running script.