Asked Fri, July 6, 2012 / answers: 1 / hits: 22415

I'm trying to use TinyMCE while using following Content-Security-Policy HTTP header:



X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-eval'; img-src *; media-src *; frame-src *; font-src *; style-src 'self' 'unsafe-inline'; report-uri /:reportcspviolation


I get following errors in Tools - JavaScript Console:



Refused to execute JavaScript URL because it violates the following Content Security Policy directive: script-src 'self' 'unsafe-eval'.
about:blank:1
Refused to execute inline event handler because it violates the following Content Security Policy directive: script-src 'self' 'unsafe-eval'.
test.xhtml:1
Refused to execute JavaScript URL because it violates the following Content Security Policy directive: script-src 'self' 'unsafe-eval'.
about:blank:1
Refused to execute inline event handler because it violates the following Content Security Policy directive: script-src 'self' 'unsafe-eval'.
test.xhtml:1


However, there's no executable JS code in the test.xhtml because it only uses external <script> to work with CSP header given. The reference to about:blank is also similarly invalid.



Any ideas how to figure out where the cause for the CSP violation is?



It seems that Chrome's internal JS debugger does not identify the source.



In addition, for some reason, Chrome shows CSP violation reports as Pending in Tools - Developer Tools - Network, but inspecting the data-to-be-sent does not give any additional info. Example:



{
  "csp-report": {
    "document-uri": "about:blank",
    "referrer": "url-of/test.xhtml",
    "violated-directive": "script-src 'self' 'unsafe-eval'",
    "original-policy": "default-src 'self'; script-src 'self' 'unsafe-eval'; img-src *; media-src *; frame-src *; font-src *; style-src 'self' 'unsafe-inline'; report-uri /:reportcspviolation"
  }
}


I'm able to figure out that the error messages are about using e.g. an onclick attribute in some piece of HTML that TinyMCE loads on the fly, but which file should I look for? Another error is probably a piece of TinyMCE HTML where some href has a value that starts with javascript:, but that too is really hard to find without any pointers from Chrome. The whole setup works with Firefox 13 (using the corresponding CSP header).



Is there any way to make Chrome throw Exception for every CSP violation?


Answers

The cause of this specific issue was that TinyMCE created some hidden iframe elements for its implementation of the editor. The TinyMCE implementation then tries to run JS using e.g. an inline onclick attribute in one of those iframe elements, which obviously fails due to the CSP rules.


In general, if a script generates a new frame (e.g. about:blank) and then tries to run some code within it, Google Chrome cannot provide anything meaningful in the Console nor to the CSP report URL. All you get is about:blank:1.


This is because Google Chrome doesn't keep info about the source of the inline onclick attribute. Basically the browser would need information about which code issued the document.write() that added the misbehaving onclick code! I guess doing that for every document.write() would be too expensive for runtime performance. I wish they would keep track of the code location that created that specific iframe, because that might help in tracking down the source of the problem. In addition, Google Chrome is unable to point you to the correct iframe when TinyMCE has created multiple invisible iframe elements, because the URL of every one of those was about:blank before additional content was added via document.write().


Nowadays you can add 'report-sample' to the Content-Security-Policy which may help tracking down the problem a bit. Sometimes you can identify the problematic code from the script sample you get in the report.


[#84424] Thursday, July 5, 2012
samara
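The answer's point is that a report with document-uri about:blank tells you almost nothing by itself; the referrer names the real page, and the script-sample field added by 'report-sample' is what you grep for. Here is an added example (not code from the question, the answer, or TinyMCE) of a small triage routine for the legacy csp-report JSON that Chrome posts to report-uri; the sample report, the hostname example.test and the script-sample value are constructed.

```javascript
// Added example: triage one CSP violation report of the kind shown in the
// question. Field names follow the legacy "csp-report" JSON format that
// browsers POST to report-uri. Reports and hostnames below are constructed.

function triageCspReport(rawJson) {
  const report = JSON.parse(rawJson)["csp-report"];
  if (!report) {
    throw new Error("not a csp-report payload");
  }
  const documentUri = report["document-uri"] || "";
  const referrer = report["referrer"] || "";
  const directive =
    report["effective-directive"] || report["violated-directive"] || "";

  // document-uri of about:blank means the violation fired inside a frame
  // that a script created and filled (e.g. via document.write()); the page
  // that actually hosts the offending script is the referrer.
  const inScriptCreatedFrame = documentUri === "about:blank";
  const page = inScriptCreatedFrame && referrer ? referrer : documentUri;

  // source-file/line-number are only present when the browser could
  // attribute the violation; script-sample (sent when the policy contains
  // 'report-sample') holds the start of the blocked inline code.
  const location = report["source-file"]
    ? `${report["source-file"]}:${report["line-number"] ?? "?"}`
    : null;
  const sample =
    typeof report["script-sample"] === "string" ? report["script-sample"] : null;

  return { page, directive, inScriptCreatedFrame, location, sample };
}

// Constructed sample: the report from the question as it would look once
// the policy also carries 'report-sample' (script-sample value is made up).
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "about:blank",
    "referrer": "https://example.test/test.xhtml",
    "violated-directive": "script-src 'self' 'unsafe-eval'",
    "original-policy":
      "default-src 'self'; script-src 'self' 'unsafe-eval' 'report-sample'; report-uri /:reportcspviolation",
    "script-sample": "doSomething(event)"
  }
});

console.log(triageCspReport(SAMPLE_REPORT));
```

Reports whose document-uri is a normal page URL keep that URL as the page and, when the browser could attribute them, carry a source-file:line-number location.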