Re: Content Security Policy - inline style

2018-06-15 Thread Lee Hinde via 4D_Tech

> On Jun 15, 2018, at 12:18 PM, Jim Hays via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> We wrestled with getting our web security up to snuff without having any
> in-house expertise.
> I found this site useful for testing and offering up next steps and links
> on how to fix the problems.
> 
> https://observatory.mozilla.org/ 
> 
> We found answers to exactly your issues by following these steps.
> 
> - Jim

Nice resource; thanks.

**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: Content Security Policy - inline style

2018-06-15 Thread Jim Hays via 4D_Tech
We wrestled with getting our web security up to snuff without having any
in-house expertise.
I found this site useful for testing and offering up next steps and links
on how to fix the problems.

https://observatory.mozilla.org/

We found answers to exactly your issues by following these steps.

- Jim

On Thu, Jun 14, 2018 at 6:15 PM Timothy Penner via 4D_Tech <4d_tech@lists.4d.com> wrote:

> I think it's telling you that the page does not have a default-src self
> tag. Therefore Content-Security-Policy (CSP) is blocking the loading of
> inline styles
> https://content-security-policy.com/
>
> Quote: "The default-src is the default policy for loading content such as
> JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media. See the
> Source List Reference for possible values."
> https://content-security-policy.com/#source_list
>
> The comments on this stack overflow post suggest not using inline css at
> all because it is unsafe:
>
> https://stackoverflow.com/questions/17766817/refused-to-apply-inline-style-because-it-violates-the-following-content-security/18428346
>
> -Tim

RE: Content Security Policy - inline style

2018-06-14 Thread Timothy Penner via 4D_Tech
I think it's telling you that the page does not have a default-src self tag.
Therefore Content-Security-Policy (CSP) is blocking the loading of inline
styles:
https://content-security-policy.com/

Quote: "The default-src is the default policy for loading content such as 
JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media. See the 
Source List Reference for possible values."
https://content-security-policy.com/#source_list

The comments on this Stack Overflow post suggest not using inline CSS at all
because it is unsafe:
https://stackoverflow.com/questions/17766817/refused-to-apply-inline-style-because-it-violates-the-following-content-security/18428346

-Tim

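To make Tim's explanation concrete (style-src falls back to default-src, and an inline style then needs 'unsafe-inline', a matching hash, or a nonce), here is a small checker that mirrors the browser's decision for the console message quoted in the original question. It is an added example written for this thread, not code from any of the posters or from 4D; the sample policy strings and CSS text are constructed, and the hash is computed the way the browser computes it (SHA-256 over the exact bytes between the <style> tags, base64-encoded).

```python
"""Check whether an inline <style> block passes a Content-Security-Policy,
and compute the hash source that would allow it.
Added example for this thread; not 4D code. Sample policies and CSS below
are constructed for illustration."""
import base64
import hashlib


def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive: [source expressions]}.
    Browsers ignore a repeated directive, so the first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def style_hash_source(style_text: str) -> str:
    """The 'sha256-<base64>' source expression for one inline <style> block.
    The digest covers the exact UTF-8 bytes between the tags, so any change
    to the block, even whitespace, produces a different hash."""
    digest = hashlib.sha256(style_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def effective_style_sources(policy: dict):
    """Inline styles are governed by style-src; when it is absent the browser
    falls back to default-src, which is exactly the case the console message
    in the original question describes."""
    if "style-src" in policy:
        return "style-src", policy["style-src"]
    return "default-src", policy.get("default-src")


def inline_style_allowed(header: str, style_text: str, nonce: str = None):
    """Return (allowed, reason) for applying an inline <style> under `header`.
    `nonce` is the value of the element's nonce="" attribute, if it has one."""
    directive, sources = effective_style_sources(parse_csp(header))
    if sources is None:
        return True, "neither style-src nor default-src set: inline styles unrestricted"
    has_hash_or_nonce = any(
        s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-")) for s in sources
    )
    # Per CSP level 2+, 'unsafe-inline' is ignored once a hash or nonce is listed.
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True, f"{directive} permits 'unsafe-inline' (weak: any injected style applies)"
    if style_hash_source(style_text) in sources:
        return True, f"{directive} lists the matching sha256 hash"
    if nonce and f"'nonce-{nonce}'" in sources:
        return True, f"{directive} lists the matching nonce"
    fallback = " (style-src not set, default-src used as fallback)" if directive == "default-src" else ""
    return False, f"Refused to apply inline style: violates \"{directive} {' '.join(sources)}\"{fallback}"


if __name__ == "__main__":
    css = "body { color: #333; }"  # constructed sample inline style
    weak = "default-src 'self'"  # the policy from the original question
    print(inline_style_allowed(weak, css))
    # Allow just this one block by hash instead of opening up 'unsafe-inline'.
    fixed = f"default-src 'self'; style-src 'self' {style_hash_source(css)}"
    print(style_hash_source(css))
    print(inline_style_allowed(fixed, css))
    print(inline_style_allowed(fixed, css + " "))  # a whitespace change breaks the hash
```

Running it prints the refusal for "default-src 'self'", the hash source to add to style-src, acceptance once that hash is listed, and a refusal again when the block's bytes change. The practical point for Randy's case: with many inline style blocks, per-block hashes are fragile (a single edit invalidates one), a nonce is the usual middle ground when the server can generate a fresh value per response, and 'unsafe-inline' is the option the Stack Overflow thread warns against.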

Content Security Policy - inline style

2018-06-14 Thread Randy Engle via 4D_Tech
I have a particular customer that is able to come up with all kinds of security 
snafus on a regular basis.

The latest is causing our web app to be really foobar in Chrome, Firefox, and Edge;
IE seems to be OK.

Anyone care to provide a 1/2 cup of enlightenment to this wondrous, mystical
area?

The error messages in Developer Tools read something like this:

Refused to apply inline style because it violates the following Content 
Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' 
keyword, a hash ('sha256-Y9v1MZrln1N8aPBY5lmpxYKwFkcp/nyBMMEnn7WFjuw='), or a 
nonce ('nonce-...') is required to enable inline execution. Note also that 
'style-src' was not explicitly set, so 'default-src' is used as a fallback.

A given web page has many, many of these error messages.

Help!  Big points to anyone who can provide anything!

Many thanks

Randy Engle, Director
XC2 Software LLC – XC2LIVE!

