Trouble with Content Security Policy (CSP)

In the latest Firefox 33 there seems to be an issue with Content Security Policy (CSP) and how it handles URLs that are URL-encoded.
For instance, when some CSP directive is set to something like https://mywebsite.com/application/do;jsessiond=1234, it will get URL-encoded so the ; gets replaced by %3B.
In Firefox 32 and earlier this worked, but not in this new version.

It may be that it needs an application/x-www-form-urlencoded header; is this included in your URL request, as well as charset UTF-8?
If you select a different encoding via web dev [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI]
This sounds like what it did before? [http://www.justarrangingbits.org/firefox-magic-decoding-address-bar/index.html]
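As an added illustration (not part of the original thread, and not Firefox's implementation), the following Python sketch parses a CSP header into directives and matches a URL against a host-source expression in the style of CSP Level 2. It shows why a ; inside a source path is consumed as the directive separator, and why either percent-encoding it as %3B or using a path prefix is the way to express such a path in a policy; the simplifications (no scheme-only sources, no default-port handling) are assumptions of this model.

```python
# Added example (not from the thread above): a simplified CSP Level 2 style
# parser and matcher, written to show why ';' inside a host-source path is a
# problem. It is a teaching model, not Firefox's implementation.
from urllib.parse import urlsplit, unquote


def parse_csp(header):
    """Split a CSP header into {directive-name: [source, ...]}.
    Directives are separated by ';', so a ';' inside a source value cannot
    survive parsing: everything after it is read as a new directive and the
    source is silently truncated. For duplicate directives the first wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_source_matches(source, url):
    """Match url against one host-source (scheme://host:port/path).
    Simplifications: no scheme-only sources ('https:'), no default-port logic."""
    if "://" not in source:
        source = "//" + source  # bare host: any scheme
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme and s.scheme != u.scheme:
        return False
    s_host, u_host = s.hostname or "", u.hostname or ""
    if s_host.startswith("*."):
        if not u_host.endswith(s_host[1:]):
            return False
    elif s_host != "*" and s_host != u_host:
        return False
    if s.port is not None and s.port != u.port:
        return False
    if s.path:
        # A source path ending in '/' is a prefix match, otherwise exact match.
        # Both sides are percent-decoded first, so a policy written with
        # 'do%3Bjsessionid=1234' matches a request for 'do;jsessionid=1234'.
        s_path, u_path = unquote(s.path), unquote(u.path or "/")
        return u_path.startswith(s_path) if s_path.endswith("/") else u_path == s_path
    return True


def script_allowed(header, url, self_origin=None):
    """Evaluate url against script-src. 'self' expands to self_origin when given;
    other keyword sources ('unsafe-eval', 'none') carry no host and are skipped."""
    allowed = []
    for src in parse_csp(header).get("script-src", []):
        if src == "'self'" and self_origin:
            allowed.append(self_origin)
        elif not src.startswith("'"):
            allowed.append(src)
    return any(host_source_matches(src, url) for src in allowed)


if __name__ == "__main__":
    url = "https://mywebsite.com/application/do;jsessionid=1234"
    # The ';' in the path ends the directive, so the source is truncated to .../do
    print(parse_csp("script-src https://mywebsite.com/application/do;jsessionid=1234"))
    print(script_allowed("script-src https://mywebsite.com/application/do;jsessionid=1234", url))    # False
    # Two ways to express the intent: percent-encode the ';' or use a path prefix
    print(script_allowed("script-src https://mywebsite.com/application/do%3Bjsessionid=1234", url))  # True
    print(script_allowed("script-src https://mywebsite.com/application/", url))                      # True
```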

Similar Messages

  • Content security policy not being respected

    The following (seemingly valid) Content Security Policy does not work in Safari:
    script-src 'unsafe-eval' 'self' by.uservoice.com widget.uservoice.com www.google.com use.typekit.net js.stripe.com  localhost:35739
    Errors occur for a number of requests to the permitted services, including e.g.:
    Refused to load the script 'https://js.stripe.com/v1/?_=1398952171104' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self' by.uservoice.com widget.uservoice.com www.google.com use.typekit.net js.stripe.com  localhost:35739".

    Thanks for your reply gdgmac.
    Is there no easier way to do this?
    I understand I could backup, reset, then restore, but I was hoping there was some easier way.
    Out of curiosity, is this as-per-design?
    Many thanks for your help again,
    Chris

  • I am having trouble with my security questions, I want to change them, so it says that it sent me an email to change it but it never shows up, so I can't buy anything now?

This issue was resolved! I didn't think about restoring my computer to factory settings, but I did and now my computer works like brand new. Basically, just back up your files and do the following:
    http://www.youtube.com/watch?v=yPmT5Xbb8p0

  • Having trouble with the security questions for iTunes.  Tried to reset them, but the mail from Apple never comes . . .

    You need to ask Apple to reset your security questions; ways of doing so include clicking here and picking a method for your country, and filling out and submitting this form.

  • Trouble with java security manager

    I have set up a security manager for my webapp running on Tomcat. The application enables the user to write his own scripts using JavaScript, which is why I need to set up a security manager.
    Using Rhino as the script interpreter, it is possible to use the standard Java security mechanisms, e.g. using the security manager to handle the scripts' rights.
    I've added the following lines to my policy file:
    // give server all rights
    grant codeBase "file:webapp/WEB-INF/-" {
         permission java.security.AllPermission;
    };
    // rights granted to scripts
    grant codeBase "file:restrictedClient" {
         permission java.io.FilePermission "webapp/WEB-INF/lib/js.jar", "read";
    };
    I've assigned the scripts to the "restrictedClient" code base. However, the script execution fails as the script does not have the permission to access or define classes of any package (even standard java packages like java.lang or java.math).
    In java.security, I have found the following comment:
    # List of comma-separated packages that start with or equal this string
    # will cause a security exception to be thrown when
    # passed to checkPackageDefinition unless the
    # corresponding RuntimePermission ("defineClassInPackage."+package) has
    # been granted.
    # by default, no packages are restricted for definition, and none of
    # the class loaders supplied with the JDK call checkPackageDefinition.
    #package.definition=
    I now wonder why checkPackageDefinition is called even though there's no entry for any package to be checked.
    Extending the policy file like this:
    grant codeBase "file:restrictedClient" {
         permission java.lang.RuntimePermission "accessClassInPackage.webapp/WEB-INF/classes/org/mozilla/javascript";
         permission java.io.FilePermission "webapp/WEB-INF/lib/js.jar", "read";
         permission java.lang.RuntimePermission "defineClassInPackage.java.io";
         permission java.lang.RuntimePermission "defineClassInPackage.java.util";
         permission java.lang.RuntimePermission "defineClassInPackage.java.net";
         permission java.lang.RuntimePermission "defineClassInPackage.java.sql";
         permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
         permission java.lang.RuntimePermission "defineClassInPackage.java.math";
         permission java.lang.RuntimePermission "de.methodpark.pkit.facade.impl";
    };
    works, but an unpleasant feeling remains :-).
    Rhino creates its own classloader for script execution. Could that be the source of the strange behaviour?
    Any help would be appreciated!
    Regards,
    Matthias

    David,
    I was glad to see your post regarding WLS 9.2 and the troubles with enabling Java Security Manager.
    Were you able to learn any more on things like why the admin console doesn't work when the security manager is enabled with the default policy file? Also, why is it so difficult to add permissions for your own applications and get them to actually work?
    I'd be curious to see if you were able to get it to work or if you have any insights or resources that can help with this as we are really struggling to get a restrictive policy file that works.
    Thanks,
    D

  • What is wrong with AS (Security policy)

    In my opinion there are several huge flaws in AS2.0.
    Currently the security policy (which is FUBAR) is causing me a lot of grief.
    I'm trying to do a simple login over https with the swf running from within a projector, but it seems totally impossible, despite all promises with cross-domain files and everything.
    Is there anybody around here that has successfully been able to login over https from another domain (not on a http page)?
    Any solution, the uglier the better, will be greatly appreciated.

    On this page:
    http://livedocs.adobe.com/flash/mx2004/main_7_2/wwhelp/wwhimpl/common/html/wwhelp.htm?context=Flash_MX_2004&file=00001097.html
    there is a short snippet:
    "If the SWF file you are downloading comes from a HTTPS server, but the SWF file loading it is on an HTTP server, you need to add the secure="false" attribute to the <allow-access-from> tag, as shown in the following code:
    <allow-access-from domain="www.foo.com" secure="false" />"
    This made me really happy, until I tested it out. As with a lot of things in the Macromedia documentation, it does not match the provided functionality.
    Given that the documentation is correct, the following code should work:
    System.security.loadPolicyFile("http://somedomain.com/secure/crossdomain.xml");
    this.createEmptyMovieClip("tester_mc", 1);
    tester_mc.loadMovie("https://somedomain.com/secure/test.swf");
    Given that the crossdomain file looks like this:
    <cross-domain-policy>
    <allow-access-from domain="*" secure="false"/>
    </cross-domain-policy>
    I'm so puzzled I'm seriously considering jumping out of the window...

  • Trouble with Content Server connection

    I am having an issue with Content Server on Unix. I'm finished with the Content Server install and need to connect my ABAP system to it via CSADMIN. But when I first enter CSADMIN, I give it my host and port. What is the Unix HTTP script name for the default install? Only the Windows name - ContentServer.dll - is populated. What is the web address to get to the content server?
    http://<host>:<port>/???????
    Do I need to do something with OAC0 and SICF first, before going to CSADMIN? The guide does not mention anything.
    Thanks for your replies!
    Jeff

    Hi. I don't know about CS on UNIX; on Windows CS uses port 1090 and the HTTP script ContentServer/ContentServer.dll
    The web page is
    http://server:1090/ContentServer/ContentServer.dll?serverInfo.
    It's on Windows....
    Also read this Note 586895:
          New access paths and compatibility with Windows systems
                  The "/ContentServer/ContentServer.dll" and "/Cache/CSProxyCache.dll" paths have since been established as fixed default values for the Content Server/Cache Servers for Windows.
                  The module access in the Apache Web server is not restricted to actual paths for program files. Using <location> tags, you can determine any (sub)paths that are to be used to access a module. These tags are entered in the "httpd.conf" file within the relevant module configurations. You can also define the clients allowed to access this "location" within a <location> tag with an Allow/Deny clause.
                  To be able to continue using the Windows paths proposed in the SAP system, these Windows paths are installed as compatibility tags.
                  In addition to this, you can use the new, essentially shorter paths "/sapcs" and "/sapcsc" to access the SAP Content Server and the SAP Cache Server.
                  The "Modifications to httpd.conf" attachment to the installation manual contains a list of all of the access paths delivered.
    Regards. Award if helpful.
    Edited by: Sergo Beradze on Mar 11, 2008 4:37 PM

  • Trouble with my secure network

    Hello, just got my new iPod touch today, it is the latest generation (32GB) and I'm having a **** of a time connecting to our house's secure wireless network.
    No matter how many times I input the password, I always get a denial, saying that it could not connect to the network. Now, I am using a D-Link wireless router, and I have tried turning off the security altogether (which worked), but as soon as I turned it back on it kicked me from the network, and I couldn't log in again.
    The damnedest thing is that not one day ago, my brother got an iPod touch himself (it came as a free gift with a MacBook Pro purchased by my father); it is a 16GB from the previous generation of iPod touches, but it works just fine with our secure Wi-Fi, but mine won't for whatever reason.

    The only security I haven't tried yet is WEP, and that's just because it changes the password to something I don't know.
    I actually just got off the phone with a "product expert" who said that this is a widespread firmware issue and that they were working on making a downloadable fix. Honestly I'm not sure if he is to be believed or not, but judging from all the posts I found using Google, I certainly believe the bit about it being a widespread issue.
    By the way LE, do you have the first generation of iPod touch? Just curious, seeing as how my brother's similarly had no problems connecting.

  • This page has a content security policy that prevents it from being embedded in this way

    I keep getting this warning message on random pages, including AOL Mail and Android Central Forums, after recent Firefox updates. I can't click this message off, and it locks the entire browser. Sometimes I can X out of it, and sometimes it opens many tabs and I have to force close it. I've been using Chrome, out of frustration, for the last few days and haven't had this pop up. I've used Firefox for many years and really enjoy it and hope I can continue. Any help and ideas would be appreciated.

    Do a malware check with several malware scanning programs on the Windows computer.
    Please scan with all programs because each program detects different malware.
    All these programs have free versions.
    Make sure that you update each program to get the latest version of their databases before doing a scan.
    *Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php
    *AdwCleaner: http://www.bleepingcomputer.com/download/adwcleaner/ or http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
    *SuperAntispyware: http://www.superantispyware.com/
    *Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
    *Windows Defender: http://windows.microsoft.com/en-us/windows/using-defender
    *Spybot Search & Destroy: http://www.safer-networking.org/en/index.html
    *Kaspersky Free Security Scan: http://www.kaspersky.com/security-scan
    You can also do a check for a rootkit infection with TDSSKiller.
    *Anti-rootkit utility TDSSKiller: http://support.kaspersky.com/5350?el=88446
    See also:
    *"Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked
    *https://support.mozilla.org/kb/troubleshoot-firefox-issues-caused-malware
    Boot the computer in Windows Safe Mode with network support (press F8 on the boot screen) as a test.
    *http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

  • Having trouble with content-aware

    I am trying to use content-aware, but am having trouble finding out how to do it, even though I have watched the videos.
    When I outline the object that I want to remove and go to Edit>Content-aware, I can't find out how to finish the procedure.
    Also, I don't have the same little boxes on the tool bar on the top for that application.
    Can anyone help?
    Thanks.

    Hmmmm, tried that.  Clicked the marquee tool, outlined the shape that I wanted to remove, Clicked Edit>fill>Content-aware>ok and it worked a little magic, but then took half the image of the person alongside the portion that I wanted to fill and duplicated it.
    I tried using the eraser tool, highlighted the image, fill, but it has a greyed-out content-aware.  Can't do it that way.
    Drum roll please.................
    If you use the magic wand and select the part you want to get rid of, then click Edit>fill>Content-aware>ok, it works.
    Thank you very much Michael.

  • Trouble with saving Security Update 2008-007

    Hi,
    When it searches for software updates, it always invites me to install Security Update 2008-007, but it can't be saved (it says impossible to save - network error: the file (-3001) can't be opened). Could you please help me with this issue?
    Thanks very much in anticipation

    Try the stand-alone Security Update 2008-007.
    -mj

  • Help with configuring security policy

    Hi guys,
    I've got two questions, in the same vein, around SCEP and SCCM policies (2012 R2). After looking a bit within the console and some searching around, I don't see anything glaringly obvious to address the following questions, though it's possible I've overlooked it.
    1) Is it possible to create a policy to prevent anyone NOT in the DomainAdmins group the ability to override a detected virus?
    2) Is there a way to initiate a shutdown if the SCEP service fails or is stopped at any time?
    Thanks in advance for any suggestions.
    --Gabe

    Hi,
    1. What is "override a detected virus"?
    2. You could take a look at System Center Orchestrator.
    http://technet.microsoft.com/en-us/library/hh206052.aspx
    Best Regards,
    Joyce

  • Trouble with Privacy & Security

    Hello Mac-ers,
    I turned on the feature to require a password after the screen saver starts. I didn't like it so I turned it off....so I thought. The 'Require password...' box is unchecked, but after an hour or so, when I return to my computer, the screen saver (dropping photos, which it accesses on an external drive) is frozen, and when I move my mouse, the mouse cursor kind of 'erases' the frozen screen saver (in a blocky pattern), revealing the grey login screen underneath, and requires me to log in.
    Any ideas what's going on here?
    Thanks,
    Tom

    Is there a way to 'reset' those preferences? Is there a pref file I can trash and then restart?

  • Cisco NAC web agent Network Security Policy

    I have a computer with an installed McAfee Antivirus that is up to date. However, each time I try to access one of my client's servers via VPN, I successfully connect to the VPN using Cisco AnyConnect, but whenever I try to download the web agent and the device security check is run, I get the feedback "Host is not compliant with network security policy". It also gives me a remediation description of "please update your antivirus". (see attached screenshot)
    Please note that I already have my McAfee antivirus updated and I have done everything to keep my computer in good shape in terms of security.
    What is the possible cause for this?

    That means the CAM hasn't received an SNMP trap for that MAC address.  Double-check that the WLC is set up to send traps to the CAM: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_woob.html#wp1290626
    You can see if the CAM's received a trap for a specific MAC by looking under OOB Management > Devices > Discovered Clients.

  • Invoke a business service base in a WSDL with customer WS-Security Policy

    A customer wrote a Web service (refer to the attachment file “HTTPS_PartyServicePortType.WSDL”) which declares a WS-Security Policy and applies it to the WS binding. How can I generate a business service based on this WSDL and invoke it successfully?
    When creating a business service in OSB, we get an error with the messages below:
    [[OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy. For the Business Service, either you can add the necessary client policies manually by clicking Add button or you can let Oracle Service Bus automatically pick and add compatible client policies by clicking Add Compatible button.
    After enhancing the OSB domain with the OWSM extension, we found that the OOTB OWSM policies defined cannot support the HttpsToken, and OSB cannot support the WS-Policy assertions below defined in OWSM; refer to http://docs.oracle.com/cd/E21764_01/doc.1111/e15866/owsm.htm#OSBDV1681
    51.2.8.1 Unsupported Assertion
    •     binding-permission-authorization
    •     http-security
    •     OptimizedMimeSerialization (MTOM)
    •     RMAssertion (Reliable Messaging)
    •     sca-component-authorization
    •     sca-component-permission-authorization
    •     UsingAddressing
    •     wss-saml-token-bearer-over-ssl (Authentication)
    This means that we cannot generate a web service with the customer's WS-Security Policy.
    The WS-Security Policy is shown as below:
    <wsp:Policy wsu:Id="WSHttpBinding_IPartyServicePortType_policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:TransportToken>
                <wsp:Policy>
                  <sp:HttpsToken RequireClientCertificate="false"/>
                </wsp:Policy>
              </sp:TransportToken>
              <sp:AlgorithmSuite>
                <wsp:Policy><sp:Basic256/></wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
            </wsp:Policy>
          </sp:TransportBinding>
          <wsaw:UsingAddressing/>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
    BestRegards!
    Simon

    Hi
    According to
    http://e-docs.bea.com/wls/docs90/webserv/annotations.html#1050414
    If you are going to publish the policy file in the Web Service archive, the policy XML file must be located in either the META-INF/policies or WEB-INF/policies directory of the EJB JAR file (for EJB implemented Web Services) or WAR file (for Java class implemented Web Services), respectively.
    Can you make sure the policy file is in there?
    Also there is a sample from the developer at http://dev2dev.bea.com/blog/jlee/archive/2005/09/how_to_use_anno.html
    Vimala-
