
Content Security Policy: The page’s settings blocked the loading of a resource at blob


Issue Description: When we try to export to Excel using a secured load balancer URL, we are not able to download the Excel or PDF and we observe a CSP error (please refer to the screenshot). But if we use an unsecured URL, the download works fine. This issue happens only in the Firefox browser.

Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://rdapps.bbh.com/b163a3fb-5067-4dae-90d9-d7c134933f59 (“default-src”).

The CSP policy set at the LB web server (external servers) is:

default-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; img-src * data:; object-src *

We tried to set the CSP policy at our own servers (WebSphere servers), but it did not override the CSP policy coming from the outside server and did not resolve the issue.

The desired behavior is that the PDF/Excel export should happen without any issue, just like it happens in other browsers except Firefox.


Additional System Details

Installed Plug-ins

  • Shockwave Flash 32.0 r0

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0


crankygoat
  • Top 25 Contributor
29 solutions 327 answers

Firefox tends to be more strict with certificates than other browsers. The cert chain is possibly broken somewhere, and Firefox will not go searching for intermediate certs to fix the problem itself, like some other browsers.


Question owner

@crankygoat We have a load balancer web server where we have an SSL certificate installed. This load balancer web server routes the request to 2 other nodes, and these nodes don't have the SSL certificate.

Do we need to install the same SSL cert on these nodes also?

crankygoat
  • Top 25 Contributor
29 solutions 327 answers

As long as the full chain of certs is sent to Firefox, and the certs don't have issues which would affect your downloading, additional installation shouldn't be necessary. You can test domains, assuming they are publicly accessible, here (for example): https://www.ssllabs.com/ssltest/

I only mention the cert chain as you say the issue does not occur over HTTP.

Do all the Firefox browsers have extensions which could cause the issue?

The CSP is pretty permissive, but doesn't specifically allow blob:, which isn't covered by * as far as I know. I have no idea if that even matters, I am not an expert here.

This could be a valid bug, but a bug report would need to be reproducible, but you are operating in a complex enterprise environment with possibly proprietary or bespoke web applications.

Hopefully someone else can assist you, or you can possibly file a bug report if that is feasible. Best wishes in getting this sorted out!

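Added example, not part of the thread: a simplified model of CSP source matching (JavaScript, runs under Node) applied to the policy and blob: URL quoted in the question. It shows that `*` does not cover the `blob:` scheme, and that when two policies reach the browser each one must allow the load, so a header added by an inner server cannot loosen the load balancer's. `FETCH_DIRECTIVE` and `INNER_POLICY` are assumptions made for the illustration; the thread does not say which directive governs the export or what the WebSphere header contained.

```javascript
// Added example: simplified CSP source matching ('*', scheme-sources, 'self',
// scheme://host sources). Paths, ports and wildcard hosts are not handled.
const WILDCARD_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

const sameSchemeAndHost = (a, b) => a.protocol === b.protocol && a.host === b.host;

function sourceMatches(expr, target, page) {
  if (expr === "*") {
    // "*" covers network schemes and the page's own scheme only;
    // blob:, data: and filesystem: have to be listed explicitly.
    return WILDCARD_SCHEMES.has(target.protocol) || target.protocol === page.protocol;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  if (expr.toLowerCase() === "'self'") return sameSchemeAndHost(target, page);
  if (expr.startsWith("'")) return false; // 'unsafe-inline', 'none', ... never match a URL
  try { return sameSchemeAndHost(new URL(expr), target); } catch { return false; }
}

// One policy: use the named directive, else fall back to default-src.
function allows(policy, directive, url, pageUrl) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (sources === undefined) return true; // nothing in this policy governs the fetch
  const target = new URL(url), page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, target, page));
}

// Several policies (e.g. one header per server tier): all of them must allow the URL.
function allowsAll(policies, directive, url, pageUrl) {
  return policies.every((p) => allows(p, directive, url, pageUrl));
}
// PAGE, BLOB and LB_POLICY are taken from the thread. FETCH_DIRECTIVE is an
// assumption: any directive absent from the policy falls back to default-src.
const PAGE = "https://rdapps.bbh.com/";
const BLOB = "blob:https://rdapps.bbh.com/b163a3fb-5067-4dae-90d9-d7c134933f59";
const LB_POLICY = "default-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; img-src * data:; object-src *";
const FETCH_DIRECTIVE = "frame-src";
// Constructed: a more permissive second header, as an inner server might send.
const INNER_POLICY = "default-src * blob: 'unsafe-eval' 'unsafe-inline'";
console.log(allowsAll([LB_POLICY, INNER_POLICY], FETCH_DIRECTIVE, BLOB, PAGE));
```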