Content Security Policy: The page’s settings blocked the loading of a resource at blob
Issue Description: When we try to export to Excel using a secured load balancer URL, we are not able to download the Excel or PDF and we observe a CSP error (please refer to the screenshot). But if we use an unsecured URL, the download works fine. This issue happens only in the Firefox browser.
Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://rdapps.bbh.com/b163a3fb-5067-4dae-90d9-d7c134933f59 (“default-src”).
The CSP policy set at the LB web server (external servers) is:
default-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; img-src * data:; object-src *
We tried to set the CSP policy at our own servers (WebSphere servers), but it did not override the CSP policy coming from the outside server and did not resolve the issue.
The desired behavior is that the PDF/Excel export should happen without any issue, just as it does in browsers other than Firefox.
More system details
- Shockwave Flash 32.0 r0
- User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Firefox tends to be more strict with certificates than other browsers. The cert chain is possibly broken somewhere, and Firefox will not go searching for intermediate certs to fix the problem itself, like some other browsers.
@crankygoat We have a load balancer web server where we have an SSL certificate installed. This load balancer web server routes the request to 2 other nodes, and these nodes don't have the SSL certificate.
Do we need to install the same SSL cert on these nodes also?
As long as the full chain of certs is sent to Firefox, and the certs don't have issues which would affect your downloading, additional installation shouldn't be necessary. You can test domains, assuming they are publicly accessible, here (for example): https://www.ssllabs.com/ssltest/
I only mention the cert chain as you say the issue does not occur over HTTP.
Do all the Firefox browsers have extensions which could cause the issue?
The CSP is pretty permissive, but doesn't specifically allow blob:, which isn't covered by * as far as I know. I have no idea if that even matters, I am not an expert here.
This could be a valid bug, but a bug report would need to be reproducible, and you are operating in a complex enterprise environment with possibly proprietary or bespoke web applications.
Hopefully someone else can assist you, or you can possibly file a bug report if that is feasible. Best wishes in getting this sorted out!
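As an added example (not code from this thread or from any of the products it mentions), here is a small JavaScript model of the CSP3 source-matching rule the reply above points at: `*` matches ordinary network schemes but never blob:, data: or filesystem:, so the policy from the question needs an explicit `blob:` in default-src (or in the more specific directive) before a blob: export can load. The host, object id and directive names used below are placeholders.

```javascript
// Added example, not code from the thread: a minimal CSP3 source-list matcher.
// Assumptions: only 'none', '*', scheme-source ("blob:", "https:") and simple
// host-source (optional scheme, optional "*." prefix) are modelled; ports, paths,
// nonces and hashes are ignored. Host and directive names below are placeholders.

// Schemes that '*' never matches under CSP3; they must be listed explicitly.
const LOCAL_SCHEMES = new Set(['blob', 'data', 'filesystem']);

function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, u) {
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  if (source.startsWith("'")) return false;           // 'none', 'unsafe-inline', ...
  if (source === '*') return !LOCAL_SCHEMES.has(scheme);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {         // scheme-source, e.g. "blob:"
    return source.slice(0, -1).toLowerCase() === scheme;
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/i.exec(source); // host-source
  if (!m) return false;
  const [, srcScheme, wildcard, host] = m;
  if (srcScheme && srcScheme.toLowerCase() !== scheme) return false;
  const h = u.hostname.toLowerCase();              // '' for blob:/data: URLs, so no match
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

// Would `url` be allowed under `directive`? Falls back to default-src like a browser does.
function cspAllows(header, directive, url) {
  const csp = parseCsp(header);
  const sources = csp.get(directive) ?? csp.get('default-src');
  if (!sources) return true; // no governing directive, nothing to enforce
  const u = new URL(url);
  return sources.some((s) => sourceMatches(s, u));
}

// The thread's policy, and the same policy with blob: added to default-src.
const POLICY = "default-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; img-src * data:; object-src *";
const FIXED = POLICY.replace('default-src *', 'default-src * blob:');
// Constructed blob URL in the shape of the one from the error message.
const EXPORT_BLOB = 'blob:https://app.example.invalid/00000000-0000-4000-8000-000000000000';
console.log(cspAllows(POLICY, 'connect-src', EXPORT_BLOB)); // false: '*' does not cover blob:
console.log(cspAllows(FIXED, 'connect-src', EXPORT_BLOB));  // true
```

The same check explains why `img-src * data:` already works for inline images: `data:` is listed as a scheme-source there, while `default-src` has no `blob:` entry.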