
Content Security Policy: The page’s settings blocked the loading of a resource at blob


Issue Description: When we try to export to Excel using a secured load balancer URL, we are not able to download the Excel or PDF, and we observe a CSP error (please refer to the screenshot). But if we use an unsecured URL, the download works fine. This issue happens only in the Firefox browser.

Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://rdapps.bbh.com/b163a3fb-5067-4dae-90d9-d7c134933f59 (“default-src”).

The CSP policy set at the LB web server (external servers) is:

default-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; img-src * data:; object-src *

We tried to set the CSP policy at our own servers (WebSphere servers), but it did not override the CSP policy coming from the outside server and did not resolve the issue.

The desired behavior is that the PDF/Excel export should happen without any issue, just like it happens in other browsers except Firefox.


More system details

Installed plug-ins

  • Shockwave Flash 32.0 r0

Application

  • User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0

crankygoat

Firefox tends to be more strict with certificates than other browsers. The cert chain is possibly broken somewhere, and Firefox will not go searching for intermediate certs to fix the problem itself, like some other browsers.


Question owner

@crankygoat We have a load balancer web server where we have an SSL certificate installed. This load balancer web server routes the request to 2 other nodes, and these nodes don't have the SSL certificate.

Do we need to install the same SSL cert on these nodes also?

crankygoat

As long as the full chain of certs is sent to Firefox, and the certs don't have issues which would affect your downloading, additional installation shouldn't be necessary. You can test domains, assuming they are publicly accessible, here (for example): https://www.ssllabs.com/ssltest/

I only mention the cert chain as you say the issue does not occur over HTTP.

Do all the Firefox browsers have extensions which could cause the issue?

The CSP is pretty permissive, but doesn't specifically allow blob:, which isn't covered by * as far as I know. I have no idea if that even matters, I am not an expert here.

This could be a valid bug, but a bug report would need to be reproducible, but you are operating in a complex enterprise environment with possibly proprietary or bespoke web applications.

Hopefully someone else can assist you, or you can possibly file a bug report if that is feasible. Best wishes in getting this sorted out!

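As an added illustration (not part of the thread, and not code from Firefox or the posters), the sketch below models only the scheme part of CSP source matching to show the two points raised above: `*` does not cover `blob:` unless it is listed, and a second policy sent by another server is enforced alongside the first rather than overriding it. `connect-src` stands in for whichever unset directive falls back to `default-src`; `APP_POLICY`, `LB_FIXED` and the `app.example` URL are assumptions.

```javascript
// Reduced model of CSP source matching: schemes only.
// Host sources, nonces, hashes and keywords never match here.
const NETWORK_SCHEMES = new Set(['http:', 'https:']);

// Parse one header value into { directive: [sources] }; first duplicate wins.
function parsePolicy(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Does a single policy allow `url` under `directive`? Simplified fallback:
// an unset directive goes straight to default-src.
function policyAllows(header, directive, url, pageScheme = 'https:') {
  const policy = parsePolicy(header);
  const sources = policy[directive] ?? policy['default-src'];
  if (!sources) return true; // nothing applicable to enforce
  const scheme = new URL(url).protocol; // "blob:", "data:", "https:" ...
  return sources.some((src) => {
    if (src === '*') return NETWORK_SCHEMES.has(scheme) || scheme === pageScheme;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === scheme;
    return false;
  });
}

// Every delivered policy is enforced; a load must pass all of them.
function allPoliciesAllow(headers, directive, url) {
  return headers.every((h) => policyAllows(h, directive, url));
}

// Policy quoted in the question (set at the load balancer).
const LB_POLICY = "default-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; img-src * data:; object-src *";
// Assumed second policy sent by the application server.
const APP_POLICY = 'default-src * blob: data:';
// Assumed corrected load balancer policy with blob: listed.
const LB_FIXED = LB_POLICY.replace('default-src *', 'default-src * blob:');
// Constructed blob URL on a placeholder origin.
const BLOB_URL = 'blob:https://app.example/00000000-0000-4000-8000-000000000000';

console.log({
  lbOnly: allPoliciesAllow([LB_POLICY], 'connect-src', BLOB_URL),
  lbPlusApp: allPoliciesAllow([LB_POLICY, APP_POLICY], 'connect-src', BLOB_URL),
  lbFixed: allPoliciesAllow([LB_FIXED], 'connect-src', BLOB_URL),
});
```

Listing `blob:` on the specific directive the export needs, rather than on `default-src`, keeps the policy change narrow.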