
Support Forum

Content Security Policy: The page’s settings blocked the loading of a resource at blob

Posted

Issue description: When we try to export to Excel using a secured load balancer URL, we are not able to download the Excel or PDF, and we observe a CSP error (please refer to the screenshot). But if we use an unsecured URL, the download works fine. This issue happens only in the Firefox browser.

Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://rdapps.bbh.com/b163a3fb-5067-4dae-90d9-d7c134933f59 (“default-src”).

The CSP policy set at the LB web server (external servers) is:

default-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; img-src * data:; object-src *

We tried to set the CSP policy at our own servers (WebSphere servers), but it did not override the CSP policy coming from the outside server and did not resolve the issue.

The desired behavior is that the PDF/Excel export should happen without any issue, just like it happens in other browsers except Firefox.


Additional system details

Installed plug-ins

  • Shockwave Flash 32.0 r0

Application

  • User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0


crankygoat
  • Top 25 Contributor
40 solutions, 471 answers
Posted

Firefox tends to be more strict with certificates than other browsers. The cert chain is possibly broken somewhere, and Firefox will not go searching for intermediate certs to fix the problem itself, like some other browsers.


Question owner

@crankygoat We have a load balancer web server where we have an SSL certificate installed. This load balancer web server routes the request to 2 other nodes, and these nodes don't have the SSL certificate.

Do we need to install the same SSL cert on these nodes also?

crankygoat
  • Top 25 Contributor
40 solutions, 471 answers
Posted

As long as the full chain of certs is sent to Firefox, and the certs don't have issues which would affect your downloading, additional installation shouldn't be necessary. You can test domains, assuming they are publicly accessible, here (for example): https://www.ssllabs.com/ssltest/

I only mention the cert chain as you say the issue does not occur over HTTP.

Do all the Firefox browsers have extensions which could cause the issue?

The CSP is pretty permissive, but doesn't specifically allow blob:, which isn't covered by * as far as I know. I have no idea if that even matters, I am not an expert here.

This could be a valid bug, but a bug report would need to be reproducible, but you are operating in a complex enterprise environment with possibly proprietary or bespoke web applications.

Hopefully someone else can assist you, or you can possibly file a bug report if that is feasible. Best wishes in getting this sorted out!

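Added example (not part of the original thread): a simplified JavaScript model of CSP source matching, showing why `*` in the quoted policy does not cover `blob:` URLs and why a second policy delivered alongside it cannot relax the first. The `frame-src` directive, the origin and the blob URL are constructed for illustration, and host-source matching is omitted.

```javascript
// Simplified model of CSP source-list matching for URL loads (added example).
// Only "*", scheme-sources such as "blob:" and 'self' are modelled.
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// Policy quoted in the question; the origin and blob URL below are constructed.
const LB_POLICY =
  "default-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; img-src * data:; object-src *";
const FIXED_POLICY = LB_POLICY.replace("default-src *", "default-src * blob:");
const ORIGIN = "https://app.example";
const BLOB_URL = "blob:https://app.example/00000000-0000-0000-0000-000000000000";

// Parse a policy string into Map(directive -> [sources]); a repeated directive is ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const scheme = url.slice(0, url.indexOf(":") + 1).toLowerCase();
  if (source === "*") return NETWORK_SCHEMES.has(scheme); // never blob:, data:, filesystem:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === scheme;
  if (source === "'self'") return url.startsWith(pageOrigin + "/");
  return false; // 'unsafe-inline', 'unsafe-eval' and similar keywords never match a URL
}

// An absent fetch directive falls back to default-src; no default-src means no restriction.
function policyAllows(policy, directive, url, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// When several policies reach the browser, a load must pass every one of them.
function allPoliciesAllow(policies, directive, url, pageOrigin) {
  return policies.every((p) => policyAllows(p, directive, url, pageOrigin));
}

console.log("LB policy allows blob:", policyAllows(LB_POLICY, "frame-src", BLOB_URL, ORIGIN));
console.log("with blob: added:", policyAllows(FIXED_POLICY, "frame-src", BLOB_URL, ORIGIN));
```

Because every delivered policy is enforced, the header has to be changed where the restrictive policy is set; adding `blob:` to the one directive the export actually uses is narrower than adding it to `default-src`.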