Jeff MAURY updated JBIDE-20771:
-------------------------------
Fix Version/s: 4.5.0.AM1 (was: 4.4.x)
Livereload not working with projects hosted on local Server with Content Security Policy (CSP) enabled
------------------------------------------------------------------------------------------------------
Key: JBIDE-20771
URL: https://issues.jboss.org/browse/JBIDE-20771
Project: Tools (JBoss Tools)
Issue Type: Bug
Components: livereload
Affects Versions: 4.3.0.CR1
Reporter: Ilya Buziuk
Assignee: Ilya Buziuk
Fix For: 4.5.0.AM1
Attachments: csp.png
This problem might be treated as an edge case at first glance, but actually it
might have a sufficient impact on Livereload in the short run. *CSP* is a sort of security
policy which complements *CORS*. However, Content Security Policy and CORS are two
separate things. CORS is the web service declaring which apps are authorized to call the
service.
Content Security Policy is kind of the opposite: it's the app that declares which
services can be called.
Basically, [Content Security
Policy|http://www.html5rocks.com/en/tutorials/security/content-security-p...] is
supported by new versions of major browsers in order to prevent Cross-site scripting (XSS)
attacks. However, this policy restricts the usage of LiveReload to a certain extent.
Steps to reproduce:
1) Create default *jboss-as-kitchensink-html5-mobile*
2) Add CSP meta tag
{code}
<meta http-equiv="Content-Security-Policy" content="default-src *;
style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js">
{code}
^ allows the use of jQuery (other stuff is hosted locally)
3) In Preferences (General -> Web Browser) add the newest version of Chrome and set it as default
4) Run the project on the Local Server (Tomcat)
5) In the Server View right-click on the hosted project -> Show In -> Web Browser via LiveReload
6) Edit and save index.html
7) ERROR: Livereload is broken - CSP has prevented *livereload.js* injection
!csp.png!
N.B. LiveReload will work with the file protocol (right-click on index.html -> *Open
With* -> *Web Browser with LiveReload*) even with CSP enabled, because in this case
livereload.js is hosted on the same port (35729 by default) as the whole project
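To make the mechanism behind steps 2 and 7 (and the N.B. about the same-port case) concrete, here is an added example, not JBoss Tools or LiveReload code: a minimal evaluator for CSP source expressions that checks which script URLs the quoted policy permits. It assumes the app page is served by the local Tomcat at http://localhost:8080 and that the injected script is http://localhost:35729/livereload.js (35729 is the default port mentioned above); both URLs are assumptions, as is the "fixed" policy that appends localhost:35729 to script-src. Only host-source, scheme-source, 'self', '*' and 'none' are implemented; nonces and hashes are out of scope.

```python
"""Minimal evaluator for Content-Security-Policy script-src source expressions.
Added example (not JBoss Tools / LiveReload code). Assumptions, all labelled:
the app page is served at http://localhost:8080 and the LiveReload server
injects http://localhost:35729/livereload.js (35729 = default port from the issue)."""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# The policy quoted in the issue's meta tag, joined onto one line.
ISSUE_POLICY = ("default-src *; style-src 'self' 'unsafe-inline'; "
                "script-src 'self' 'unsafe-inline' 'unsafe-eval' "
                "ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js")

# Assumed fix: additionally allow the LiveReload server as a script source.
FIXED_POLICY = ISSUE_POLICY + " localhost:35729"

PAGE_URL = "http://localhost:8080/index.html"           # assumption (Tomcat default port)
LIVERELOAD_JS = "http://localhost:35729/livereload.js"  # assumption (port from the issue)
JQUERY_JS = "https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js"


def parse_policy(header):
    """Split 'name src src; name src' into {directive: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _port(u):
    """Effective port of a parsed URL, falling back to the scheme default."""
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):           # *.example.com matches sub.example.com only
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(expr, page, url):
    """Does one source expression permit loading `url` from `page`? (both ParseResult)"""
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":                      # same scheme, host and port as the page
        return (page.scheme, page.hostname, _port(page)) == (url.scheme, url.hostname, _port(url))
    if e.startswith("'"):                  # 'unsafe-inline', 'unsafe-eval', nonces, hashes: never match a URL
        return False
    if e == "*":
        return url.scheme in DEFAULT_PORTS
    if e.endswith(":") and "/" not in e:   # scheme-source, e.g. "https:"
        return url.scheme == e[:-1]
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = (e.split("://", 1) if "://" in e else (None, e))
    rest, slash, path = rest.partition("/")
    host, _, port = rest.partition(":")
    if scheme is not None:
        if url.scheme != scheme:
            return False
    elif not (url.scheme == page.scheme or (page.scheme == "http" and url.scheme == "https")):
        return False                       # no scheme given: inherit the page scheme (http may load https)
    if not _host_matches(host, (url.hostname or "").lower()):
        return False
    if port == "":                         # no port given: only the scheme's default port matches
        if _port(url) != DEFAULT_PORTS.get(url.scheme):
            return False
    elif port != "*" and str(_port(url)) != port:
        return False
    if slash:                              # trailing '/' = prefix match, otherwise exact path match
        path = "/" + path
        if path.endswith("/"):
            return url.path.startswith(path)
        return url.path == path
    return True


def script_allowed(policy_header, page_url, script_url):
    """True if script-src (or default-src as its fallback) permits script_url on page_url."""
    directives = parse_policy(policy_header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True                        # no applicable directive: CSP imposes no restriction
    page, url = urlparse(page_url), urlparse(script_url)
    return any(source_allows(s, page, url) for s in sources)


if __name__ == "__main__":
    for label, policy in (("issue policy", ISSUE_POLICY), ("fixed policy", FIXED_POLICY)):
        print(label, "-> livereload.js allowed:", script_allowed(policy, PAGE_URL, LIVERELOAD_JS))
```

Running it shows why step 7 fails: with the issue's policy, 'self' covers only http://localhost:8080, the googleapis entry matches only the jQuery URL, and the permissive default-src * is never consulted because an explicit script-src is present, so the injected script on port 35729 is rejected. Listing the LiveReload origin in script-src (the assumed fix) makes it pass, and serving the page from the same port as livereload.js (the N.B. case, modelled here as a page at http://localhost:35729) makes 'self' match with the unchanged policy.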