[jbosstools-issues] [JBoss JIRA] (JBIDE-20771) Livereload not working with projects hosted on local Server with Content Security Policy (CSP) enabled

Ilya Buziuk (JIRA) issues at jboss.org
Wed Sep 23 08:11:00 EDT 2015


     [ https://issues.jboss.org/browse/JBIDE-20771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ilya Buziuk updated JBIDE-20771:
--------------------------------
    Description: 
This problem might be treated as an edge case at first glance, but actually it might have a sufficient impact on LiveReload in the short run. *CSP* is a sort of security policy which complements *CORS*. However, Content Security Policy and CORS are two separate things. CORS is the web service declaring which apps are authorized to call the service.
Content Security Policy is kind of the opposite: it's the app that declares which services can be called.
Basically, [Content Security Policy|http://www.html5rocks.com/en/tutorials/security/content-security-policy/] is supported by new versions of major browsers in order to prevent Cross-site scripting (XSS) attacks. However, this policy restricts the usage of LiveReload to a certain extent.

Steps to reproduce:
1) Create the default *jboss-as-kitchensink-html5-mobile* project
2) Add the CSP meta tag
{code}
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js">
{code}
^ allows using jQuery (other stuff is hosted locally)
3) In Preferences (General -> Web Browser) add the newest version of Chrome and set it as default
4) Run the project on the Local Server (Tomcat)
5) In the Server View right-click on the hosted project -> Show In -> Web Browser via LiveReload
6) Edit and save index.html
7) ERROR: LiveReload is broken - CSP has prevented *livereload.js* injection
 

  was:
This problem might be treated as an edge case at first glance, but actually it might have a sufficient impact on LiveReload in the short run.
Basically, [Content Security Policy|http://www.html5rocks.com/en/tutorials/security/content-security-policy/] is supported by new versions of major browsers in order to prevent Cross-site scripting (XSS) attacks.
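The failure in the reproduction steps above comes from how CSP source lists are matched: the `script-src` directive overrides `default-src *` for scripts, and the injected `livereload.js` is served from an origin (different port) that `'self'` does not cover. The following is an added example, not code from the JIRA issue or from JBoss Tools: a small `script-src` matcher modelled on CSP Level 2 source-list matching, run against the issue's own policy string. The application origin (`http://localhost:8080`), the LiveReload script URL (`http://localhost:35729/livereload.js`) and the fixed policy that appends `localhost:35729` to `script-src` are assumptions made for illustration.

```javascript
// Added example (not code from the JIRA issue or JBoss Tools): a minimal CSP
// "script-src" matcher modelled on CSP Level 2 source-list matching, used to
// show which script URLs the issue's policy admits and why livereload.js is
// blocked. PAGE_URL and LIVERELOAD_URL are assumptions for illustration; the
// policy string is the one from the issue.

const ISSUE_POLICY =
  "default-src *; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' " +
  "ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js";

// Assumed fix: the LiveReload origin appended to script-src (the last directive).
const FIXED_POLICY = ISSUE_POLICY + " localhost:35729";

const PAGE_URL = "http://localhost:8080/jboss-as-kitchensink-html5-mobile/index.html"; // assumed
const LIVERELOAD_URL = "http://localhost:35729/livereload.js";                          // assumed

// "default-src *; script-src 'self' ..." -> { "default-src": ["*"], "script-src": [...] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" }[protocol] || "";
}

function effectivePort(url) {
  return url.port || defaultPort(url.protocol);
}

// Does one source expression admit this script URL, given the page's URL?
function sourceMatches(expr, url, page) {
  if (expr === "'self'") return url.origin === page.origin;
  // 'none', 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL.
  if (expr.startsWith("'")) return false;
  if (expr === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol);
  // Scheme-only source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  // Host source: [scheme://]host[:port][/path]
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (url.protocol !== page.protocol && url.protocol !== "https:") {
    return false; // no scheme given: the page's scheme (or https) is implied
  }
  const hostOk = host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1)) // "*.example.com" matches "a.example.com"
    : url.hostname === host.toLowerCase();
  if (!hostOk) return false;
  if (port === "*") {
    // any port is accepted
  } else if (port) {
    if (effectivePort(url) !== port) return false;
  } else if (effectivePort(url) !== defaultPort(url.protocol)) {
    return false; // no port given: only the scheme's default port matches
  }
  if (path) {
    // A path ending in "/" is a prefix match; otherwise it must match exactly.
    return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  }
  return true;
}

// script-src governs scripts; default-src applies only when script-src is absent.
function scriptAllowed(policy, scriptUrl, pageUrl) {
  const directives = parsePolicy(policy);
  const list = directives["script-src"] || directives["default-src"];
  if (!list) return true; // no applicable directive: nothing is restricted
  const url = new URL(scriptUrl);
  const page = new URL(pageUrl);
  return list.some((expr) => sourceMatches(expr, url, page));
}

// Reproduces the issue: jQuery is admitted, the injected livereload.js is not,
// and adding the LiveReload origin to script-src admits it.
function report() {
  const jquery = "http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js";
  return {
    jqueryUnderIssuePolicy: scriptAllowed(ISSUE_POLICY, jquery, PAGE_URL),
    livereloadUnderIssuePolicy: scriptAllowed(ISSUE_POLICY, LIVERELOAD_URL, PAGE_URL),
    livereloadUnderFixedPolicy: scriptAllowed(FIXED_POLICY, LIVERELOAD_URL, PAGE_URL),
  };
}

console.log(report());
```

The matcher deliberately ignores `'unsafe-inline'` when checking a `src` URL: that keyword only governs inline script blocks, so it cannot rescue an externally loaded `livereload.js`. Note also that `default-src *` contributes nothing here, because the presence of `script-src` replaces it entirely for scripts; the only policy change that admits the injected script is listing its origin (or a matching `*` entry) in `script-src` itself.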



> Livereload not working with projects hosted on local Server with Content Security Policy (CSP) enabled
> ------------------------------------------------------------------------------------------------------
>
>                 Key: JBIDE-20771
>                 URL: https://issues.jboss.org/browse/JBIDE-20771
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: livereload
>    Affects Versions: 4.3.0.CR1
>            Reporter: Ilya Buziuk
>            Assignee: Ilya Buziuk
>             Fix For: 4.3.1.Final
>
>



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
