[jbosstools-issues] [JBoss JIRA] (JBIDE-20771) Livereload not working with projects hosted on local Server with Content Security Policy (CSP) enabled

Jeff MAURY (JIRA) issues at jboss.org
Wed Apr 18 12:13:14 EDT 2018


     [ https://issues.jboss.org/browse/JBIDE-20771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff MAURY updated JBIDE-20771:
-------------------------------
    Fix Version/s: 4.6.x
                       (was: 4.5.x)


> Livereload not working with projects hosted on local Server with Content Security Policy (CSP) enabled
> ------------------------------------------------------------------------------------------------------
>
>                 Key: JBIDE-20771
>                 URL: https://issues.jboss.org/browse/JBIDE-20771
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: livereload
>    Affects Versions: 4.3.0.CR1
>            Reporter: Ilya Buziuk
>            Assignee: Ilya Buziuk
>             Fix For: 4.6.x
>
>         Attachments: csp.png
>
>
> This problem might be treated as an edge case at first glance, but actually it might have a sufficient impact on Livereload in the short run. *CSP* is a sort of security policy which complements *CORS*. However, Content Security Policy and CORS are two separate things. CORS is the web service declaring which apps are authorized to call the service.
> Content Security Policy is kind of the opposite: it's the app that declares which services can be called.
> Basically, [Content Security Policy|http://www.html5rocks.com/en/tutorials/security/content-security-policy/] is supported by new versions of major browsers in order to prevent Cross-site scripting (XSS) attacks. However, this policy restricts the usage of LiveReload to a certain extent.
> Steps to reproduce:
> 1) Create default *jboss-as-kitchensink-html5-mobile* 
> 2) Add CSP meta tag
> {code}
> <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js">
> {code}
> ^ allows jQuery to be used (other stuff is hosted locally)
> 3) In Preferences (General -> Web Browser) add the newest version of Chrome and set it as default
> 4) Run the project on the Local Server (Tomcat)
> 5) In the Server View right-click on the hosted project -> Show In -> Web Browser via LiveReload 
> 6) Edit and save index.html
> 7) ERROR: Livereload is broken - CSP has prevented *livereload.js* injection
> !csp.png!
> N.B. LiveReload will work with the file protocol (right click on index.html -> *Open With* -> *Web Browser with LiveReload*) even with CSP enabled, because in this case livereload.js is hosted on the same port (35729 by default) as the whole project
>  



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
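The issue boils down to CSP source matching: `'self'` covers only the page's own origin (scheme, host and port), so a client script injected from the LiveReload port is a different origin and is not covered by the quoted policy. The following is an added example, not code from the JIRA issue or from JBoss Tools: a simplified CSP source-expression matcher (no nonces, hashes, `'strict-dynamic'` or the `script-src-elem` fallback chain) run against the policy quoted in the issue. The app origin `http://localhost:8080`, the page path and the LiveReload URL are constructed for illustration; port 35729 is the default named in the issue, and the "fixed" policy that lists `localhost:35729` in `script-src` is an assumed narrow allow-listing, not a fix the issue describes.

```javascript
// Added example (not from JBIDE-20771 or JBoss Tools): simplified CSP source
// matching that explains why the issue's policy blocks livereload.js.

// Policy from the issue, verbatim.
const ISSUE_POLICY =
  "default-src *; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' " +
  "ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js";

// Assumed narrow fix: allow-list the LiveReload origin instead of widening script-src.
const FIXED_POLICY =
  "default-src *; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' localhost:35729 'unsafe-inline' 'unsafe-eval' " +
  "ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js";

// Constructed scenario: app on local Tomcat, LiveReload client on port 35729.
const PAGE = "http://localhost:8080/jboss-as-kitchensink-html5-mobile/index.html";
const LIVERELOAD_JS = "http://localhost:35729/livereload.js";

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse "name src src; name src" into a Map of directive name -> source list.
// A repeated directive is ignored (first occurrence wins), as the spec requires.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// An absent fetch directive falls back to default-src; with neither present
// the load is unrestricted (null).
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  return directives.get("default-src") ?? null;
}

// Match one source expression against a resource URL loaded by `page`.
// Keyword sources other than 'self' never match a URL; host sources have the
// shape [scheme://]host[:port][/path].
function sourceMatches(expr, url, page) {
  if (expr === "*") return true;
  if (expr === "'self'") return url.origin === page.origin;
  if (expr.startsWith("'")) return false;
  // Scheme source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/*]+)(?::(\*|\d+))?(\/\S*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: an explicit scheme must match; otherwise the page's scheme or an
  // upgrade to https is accepted.
  const schemeOk = scheme
    ? url.protocol === scheme.toLowerCase() + ":"
    : url.protocol === page.protocol || url.protocol === "https:";
  if (!schemeOk) return false;

  // Host: "*" matches any host, "*.example.com" matches subdomains, else exact.
  const h = url.hostname.toLowerCase();
  if (host !== "*") {
    if (host.startsWith("*.")) {
      if (!h.endsWith(host.slice(1).toLowerCase())) return false;
    } else if (h !== host.toLowerCase()) {
      return false;
    }
  }

  // Port: URL.port is "" when the scheme's default port is in use. An expression
  // without a port only matches the default port, which is why neither 'self'
  // (port 8080) nor a bare host name covers localhost:35729.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port === undefined) {
    if (url.port !== "") return false;
  } else if (port !== "*" && port !== urlPort) {
    return false;
  }

  // Path: a trailing slash means prefix match, otherwise the path must be exact.
  if (path) {
    const p = decodeURIComponent(url.pathname);
    if (path.endsWith("/") ? !p.startsWith(path) : p !== path) return false;
  }
  return true;
}

// Would the browser allow `resourceUrl` under `directive` for a page at `pageUrl`?
function isAllowed(policyText, directive, resourceUrl, pageUrl) {
  const url = new URL(resourceUrl);
  const page = new URL(pageUrl);
  const sources = effectiveSources(parsePolicy(policyText), directive);
  if (sources === null) return true;
  return sources.some((expr) => sourceMatches(expr, url, page));
}

// The reproduction from the issue, evaluated against both policies.
function checkScenario() {
  return {
    appScript: isAllowed(ISSUE_POLICY, "script-src", "http://localhost:8080/js/app.js", PAGE),
    jquery191: isAllowed(ISSUE_POLICY, "script-src", "http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js", PAGE),
    jqueryOther: isAllowed(ISSUE_POLICY, "script-src", "http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.js", PAGE),
    livereloadBlocked: !isAllowed(ISSUE_POLICY, "script-src", LIVERELOAD_JS, PAGE),
    livereloadAfterFix: isAllowed(FIXED_POLICY, "script-src", LIVERELOAD_JS, PAGE),
    imageAnywhere: isAllowed(ISSUE_POLICY, "img-src", "http://cdn.example/logo.png", PAGE),
  };
}

console.log(checkScenario());
```

The matcher makes the two practical points visible: `default-src *` leaves images and other fetches wide open while `script-src` is tight, and the blocked injection is a port mismatch, not a host mismatch, so the least-privilege remedy is to allow-list the LiveReload origin (scheme, host and port) in `script-src` rather than adding `*` to it.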

