Posted

Hi,

I have installed Revive in a subdirectory of my domain and it has been running without problems for years.

Now I installed some Content Security Policy rules in the .htaccess file for more security. After doing that, the maximum number of impressions of a campaign is 10. Higher numbers cannot be stored and will be corrected to 10. The priority level is also 10. If I reduce the priority level to a lower number, e.g. 1, the campaign can have only 1 impression.

If I disable the Content Security Policy rule a campaign can have any number of impressions I put in.

Has anyone an idea which additional CSP rules I need?

Here is the relevant part of my rule:

Header set Content-Security-Policy "default-src 'self' ; style-src 'self' 'unsafe-inline' ; script-src 'self' 'unsafe-inline' ; img-src 'self' ;"

Thanks for all ideas

tobean

 

 

Posted

Hi,

Here is some more detailed information from the browser console (Firefox).

 

Page: adserver/www/admin/campaign-edit.php

Error messages:

Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). min.php:409:23
Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). xajax.js:91:142

Uncaught EvalError: call to eval() blocked by CSP (about 20 more messages independent of the content security policy declarations)

 

I hope this information will help to fix the problem.

toeban

 

  • 1 month later...
Posted

The message: "Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). xajax.js" means that the scripts xajax.js and min.php use eval expressions. Some locks of eval expressions could be fixed if you have control over the scripts.

But the following message: "Uncaught EvalError: call to eval() blocked by CSP" leaves no chance - the call of the eval() function requires using the 'unsafe-eval' token in the script-src directive.

Therefore you need to have at least: script-src 'self' 'unsafe-inline' 'unsafe-eval'; in the policy.
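
The check discussed in this thread, as an added example that is not part of the original posts or of Revive's code: a small Node.js audit helper that parses a Content-Security-Policy value and reports which directive governs eval() and whether it is allowed. The function names `parseCsp` and `evalStatus` are hypothetical, and the two policy strings are constructed from the ones quoted above.

```javascript
// Added example: decide whether a CSP header value lets eval() run.
// Directives are ';'-separated, the first occurrence of a directive
// name wins, and names and keywords are matched case-insensitively.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. trailing ';'
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval() is governed by script-src, falling back to default-src.
// With neither directive present, the policy does not restrict eval().
function evalStatus(headerValue) {
  const directives = parseCsp(headerValue);
  const governing = ['script-src', 'default-src'].find((d) => directives.has(d));
  if (!governing) return { governing: null, allowed: true };
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  return { governing, allowed: sources.includes("'unsafe-eval'") };
}

// Constructed inputs modelled on the policies quoted in the thread.
const questionPolicy =
  "default-src 'self' ; style-src 'self' 'unsafe-inline' ; " +
  "script-src 'self' 'unsafe-inline' ; img-src 'self' ;";
const answerPolicy =
  "default-src 'self' ; style-src 'self' 'unsafe-inline' ; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' ; img-src 'self' ;";

for (const [label, policy] of [['question', questionPolicy], ['answer', answerPolicy]]) {
  const { governing, allowed } = evalStatus(policy);
  console.log(`${label}: eval() ${allowed ? 'allowed' : 'blocked'} by ${governing}`);
}
```

Running the same check against the policy served for the admin pages and the one served elsewhere shows where 'unsafe-eval' is actually in effect.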
