tobean Posted November 6, 2020
Hi, I have installed Revive in a subdirectory of my domain and it has run without problems for years. Now I have installed some Content Security Policy rules in the .htaccess file for more security. After doing that, the maximum number of impressions of a campaign is 10. Higher numbers cannot be stored and are corrected to 10. The priority level is also 10. If I reduce the priority level to a lower number, e.g. 1, the campaign can have only 1 impression. If I disable the Content Security Policy rule, a campaign can have any number of impressions I put in. Does anyone have an idea which additional CSP rules I need? Here is the relevant part of my rule:

Header set Content-Security-Policy "default-src 'self' ; style-src 'self' 'unsafe-inline' ; script-src 'self' 'unsafe-inline' ; img-src 'self' ;"

Thanks for all ideas
tobean
tobean Posted November 8, 2020
Hi, here is some more detailed information from the browser console (Firefox).
Page: adserver/www/admin/campaign-edit.php
Error messages:
Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). min.php:409:23
Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). xajax.js:91:142
Uncaught EvalError: call to eval() blocked by CSP
(about 20 more messages independent of Content Security Policy declarations)
I hope this information will help to fix the problem.
tobean
egranty Posted December 21, 2020
The message
Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). xajax.js
means that the scripts xajax.js and min.php use eval expressions. Some blocked eval expressions could be fixed if you have control over the scripts. But the following message
Uncaught EvalError: call to eval() blocked by CSP
leaves no chance: the call to the eval() function requires the 'unsafe-eval' token in the script-src directive. Therefore you need at least to have
script-src 'self' 'unsafe-inline' 'unsafe-eval';
in the policy.
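The following is an added example, not code from this thread or from the Revive Adserver project, showing how to apply egranty's fix without loosening the policy for the whole domain: the strict header stays in the document-root .htaccess, and a second .htaccess in Revive's admin directory overrides it with the 'unsafe-eval' token that xajax.js and min.php need. The admin path is taken from the console errors above (adserver/www/admin/); that Apache allows Header directives in .htaccess for that directory (AllowOverride FileInfo) and the Report-Only staging step are assumptions.

```apache
# --- /.htaccess (document root): site-wide policy, unchanged apart from the
# doubled quote in the original img-src value.
# Fallback semantics: script-src, style-src and img-src fall back to
# default-src only when they are absent, so 'unsafe-eval' has to be written
# into script-src itself; putting it in default-src would change nothing here.
<IfModule mod_headers.c>
    # "always" also stamps the header on 3xx/4xx/5xx responses (for example
    # the redirect to the login page); a plain "Header set" covers only 2xx.
    Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self'"
</IfModule>

# --- /adserver/www/admin/.htaccess (assumed path, from the console errors):
# mod_headers merges per-directory Header directives with the parent's and
# runs them in order, so this "set" replaces the site-wide value for the
# admin UI only. Pages outside this directory keep the strict policy.
<IfModule mod_headers.c>
    # Optional staging step: use this Report-Only line in place of the
    # enforced one first, and watch the browser console for violations that
    # the relaxed policy would still produce before enforcing it.
    # Header always set Content-Security-Policy-Report-Only "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'"

    # Enforced policy for the admin UI: identical to the site-wide one plus
    # 'unsafe-eval' in script-src, the token the EvalError message asks for.
    Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'"
</IfModule>
```

To confirm the override lands only where intended, request a page under the admin directory and one outside it with a client that shows response headers (for example `curl -sI` against the campaign-edit.php URL on your host, then grep for `content-security-policy`); only the admin response should contain 'unsafe-eval'. Keep in mind that a script-src carrying both 'unsafe-inline' and 'unsafe-eval' restricts little more than the script origin, which is why the relaxation is confined to the login-protected admin directory rather than applied site-wide.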