tobean Posted November 6, 2020 Report Share Posted November 6, 2020 Hi, I have installed Revive in a subdirectory of my domain and it runs without problems since years. Now I installed some Content Security Policy rules in the .htaccess file for more security. After doing that the maximum number of the impressions of a campaign is 10. Higher numbers cannot be stored and will be corrected to 10. The priority level is also 10. If I reduce the priority level to a lower number, e.g. 1 the campaign can have only 1 impression. If I disable the Content Security Policy rule a campaign can have any number of impressions I put in. Has anyone an idea which additional CSP rules I need? Here is the relevant part of my rule: Header set Content-Security-Policy "default-src 'self' ; style-src 'self' 'unsafe-inline' ; script-src 'self' 'unsafe-inline' ; img-src 'self'' ;" Thanks for all ideas tobean Quote Link to comment Share on other sites More sharing options...
tobean Posted November 8, 2020 Author Report Share Posted November 8, 2020 Hi, here a some more detailed information from the browser console (Filefox). Page: adserver/www/admin/campaign-edit.php Error messages: Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). min.php:409:23 Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). xajax.js:91:142 Uncaught EvalError: call to eval() blocked by CSP (about 20 more messages independant from content security policy declarations) I hope this information will help to fix the problem. toeban Quote Link to comment Share on other sites More sharing options...
egranty Posted December 21, 2020 Report Share Posted December 21, 2020 The message: "Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). xajax.js" means that scripts xajax.js and min.php use eval-expressions. Some locks of eval expressions could be fixed if you have control over scripts. But following message: "Uncaught EvalError: call to eval() blocked by CSP" leave no chances - the call of eval() function require to use 'unsafe-eval' token in the script-src directive. Therefore you need at least to have: script-src 'self' 'unsafe-inline' 'unsafe-eval'; in the policy Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.