
Content security policy error

Experimenter

I have deployed a mind app and I am facing the following error:

Content Security Policy directive: "script-src 'self' 'unsafe-inline' static.eu1.mindsphere.io".

 

 


Any help is appreciated!!

6 REPLIES

Re: Content security policy error

Valued Contributor

You should either

- host the external sources on your own (so that they are loaded from static.mindsphere.io), or

- add the URLs to the CSP header in Developer Cockpit. For changing the CSP header you have to unregister/change and register again.

Re: Content security policy error

Experimenter

Is this the right way to add URLs explicitly?

 

Before adding my scripts and css : 

default-src 'self' static.eu1.mindsphere.io; style-src * 'unsafe-inline'; script-src 'self' 'unsafe-inline' static.eu1.mindsphere.io; img-src * data:;

 

After adding my scripts and css : 

default-src 'self' static.eu1.mindsphere.io; script-src-elem 'https://code.jquery.com/jquery-3.3.1.slim.min.js https://stackpath.bootstrapcdn.com/bootstrap/4.2.1/css/bootstrap.min.css https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.6/umd/popper.min.js https://stackpath.bootstrapcdn.com/bootstrap/4.2.1/js/bootstrap.min.js';  style-src * 'unsafe-inline'; img-src * data:;

Re: Content security policy error

Experimenter

I found the correct way of adding external urls:

We only need to add the domain names and not the entire URL. (Make note)

Step 1: First add in default-src. Add a space after static.eu1.mindsphere.io and start adding the domain names which are giving the error.

Step 2: Then add in script-src. Add a space after static.eu1.mindsphere.io and start adding the domain names which are giving the error.

 

default-src 'self' static.eu1.mindsphere.io code.jquery.com maxcdn.bootstrapcdn.com cdnjs.cloudflare.com stackpath.bootstrapcdn.com; style-src * 'unsafe-inline'; script-src 'self' 'unsafe-inline' static.eu1.mindsphere.io code.jquery.com maxcdn.bootstrapcdn.com cdnjs.cloudflare.com stackpath.bootstrapcdn.com; img-src * data:;
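The difference between the policy attempted earlier in the thread and the working one above, as an added example that is not part of the original posts: a simplified CSP source-list matcher showing that a quoted URL is never treated as a host, and that once `script-src` is present it (not `default-src`) decides script loads. `SELF`, the function names and the shortened `ATTEMPT` policy are constructed for illustration.

```javascript
// Added example: simplified CSP source-list matching ('self', '*', host-sources only).
// Assumption: the app is served over HTTPS, so a scheme-less host matches https: URLs only.
const FALLBACK = {
  script: ['script-src-elem', 'script-src', 'default-src'],
  style: ['style-src-elem', 'style-src', 'default-src'],
};

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Name of the directive that decides a fetch of the given kind, or null if unrestricted.
function governingDirective(directives, kind) {
  return FALLBACK[kind].find((d) => directives.has(d)) || null;
}

function sourceAllows(source, url, selfOrigin) {
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // quoted tokens are keywords, never hosts or URLs
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::\d+)?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme = 'https', host, path] = m; // port is ignored in this simplified matcher
  if (scheme.toLowerCase() + ':' !== url.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : h === url.hostname;
  if (!hostOk || !path) return hostOk;
  // A path ending in "/" is a prefix; any other path must match exactly.
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

function isAllowed(policy, kind, resourceUrl, selfOrigin) {
  const directives = parsePolicy(policy);
  const name = governingDirective(directives, kind);
  if (name === null) return true;
  const url = new URL(resourceUrl);
  return directives.get(name).some((s) => sourceAllows(s, url, selfOrigin));
}

// Policies from the thread (ATTEMPT shortened to two URLs); SELF is a constructed origin.
const SELF = 'https://app.example';
const ATTEMPT = "default-src 'self' static.eu1.mindsphere.io; script-src-elem 'https://code.jquery.com/jquery-3.3.1.slim.min.js https://stackpath.bootstrapcdn.com/bootstrap/4.2.1/js/bootstrap.min.js'; style-src * 'unsafe-inline'; img-src * data:;";
const WORKING = "default-src 'self' static.eu1.mindsphere.io code.jquery.com maxcdn.bootstrapcdn.com cdnjs.cloudflare.com stackpath.bootstrapcdn.com; style-src * 'unsafe-inline'; script-src 'self' 'unsafe-inline' static.eu1.mindsphere.io code.jquery.com maxcdn.bootstrapcdn.com cdnjs.cloudflare.com stackpath.bootstrapcdn.com; img-src * data:;";
```

Calling `isAllowed(WORKING, 'script', url, SELF)` for each external script an app loads gives a quick check of a policy string before registering it.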

Re: Content security policy error

Valued Contributor

@ashmore great that I could help and you could modify your CSP snippet correctly!

 

For other interested readers:

Here is also more general information:

https://developer.mindsphere.io/concepts/concept-csp.html

 

General hint: If your application is not loading correctly during development, have a look in the browser's console and check for 'csp' errors like in the initial post.

 

Re: Content security policy error

Valued Contributor
@ashmore: Small hint: you are adding Bootstrap in two versions. I think you can reduce that to the latest version. Furthermore, you could work with * to make it more generic.

Other solution: I would recommend downloading the files which you need and hosting them on your own. Then you also have no dependency on other external servers.

Re: Content security policy error

Experimenter

Yeah!! Thanks for pointing out the 2 versions of Bootstrap. I will definitely reduce to the latest one.

And I will also try to download the files and host them instead of depending on URLs.

 

 

Thanks @gabe  for your help!!!