Uploaded image for project: 'Tools (JBoss Tools)'
  1. Tools (JBoss Tools)
  2. JBIDE-20771

Livereload not working with projects hosted on local Server with Content Security Policy (CSP) enabled

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • 4.29.x
    • 4.3.0.CR1
    • livereload
    • None
    • Workaround Exists
    • Hide

      There are two workarounds:
      1) remove meta tag with CSP rules
      2) add localhost:* to allowed addresses

      Show
      There are two workarounds: 1) remove meta tag with CSP rules 2) add localhost: * to allowed addresses

    Description

      This problem might be treated as an edge case from the first glance, but actually it might have a sufficient impact on Livereload in the short run. CSP is sort of security policy which complements CORS. However, Content Security Policy and CORS are two separate things. CORS is the web service declaring which apps are authorized to call the service.
      Content Security Policy is kind of the opposite: it's the app that declares which services can be called.
      Basically, Content Security Policy is supported by new versions on major browsers in order to prevent Cross-site scripting (XSS) attacks. However, this policy restricts the usage of LiveReload to the certain extend.

      Steps to reproduce:
      1) Create default jboss-as-kitchensink-html5-mobile
      2) Add CSP meta tag

      <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js">
      

      ^ allow to use jquery (other stuff is hosted locally)
      3) In Preferences (General -> Web Browser) add newest version of chrome and set as default
      4) Run the project on the Local Server (Tomcat)
      5) In the Server View right-click on the hosted project -> Show In -> Web Browser via LiveReload
      6) Edit and save index.html
      7) ERROR: Livereload is broken - CSP has prevented livereload.js injection

      N.B. LiveReload will work with the file protocol (right click on index.html -> Open With -> Web Browser with LiveReload) even with CSP enabled, cause in this case livereload.js is hosted on the same port (35729 by default) as the whole project

      Attachments

        Issue Links

          Activity

            People

              ibuziuk@redhat.com Ilya Buziuk
              ibuziuk@redhat.com Ilya Buziuk
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated: