Generator-jhipster: Jhipster doesn't open file uploaded

Created on 15 Aug 2019 · 9 Comments · Source: jhipster/generator-jhipster

Overview of the issue

I have an entity with a blob field generated by JHipster. In the entity form I can upload a file and the form is submitted normally.

The problem occurs when I try to open the file in the view page or main page of the entity.

The Browser opens this tab

https://imgur.com/a/tXjqweT

and prints the following message on the console

Refused to frame '' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

Motivation for or Use Case

Because it doesn't show the file uploaded

Reproduce the error

After registering an entity object I can't open the file field uploaded in the view page or main entity page

Related issues

No

Suggest a Fix

I commented out this part in SecurityConfiguration.java and now it works

```java
.contentSecurityPolicy("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:")
.and()
    .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
.and()
    .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none'")
.and()
```

https://stackoverflow.com/a/57505766/5360385

JHipster Version(s)

6.1.2

JHipster configuration

`-- [email protected]


JHipster configuration, a .yo-rc.json file generated in the root folder

.yo-rc.json file

```json
{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "br.com.renan",
      "nativeLanguage": "pt-br"
    },
    "jhipsterVersion": "6.1.2",
    "applicationType": "monolith",
    "baseName": "RenanTest",
    "packageName": "br.com.renan",
    "packageFolder": "br/com/renan",
    "serverPort": "8080",
    "authenticationType": "jwt",
    "cacheProvider": "ehcache",
    "enableHibernateCache": false,
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "h2Memory",
    "prodDatabaseType": "postgresql",
    "searchEngine": false,
    "messageBroker": false,
    "serviceDiscoveryType": "eureka",
    "buildTool": "maven",
    "enableSwaggerCodegen": false,
    "jwtSecretKey": "bXktc2VjcmV0LXRva2VuLXRvLWNoYW7nZS1pai1wcm9kdWN0aW9uLWFuZC10by1rZWVwLWluLWEtc2VjdXJlLXBsYWNl",
    "useSass": true,
    "clientPackageManager": "npm",
    "clientFramework": "angularX",
    "clientTheme": "yeti",
    "clientThemeVariant": "primary",
    "testFrameworks": [],
    "jhiPrefix": "jhi",
    "entitySuffix": "",
    "dtoSuffix": "DTO",
    "otherModules": [],
    "enableTranslation": true,
    "nativeLanguage": "pt-br",
    "languages": ["pt-br"]
  }
}
```

Environment and Tools

java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)

git version 2.10.1.windows.1

node: v10.16.0

npm: 6.9

Browsers and Operating System

Windows Server 2012 R2


All 9 comments

@renantins : This is intentionally done in order to improve security headers; I believe you could adjust your security headers to allow an exception to the frame that you are trying to add; for more information refer to the original issue; https://github.com/jhipster/generator-jhipster/issues/9549

Also you'd find some information here; https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot#5-use-a-content-security-policy-to-prevent-xss-attacks

@SudharakaP Here the point is that JHipster generates a CSP configuration that breaks a JHipster feature: BLOB entity fields. So I think that something should be done to make this feature to work out of the box as it was in the past. I fully agree with @atomfrede in https://github.com/jhipster/generator-jhipster/issues/9549#issuecomment-521717324

@gmarziou : Ah, I misunderstood. Sorry about that. I can work on this if you guys like? I don't have a solution off the top of my head but could look into it. 😄

For reference you can have look at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

But while trying to reproduce I found that the current master seems to be broken when using a blob field as there are wrong imports in the angular files. I will open a ticket for that.

@atomfrede : Thanks for the link. Recreated the issue on my end. Working on a fix 😄 .

adding data: to the default-src fixes it. Not sure if there is a better csp source to add that.

@atomfrede : Yes, but I think better to add data: to the frame-src as it's more specific rather than the default-src ?

frame-src seems not to work (at least in firefox). Both frame-src and child-src are unknown to firefox as it seems.

EDIT: Sorry, seems I had a typo somewhere. frame-src seems to work too.
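Worked example (added here; not code from the issue, from JHipster or from the PR): a small evaluator of the CSP fallback rule the console error names (frame-src absent, so default-src decides), run over the policy quoted above. It contrasts the two fixes discussed in the thread: putting `data:` on default-src, which also opens connect-src and object-src to data: URLs, against putting it on frame-src only. The page origin `https://app.example` and `BLOB_URL` are constructed stand-ins for the app and the framed upload.

```python
from urllib.parse import urlsplit
# CSP3 fallback chains, nearest first, ending at default-src (the behaviour the console error names).
FALLBACK = {"frame-src": ["child-src", "default-src"], "child-src": ["default-src"]}
for _d in ("script-src", "style-src", "img-src", "font-src", "connect-src", "object-src"):
    FALLBACK[_d] = ["default-src"]

def parse_csp(header):
    """'default-src 'self'; img-src 'self' data:' -> {'default-src': ["'self'"], 'img-src': [...]}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Return (directive the browser actually consults, its sources) following the fallback chain."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return name, policy[name]
    return None, None  # nothing applies, so the load is allowed

def source_matches(source, url, page_origin):
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):  # 'none', 'unsafe-inline', nonces and hashes never match a URL
        return False
    if source.endswith(":"):  # scheme-source such as data:
        return u.scheme == source[:-1]
    return u.netloc == source.split("://")[-1]  # host-source such as https://fonts.gstatic.com

def is_allowed(header, directive, url, page_origin="https://app.example"):
    used, sources = effective_sources(parse_csp(header), directive)
    return True if used is None else any(source_matches(s, url, page_origin) for s in sources)

# Policy generated by JHipster 6.1.2 as quoted in the issue; BLOB_URL is a constructed stand-in for the upload.
JHIPSTER_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
                "https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com "
                "'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:")
BLOB_URL = "data:application/pdf;base64,JVBERi0xLjQK"

def compare_fixes():
    """Original policy vs. data: added to default-src (broad) vs. to frame-src only (narrow)."""
    broad = JHIPSTER_CSP.replace("default-src 'self'", "default-src 'self' data:")
    narrow = JHIPSTER_CSP + "; frame-src 'self' data:"
    checks = ("frame-src", "connect-src", "object-src")  # the latter two also fall back to default-src
    return {name: {d: is_allowed(csp, d, BLOB_URL) for d in checks} for name, csp in
            (("original", JHIPSTER_CSP), ("default-src+data", broad), ("frame-src+data", narrow))}
```

`compare_fixes()` shows the original policy refusing the data: frame, the default-src variant allowing it but also widening connect-src and object-src, and the frame-src variant allowing only the frame.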

@atomfrede : No worries; thanks for the help; just created a pull request for this. Feel free to let me know if you see any issues. 😄
