Xenforo - Edit post > More Option/Full page doesn't render correctly with error

Oct 4, 2014 #1

rdan Well-Known Member

: 5,390

: 1,353

: 113

: May 25, 2014

Ratings:: +2,123

Local Time:: 10:56 PM

: Mainline

: 10.2

Only happens on certain post, not all.
Maybe once every 50 post.

Pagespeed is disable on that URI also.
Might be the static.conf conflicting?
@eva2000

Oct 4, 2014 #2

rdan Well-Known Member

: 5,390

: 1,353

: 113

: May 25, 2014

Ratings:: +2,123

Local Time:: 10:56 PM

: Mainline

: 10.2

Just tested and not related to ngx_pagespeed or static.conf :/

Oct 5, 2014 #3

eva2000 Administrator Staff Member

: 49,870

: 11,483

: 113

: May 24, 2014

: Brisbane, Australia

Ratings:: +17,835

Local Time:: 12:56 AM

: Nginx 1.21.x

: MariaDB 10.x

tried in non-chrome browser.. it's the content security policy in Chrome browser that blocks the resource similar to what @computer19852007 experienced at vBulletin - Help CSS in Vbulletin | Centmin Mod Community

might need to ask on Xenforo to see why it's triggering content security policy blocks in Chrome

Oct 5, 2014 #4

eva2000 Administrator Staff Member

: 49,870

: 11,483

: 113

: May 24, 2014

: Brisbane, Australia

Ratings:: +17,835

Local Time:: 12:56 AM

: Nginx 1.21.x

: MariaDB 10.x

Also try disabling inline editing in Xenforo and see

Oct 5, 2014 #5

rdan Well-Known Member

: 5,390

: 1,353

: 113

: May 25, 2014

Ratings:: +2,123

Local Time:: 10:56 PM

: Mainline

: 10.2

Yes I already read about that.
But still don't know why it happens is some post only.
Maybe trigger with some keyword.

Oct 5, 2014 #6

rdan Well-Known Member

: 5,390

: 1,353

: 113

: May 25, 2014

Ratings:: +2,123

Local Time:: 10:56 PM

: Mainline

: 10.2

eva2000 said: ↑

Also try disabling inline editing in Xenforo and see
Click to expand...

Right Click, Open New Tab or Window will do

Oct 5, 2014 #7

eva2000 Administrator Staff Member

: 49,870

: 11,483

: 113

: May 24, 2014

: Brisbane, Australia

Ratings:: +17,835

Local Time:: 12:56 AM

: Nginx 1.21.x

: MariaDB 10.x

whatever works for you heh

RoldanLT said: ↑

Yes I already read about that.
But still don't know why it happens is some post only.
Maybe trigger with some keyword.
Click to expand...

yeah probably.. worth posting on xenforo and see what devs think

Content Security Policy (CSP) - Google Chrome

In order to mitigate a large class of potential cross-site scripting issues, Chrome's extension system has incorporated the general concept of Content Security Policy (CSP) . This introduces some fairly strict policies that will make extensions more secure by default, and provides you with the ability to create and enforce rules governing the types of content that can be loaded and executed by your extensions and applications.

In general, CSP works as a black/whitelisting mechanism for resources loaded or executed by your extensions. Defining a reasonable policy for your extension enables you to carefully consider the resources that your extension requires, and to ask the browser to ensure that those are the only resources your extension has access to. These policies provide security over and above the host permissions your extension requests; they're an additional layer of protection, not a replacement.
Click to expand...

Inline JavaScript will not be executed
Inline JavaScript will not be executed. This restriction bans both inline <script> blocks andinline event handlers (e.g. <button onclick="...">).

The first restriction wipes out a huge class of cross-site scripting attacks by making it impossible for you to accidentally execute script provided by a malicious third-party. It does, however, require you to write your code with a clean separation between content and behavior (which you should of course do anyway, right?). An example might make this clearer. You might try to write a Browser Action's popup as a single popup.html containing:
Click to expand...

Only local script and and object resources are loaded
Script and object resources can only be loaded from the extension's package, not from the web at large. This ensures that your extension only executes the code you've specifically approved, preventing an active network attacker from maliciously redirecting your request for a resource.

Instead of writing code that depends on jQuery (or any other library) loading from an external CDN, consider including the specific version of jQuery in your extension package. That is, instead of:
Click to expand...

Relaxing the default policy
Inline Script
There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.

Remote Script
If you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted. We want to ensure that executable resources loaded with an extension's elevated permissions are exactly the resources you expect, and haven't been replaced by an active network attacker. Asman-in-the-middle attacks are both trivial and undetectable over HTTP, those origins will not be accepted.

Currently, we allow whitelisting origins with the following schemes: blob, filesystem, https,chrome-extension, and chrome-extension-resource. The host part of the origin must explicitly be specified for the https and chrome-extension schemes. Generic wildcards such as https:, https://* and https://*.com are not allowed; subdomain wildcards such ashttps://*.example.com are allowed.

To ease development, we're also allowing the whitelisting of resources loaded over HTTP from servers on your local machine. You may whitelist script and object sources on any port of either http://127.0.0.1 or http://localhost.

The restriction against resources loaded over HTTP applies only to those resources which are directly executed. You're still free, for example, to make XMLHTTPRequest connections to any origin you like; the default policy doesn't restrict connect-src or any of the other CSP directives in any way.

A relaxed policy definition which allows script resources to be loaded from example.com over HTTPS might look like:

"content_security_policy":"script-src 'self' https://example.com; object-src 'self'"
Note that both script-src and object-src are defined by the policy. Chrome will not accept a policy that doesn't limit each of these values to (at least) 'self'.

Making use of Google Analytics is the canonical example for this sort of policy definition. It's common enough that we've provided an Analytics boilerplate of sorts in the Event Tracking with Google Analytics sample extension, and a brief tutorial that goes into more detail.
Click to expand...

Last edited: Oct 5, 2014

Log in / Register

Forums

Join the community today

Xenforo Edit post > More Option/Full page doesn't render correctly with error

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Xenforo Edit post > More Option/Full page doesn't render correctly with error

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

.