Details
- Bug
- Resolution: Won't Do
- Major
- 4.3.0.CR1
- None
- Workaround Exists
Description
This problem might look like an edge case at first glance, but it could actually have a significant impact on LiveReload in the short run. CSP is a security policy that complements CORS. However, Content Security Policy and CORS are two separate things. CORS is the web service declaring which apps are authorized to call the service.
Content Security Policy is kind of the opposite: it's the app that declares which services can be called.
Basically, Content Security Policy is supported by new versions of major browsers in order to prevent cross-site scripting (XSS) attacks. However, this policy restricts the usage of LiveReload to a certain extent.
Steps to reproduce:
1) Create default jboss-as-kitchensink-html5-mobile
2) Add CSP meta tag
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js">
^ allows jQuery to be used (everything else is hosted locally)
3) In Preferences (General -> Web Browser) add the newest version of Chrome and set it as default
4) Run the project on the Local Server (Tomcat)
5) In the Server View right-click on the hosted project -> Show In -> Web Browser via LiveReload
6) Edit and save index.html
7) ERROR: LiveReload is broken - CSP has prevented livereload.js injection
N.B. LiveReload will work with the file protocol (right click on index.html -> Open With -> Web Browser with LiveReload) even with CSP enabled, because in this case livereload.js is hosted on the same port (35729 by default) as the whole project
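The following is an added example, not code from the report or from JBoss Tools: a simplified model of how a browser matches a script URL against `script-src`, run over the policy from step 2. It shows why a script served from port 35729 is refused on a page served from another port and permitted in the N.B. case. The page URL, Tomcat port 8080 and the development-only policy variant are assumptions made for the illustration.

```javascript
// Simplified model of CSP script-src matching (added example, not JBoss Tools code).
// Handles 'self', '*', and host-sources with optional scheme, port and path.
// Keywords such as 'unsafe-inline' never match a URL; scheme-sources and wildcard hosts are not modelled.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || "";

function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first occurrence wins
  }
  return directives.get("script-src") || directives.get("default-src") || null;
}

function sourceMatches(expr, url, page) {
  if (expr === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (expr.toLowerCase() === "'self'") {
    return url.protocol === page.protocol && url.hostname === page.hostname && portOf(url) === portOf(page);
  }
  if (expr.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', nonces, hashes
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const schemeOk = scheme ? url.protocol === scheme.toLowerCase() + ":"
    : url.protocol === page.protocol || (page.protocol === "http:" && url.protocol === "https:");
  if (!schemeOk || url.hostname !== host.toLowerCase()) return false;
  if (port !== "*" && portOf(url) !== (port || DEFAULT_PORT[url.protocol])) return false;
  if (!path) return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

function scriptAllowed(policy, scriptUrl, pageUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no script-src or default-src: scripts are unrestricted
  const url = new URL(scriptUrl), page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Policy from step 2 of the report; the page URL and port 8080 are assumed.
const REPORT_POLICY = "default-src *; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.js";
const PAGE = "http://localhost:8080/jboss-as-kitchensink-html5-mobile/index.html";
const LIVERELOAD = "http://localhost:35729/livereload.js";
// Constructed development-only variant that names the LiveReload origin explicitly.
const DEV_POLICY = REPORT_POLICY + " http://localhost:35729";
console.log("report policy:", scriptAllowed(REPORT_POLICY, LIVERELOAD, PAGE));
console.log("dev policy:   ", scriptAllowed(DEV_POLICY, LIVERELOAD, PAGE));
```

The check covers only the script load; it says nothing about whether the rest of LiveReload's traffic is permitted by the policy.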
Issue Links
- relates to JBIDE-20757 Livereload does not work with CordovaSim on default THYM project (Closed)