
I run a Laravel application not developed by me, as I’m not a developer.
This Laravel app shows a user page interface where I need to put a custom live chat script.

I found the relevant blade page where I need to put that code, and the path is
app/Modules/KnowledgeBase/Resources/view/layouts/page.blade.php

  1. app is the folder where the app is installed, with all core files inside.
  2. All requests inside this app folder are redirected to the public folder by an .htaccess file; the public folder is inside the app folder, so app/public/
  3. In the public folder there are a lot of files and folders. One of these folders is a symbolic link called modules, and inside it all modules are linked as symbolic links.
  4. I click on the symbolic link knowledgebase.
  5. Here I’m able to place a test HTML file containing the live chat script, and it works. This is just a test to see if I can reach the location from the browser and to check that the chat script works.
  6. In this folder only two folders are present. I need to click the button to load the parent directory, and when I do I’m inside the following path: app/Modules/KnowledgeBase/
  7. Now I open the resources, view, layouts folders and I reach page.blade.php

My script inserted in this file never works.
I’m also unable to reach a test.html file located at app/Modules/KnowledgeBase/Resources/view/layouts/ because all browser requests are redirected to the public folder, so the browser loads a not found page.

If I put the script inside this page I get the error "The script loading a resource to inline was blocked by page settings (“script-src”)"

I’m asking where this directive is set and how to fix it so that my script runs in page.blade.php.

The only .htaccess file I see is placed in the app folder and its content is

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !/.well-known/?.*
    RewriteRule (.*) public/$1 [L]
</IfModule>

There is also an .htaccess file placed in the public directory with the following code:

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

I don’t understand why I’m unable to see my script code loaded inside page.blade.php.

I expect to be able to run the script inside the blade.php page.
I searched the web for a solution and found some meta tag to add to the page, but it never resolved the issue.

The script is correctly inserted in the page; the issue is that it is blocked by a directive that I don’t know where it is placed or how to change to allow my script.

In app/config I found a PHP file that contains:

    'csp_enabled'    => env('APP_CSP_ENABLED', true),
    'csp_script_src' => env('APP_CSP_SCRIPT_SRC', ''),

Maybe it is this directive that is forbidding my script?
How to resolve this? Setting it to false resolves the issue but maybe creates an XSS weakness. How can I allow my script while leaving this option true?

2 Answers


  1. Chosen as BEST ANSWER

    The solution is to consult the documentation of the app:

    https://github.com/freescout-helpdesk/freescout/wiki/Development-Guide#javascript-and-content-security-policy-csp

    Then, after adding the script in the template:

    <script type="text/javascript" {!! Helper::cspNonceAttr() !!}>
    // Some JS code
    </script>
    

    You need to check the page with the developer console. If you see some scripts are blocked, it is because the script uses external scripts, so you need to whitelist the domain in the .env file as the guide says:

    APP_CSP_SCRIPT_SRC="example.org/js/script.js example.org/js/another-script.js"
    

    Clean the app cache and all should work.


  2. There is a content security policy set on your site. Inspect the response headers to see the content of it (look for Content-Security-Policy in the returned headers). Adding a CSP in a meta tag just adds another policy and your content still needs to pass the existing policy.

    Now you need to modify the content of the policy or the way you load your script. If the policy allows ‘self’ and you can run your script from a .js file instead of as an inline script, that will solve your problem. If you need to run the script inline you will need to modify the policy for the script-src attribute (or script-src-elem if that is implemented). If your script doesn’t change you can add the hash value that some browsers will give you in the error message. If your script is dynamic you’ll need to insert a dynamically computed hash or use a nonce. Avoid adding ‘unsafe-inline’ as it makes your CSP much less effective in preventing XSS.
