Can REST calls be initiated when the CSP is unable to be modified from the default-src: 'none'?

Sometimes, I wonder if this question is silly because it goes against the purpose of the Content Security Policy.

There's a webpage located at foo.baz.com that requires data from bar.baz.com to function locally. Below is the code snippet for the function responsible for fetching and storing the data in a cookie:

function() {
    let request = new XMLHttpRequest();

    request.open("GET", "https://bar.baz.com/endpoint");

    request.onload = () => {...store the results in a cookie...};

    request.send();
}

However, the foo.baz.com page enforces a CSP directive of default-src: 'none', and since the page is managed by another team, I am unable to modify it. (This function is executed within the browser console.)

The use of XMLHttpRequest, jQuery, and fetch methods all result in a CSP error:

Refused to connect to 'https://bar.baz.com/endpoint' as it violates the Content Security Policy directive: "default-src 'none'". It's worth noting that 'connect-src' was not explicitly defined, so 'default-src' is being used as a fallback.

Is there any way to make an API call from one subdomain of baz.com to another when the CSP directive cannot be altered from default-src: 'none'?

(Perhaps by dynamically configuring the connect-src directive, adding an access control header, or utilizing a library capable of making requests despite the CSP constraints?)

javascriptxsscontent-security-policy

Answer №1

In the discussions, it was noted that achieving this task is not feasible; there needs to be a redesign in place.

Our approach involved eliminating the call to bar.baz.com and creating a placeholder cookie that met the criteria for foo.baz.com to load. Subsequently, we directed all REST calls originating from foo.baz.com to a locally running proxy. This proxy would initiate the call to bar.baz.com upon startup, substitute the placeholder cookie with the value retrieved from baz.bar.com, and then relay these requests to the correct host. The specific proxy tool utilized by us was express-http-proxy, although there are several similar alternatives available.

We also explored another potential solution which involved developing a script starting on bar.baz.com to make the necessary call, store the outcomes as either a cookie or local variable, and utilize window.assign to navigate to foo.baz.com. If anyone manages to successfully implement this method, I would greatly appreciate hearing about it.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Comparison between JavaScript Promise .then(onFulfilled, onRejected) and .then(onFulfilled).catch(errorFunc) in handling asynchronous operations

As I was reviewing promises, I had a question about the order in which the .then/catch calls are executed when using the code below. Are the catch calls being placed at the end of the queue stack? I already have a clear understanding of the distinction bet ...

javascriptnode.jspromise

JavaScript slice() method displaying the wrong number of cards when clicked

In my code, I have a section called .registryShowcase. This section is designed to display logos and initially shows 8 of them. Upon clicking a button, it should load the next set of 8 logos until there are no more left to load (at which point the button ...

javascripthtmljquerycss

Transform jQuery code to its equivalent in vanilla JavaScript

While I am proficient in using jQuery, my knowledge of pure JavaScript is somewhat limited. Below is the jQuery code that I have been working with: $(document).ready(function() { $.get('http://jsonip.com/', function(r){ var ip_addre ...

javascriptjqueryajax

What is the alternative method in JavaScript for locating items instead of using indexOf?

I have a set of paths in an array. Some paths are classified as constants while others are labeled as dynamic. A constant path would be something like "/booking-success", whereas a dynamic path could be something like '/arrival/view/:job_or ...

javascriptjqueryreactjs

Verify if the array entries match

Within my select element, I populate options based on an array of values. For example: [{ name: 'A', type: 'a', }, { name: 'B', type: 'b', }, { name: 'B', type: 'b', }, { name: &apos ...

javascriptangulartypescript

Navigating through a multidimensional array in Angular 2 / TypeScript, moving both upwards and downwards

[ {id: 1, name: "test 1", children: [ {id: 2, name: "test 1-sub", children: []} ] }] Imagine a scenario where you have a JSON array structured like the example above, with each element potenti ...

javascriptjsontypescriptmultidimensional-arrayangular2-components

What is the best way to ensure webpacker compiled javascript only runs once the page has finished loading in a rails application

What is the best location to place window.onload for it to execute on every page within a Rails 6 application? ...

javascriptruby-on-railswebpack

Using a static function within a library's state function in NextJS is throwing an error: "not a function"

Inside a library, there's a special class known as MyClass. This class contains a static method named setData. The contents of the MyClass.js file are shown below: class MyClass { static DATA = ''; static setData(data) { MyClass ...

javascriptwebpacknext.js

Enhancing many-to-many relationships with additional fields in Objection.js

I have a question that I haven't been able to find a clear answer to in the objection.js documentation. In my scenario, I have two Models: export class Language extends BaseId { name: string; static tableName = 'Languages'; st ...

javascriptnode.jstypescriptknex.jsobjection.js

Techniques for simulating functions in Jest

I have a pair of basic components that I'm currently creating tests for using jest. My goal is to verify that when I click on a currencyItem, the corresponding array gets added to the select state. To achieve this, I am passing the handleCurrencyToggl ...

javascriptreactjstypescriptjestjsts-jest

perform validation middleware following completion of validation checks

Looking to establish an Express REST API, I aim to validate both the request parameters and body before invoking the controller logic. The validation middleware that I have put together is as follows: const { validationResult } = require('express-va ...

javascriptnode.jsexpress-validator

The world of coding comes alive with Quartz Composer JavaScript

Seeking assistance as I navigate through a challenging project. Any help would be greatly appreciated. Thanks in advance! I have a Quartz Composition where I aim to incorporate a Streetview from Google Maps and control the navigation, but I'm unsure ...

javascriptgoogle-maps-api-3quartz-composer

Creating a unique, random output while maintaining a log of previous results

While working on a recent project, I found myself in need of a custom Javascript function that could generate random numbers within a specified range without any repetitions until all possibilities were exhausted. Since such a function didn't already ...

javascriptjqueryrandom

Error in content policy for CSS in Stripe Checkout

I am currently attempting to integrate Stripe Checkout into my Ionic App. I have created a Directive that injects the form into my content view, however, upon execution, the CSS fails due to a content policy violation: checkout.js:2Refused to load the s ...

javascriptcssionic-frameworkstripe-payments

Restricting form choices for multi-level child inputs using JavaScript

In my current form, the structure is as follows: kingdom --> phylum --> class --> order --> family --> genus... If the kingdom = Animalia, then the options for phylum should be a specific list. Similarly, if the phylum is set to Chordata, ...

javascriptformsbootstrap-4

Working towards ensuring my website is responsive

Hello, I am a CSS beginner currently working as an intern. My task is to make a website's CSS compatible with Internet Explorer, and then make it responsive and scalable. Essentially, the design should retain its appearance when the window size change ...

javascripthtmlcss

Assign the default value of a Vue prop to the options of its parent component

I have a child component that needs to accept a value given in the component's parent's $options object as a possible default value. In the background, the component should be able to receive its data through a prop or from a configuration. Howe ...

javascriptvue.jsvuejs2

Loading images in advance with AJAX for enhanced AJAX performance

My website is structured in a sequential manner, where page1.html leads to page2.html and so on. I am looking to preload some images from the third page onto the second page. After searching, I came across this amazing code snippet: $.ajax({ url ...

javascriptjqueryhtmlcssajax

The unexpected disappearance of data in a d3 v4 map leaves users puzzled

My current task involves reading data from a csv file and creating a map where the key is the state abbreviation and the value is the frequency of that state in the data. The code I have successfully creates the map, reads in the data, and when I use cons ...

javascriptcsvdictionaryd3.js

Arranging the Bars in a Bar Chart Using Chart.JS

Lately, I've been playing around with ChartJS and encountering an issue with sorting the bars in descending order, from lowest to highest. Despite my efforts to troubleshoot, I haven't had any success in resolving it. ...

javascriptjquerychart.js