Can REST calls be initiated when the CSP is unable to be modified from the default-src: 'none'?

Sometimes, I wonder if this question is silly because it goes against the purpose of the Content Security Policy.

There's a webpage located at foo.baz.com that requires data from bar.baz.com to function locally. Below is the code snippet for the function responsible for fetching and storing the data in a cookie:

function() {
    let request = new XMLHttpRequest();

    request.open("GET", "https://bar.baz.com/endpoint");

    request.onload = () => {...store the results in a cookie...};

    request.send();
}

However, the foo.baz.com page enforces a CSP directive of default-src: 'none', and since the page is managed by another team, I am unable to modify it. (This function is executed within the browser console.)

The use of XMLHttpRequest, jQuery, and fetch methods all result in a CSP error:

Refused to connect to 'https://bar.baz.com/endpoint' as it violates the Content Security Policy directive: "default-src 'none'". It's worth noting that 'connect-src' was not explicitly defined, so 'default-src' is being used as a fallback.

Is there any way to make an API call from one subdomain of baz.com to another when the CSP directive cannot be altered from default-src: 'none'?

(Perhaps by dynamically configuring the connect-src directive, adding an access control header, or utilizing a library capable of making requests despite the CSP constraints?)

javascriptxsscontent-security-policy

Answer №1

In the discussions, it was noted that achieving this task is not feasible; there needs to be a redesign in place.

Our approach involved eliminating the call to bar.baz.com and creating a placeholder cookie that met the criteria for foo.baz.com to load. Subsequently, we directed all REST calls originating from foo.baz.com to a locally running proxy. This proxy would initiate the call to bar.baz.com upon startup, substitute the placeholder cookie with the value retrieved from baz.bar.com, and then relay these requests to the correct host. The specific proxy tool utilized by us was express-http-proxy, although there are several similar alternatives available.

We also explored another potential solution which involved developing a script starting on bar.baz.com to make the necessary call, store the outcomes as either a cookie or local variable, and utilize window.assign to navigate to foo.baz.com. If anyone manages to successfully implement this method, I would greatly appreciate hearing about it.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Using the Croppie plugin to crop an image before uploading via jQuery Ajax in PHP

I've successfully implemented a code snippet that allows image cropping using PHP, jQuery, and Ajax with the Croppie plugin. Currently, I'm facing an issue while trying to include additional input values along with the image upload process. I ...

javascriptphpjquerycssajax

Gathering information from an HTML form and displaying it through JavaScript by utilizing Bootstrap's card component

I've been working on integrating form data from my index.html page into a card component using Bootstrap. I've successfully collected the data in the backend, but now I'm struggling to display it on the frontend as a card component. Any help ...

javascripthtmlcssformsobject

What sets apart the JavaScript console from simply right-clicking the browser and opting for the inspect option?

As I work on developing an angular application, one of my tasks involves viewing the scope in the console. To do this, I usually enter the code angular.element($0).scope(). This method works perfectly fine when I access the console by right-clicking on th ...

javascriptangularjsgoogle-chromegoogle-chrome-devtoolsdeveloper-console

What guidelines should be followed for utilizing jQuery's Ajax convenience methods and effectively managing errors?

Imagine a scenario where I am trying to mimic Gmail's interface using jQuery Ajax to incorporate periodic auto-saving and sending functionalities. Error handling is crucial, especially in cases of network errors or other issues. Instead of just being ...

javascriptjqueryajax

The React application is experiencing difficulties in receiving the response data (JSON) from the Express server, despite the fact that

When making POST or GET requests to our Express server, served through PM2 on EC2, Postman receives the complete response with JSON data. However, our front end React app (both locally and deployed via CF) only gets the response status code and message. Th ...

javascriptnode.jsreactjsexpressamazon-ec2

Generating variables dynamically within a React Native component

In my React Native component, I need to create a variable that will be used multiple times. Each instance of this component should have a different variable name for reference. <View ref={view => { shapeView = view; }} onLayout={({ nativeE ...

javascriptreact-native

The Angular filter received an undefined value as the second parameter

Currently, I am facing an issue while trying to set up a search feature with a custom filter. It appears that the second parameter being sent to the filter is coming through as undefined. The objects being searched in this scenario are books, each with a g ...

javascriptangularjsfilter

A step-by-step guide on including chess.js in your Create React App

I'm facing an issue while trying to incorporate the chess.js npm library into my Create React App. The error message "Chess is not a constructor" keeps popping up. Below is the code snippet I am using: import React from 'react'; import &apos ...

javascriptreactjsnpmcreate-react-app

Updating the $location variable from the $rootScope perspective

I am facing an issue with my web app which is built using AngularJS. I have two functions in my code - one declared on the $rootScope and the other on the $scope. The code snippets are shown below: app.js app.run(function ($rootScope, $location) { $roo ...

javascriptangularjs

Utilizing React to highlight buttons that share the same index value upon hover

I have some data in a JavaScript object from a JSON file, where certain entries have a spanid (number) while others do not. I've written React code to highlight buttons with a spanid on hover, but I'm looking for a way to highlight or change the ...

javascriptcssreactjs

The HTML element cannot be set within page.evaluate in Node.js Puppeteer

I've run into an issue while using node.js puppeteer, specifically with the page.evaluate method. I'm experiencing difficulties with this part of my code: console.log(response); //This line is valid as it prints a regular string awa ...

javascriptnode.jspuppeteer

Storing User IP Address in Database with Express and Mongoose

I'm looking for a way to store users' IP addresses in mongoDB by using a mongoose model file for the user. Does anyone have any suggestions on how I can achieve this? Here is an example of the schema for the Users module file: const userSchema ...

javascriptnode.jsreactjsexpressmongoose

Struggling with JavaScript's getElementById function

If anyone has any suggestions or alternative methods, please kindly assist me. I currently have: 1 Textbox 1 Label 1 LinkButton Upon clicking the lnk_NameEdit button, the txtUserName textbox should become visible while the lblusername label should becom ...

c#javascriptasp.netajax

Why does the header still show content-type as text/plain even after being set to application/json?

When using fetch() to send JSON data, my code looks like this: var data = { name: this.state.name, password: this.state.password } fetch('http://localhost:3001/register/paitent', { method: 'POST&a ...

javascriptjsonreactjshttpexpress

Linking query branches without encountering the "Exceeded the number of hooks rendered during the previous render" error

This apollo client utilizes a rest link to interact with 2 APIs. The first API returns the value and ID of a record, while the second API provides additional information about the same record. I combine this information to render the content without using ...

javascriptreactjsapolloreact-apollo

Discover the ins and outs of integrating YAML front matter into your destination directory path

I am looking to customize the path of my blog posts to include a fancy date format like /blog/2013/09/17 so that the links from my previous octopress blog remain intact. Within the YAML front matter on each markdown page, I have included the date informat ...

javascriptgruntjspermalinkstemplatingassemble

What is the best way to remove a particular element from an array stored in Local Storage?

Currently working on a web application that features a grade calculator allowing users to add and delete grades, all saved in local storage. However, encountering an issue where attempting to delete a specific grade ends up removing the most recently add ...

javascriptarraysvue.js

Caution: React is unable to identify the `PaperComponent` prop on a DOM element

Trying to create a draggable modal using Material UI's 'Modal' component. I want users to be able to move the modal around by dragging it, so I decided to use 'Draggable' from react-draggable library. However, I encountered this er ...

javascriptcssreactjsmaterial-uimodal-dialog

"I'm experiencing an issue in Laravel where the Ion range slider's color and dragger are

I'm currently implementing ion-rangeslider into my project. Here is the HTML code I've used: <div style="position: relative; padding: 200px;"> <div> <input type="text" id="range" value="" name= ...

javascriptjquerylaravelnpmion-range-slider

Retrieve every video on React.js channel from YouTube

Currently, I am working on integrating react-youtube into my React App with the goal of accessing all videos from a specific YouTube channel. The challenge I am facing is that I need to display these videos as thumbnails, exactly how they are listed in the ...

javascriptreactjsnpmyoutube-data-api