On 09/10/19 23:56, WaltS48 wrote:
> On 10/9/19 4:03 PM, Frog wrote:
>> I am seeing the following message when I visit this site ---
>> http://castleinthesand.com/ocean-city-maryland-web-cam/
>>
>> Quote
>> Blocked by Content Security Policy
>> This page has a content security policy that prevents it from being
>> loaded in this way.
>> The browser prevented this page from loading in this way because the
>> page has a content security policy that disallows it.
>> Unquote
>>
>> Operating System - Windows 10 - 64 bit
>> Seamonkey Version - 2.49.5
>>
>> I was able to see this information prior to installing SeaMonkey
>> 2.49.5 and now I see this message. Why?
>>
>> Frog
>
> I see the site load and a message across the top, "You have requested a
> page that is only partially encrypted and does not prevent
> eavesdropping." with a Preferences button.
>
> When I click the button the SeaMonkey Privacy & Security > Transport
> Layer Security (SSL/TLS) preferences open.
>
> Maybe you have a setting there that prevents the page from loading or an
> antivirus program blocking the page.

As [email protected] reports, it works when you use https: for the
hotel web page.

There are two webcam iframes, one above the other, in the scrollable
part of the page behind the giant hotel navigation banner at the top.

The first, which produces the unhelpful CSP message, is a Flash video
and its frame page specifies:

  Content-Security-Policy:"frame-ancestors oceancitylive.com castleinthesand.com visitoceancity.com ocean-city.com exploreoc.com"

This is a valid CSP directive and means that the browser shouldn't load
the page in a frame unless the page in which it is being embedded comes
from one of the listed domains. According to the latest CSP
specification, a bare hostname in a frame-ancestors list inherits the
URL scheme of the origin, and https://castleinthesand.com doesn't match
http://castleinthesand.com. So SM blocks it and shows the reported
message instead, unless you use
<https://castleinthesand.com/ocean-city-maryland-web-cam/>. The hotel's
site admin could redirect http: requests to https: to fix this, or have
the webcam admin change its CSP configuration to include http://.

The second, which does work with the hotel page loaded using http:,
showing some blurry surf, specifies this:

  Content-Security-Policy:"castleinthesand.com"

As this has no directive, the CSP is ignored and the frame is displayed.

So in this case it's a bug in the second webcam configuration, opening
it to the whole world, that allows just that one to display with the
http: hotel page. The webcam admin may wish to change its CSP
configuration to a valid one.

/df
--
London
UK
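
Added example, not part of the original message: a simplified JavaScript model of the frame-ancestors check described above, run against the two header values quoted in the message. The framed webcam URL (https://webcam.example/frame) is a placeholder assumed to be served over https, and the function names are illustrative.

```javascript
// Added example: simplified model of CSP Level 3 frame-ancestors matching.
// Models '*', 'none', 'self' and host sources; ports and paths are ignored.

// Header values quoted in the message above.
const FIRST_CAM = "frame-ancestors oceancitylive.com castleinthesand.com " +
  "visitoceancity.com ocean-city.com exploreoc.com";
const SECOND_CAM = "castleinthesand.com";
const FRAMED = "https://webcam.example/frame"; // placeholder URL, assumed https

// Parse a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first one wins
  }
  return directives;
}

// Scheme match: equal, or an http expression matching an https URL (upgrade only).
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme || (exprScheme === "http" && urlScheme === "https");
}

// Host match: exact, or "*.example.com" matching any subdomain.
function hostMatches(exprHost, urlHost) {
  return exprHost.startsWith("*.") ? urlHost.endsWith(exprHost.slice(1)) : exprHost === urlHost;
}

// framedUrl: the page that sent the header; ancestorUrl: the page embedding it.
function frameAllowed(policy, framedUrl, ancestorUrl) {
  const sources = parsePolicy(policy).get("frame-ancestors");
  if (sources === undefined) return true; // no frame-ancestors directive: nothing enforced
  const framed = new URL(framedUrl);
  const ancestor = new URL(ancestorUrl);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "*") return true;
    if (s === "'none'") return false;
    if (s === "'self'") return ancestor.origin === framed.origin;
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(s);
    if (!m) return false;
    // A bare hostname takes the scheme of the framed (protected) page.
    const exprScheme = m[1] || framed.protocol.slice(0, -1);
    return schemeMatches(exprScheme, ancestor.protocol.slice(0, -1)) &&
      hostMatches(m[2], ancestor.hostname);
  });
}
```

Calling frameAllowed(FIRST_CAM, FRAMED, ...) with the http: hotel URL gives false and with the https: URL gives true, while SECOND_CAM parses to a policy with no frame-ancestors directive, so any embedding page is allowed.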