zoneminder icon indicating copy to clipboard operation
zoneminder copied to clipboard

Published 20 hours ago verified publisher icon ZoneMinder

inline violated CSP script-src

Open rmk92 opened this issue 3 years ago • 6 comments

Describe Your Environment

  • Version of ZoneMinder [release version, development version, or commit] 1.36.3 (Unable to use 1.36.5 due to bug #3271)

  • How you installed ZoneMinder [e.g. PPA, RPMFusion, from-source, etc] From github Source + Debian buster .dsc and debian tarball on zmrepo

  • Full name and version of OS Linux 5.13 aarch64 Debian Buster apache

  • Browser name and version (if this is an issue with the web interface) Frefox 91.0.2

Describe the bug CSP errors being logged

To Reproduce Steps to reproduce the behavior:

  1. Have console open with several monitors
  2. See error

Expected behavior CSP not violated

Debug Logs


08/26/21 11:26:58.560391 web_js[12174].ERR [xxyyzz] [inline%20violated%20CSP%20script-src] at moz-extension line 46
08/26/21 11:27:07.952926 web_js[5138].ERR [xxyyzz] [inline%20violated%20CSP%20script-src] at moz-extension line 46
08/26/21 11:27:22.323030 web_js[14216].ERR [xxyyzz] [inline%20violated%20CSP%20script-src] at moz-extension line 46

rmk92 avatar Aug 26 '21 10:08 rmk92

I believe this is not actually a zoneminder problem, but is caused by an extension. In my case the Plasma Integration causes it. Disabled all extensions and reload and I think you'll find that there isn't a CSP violation. Re-enable extensions one by one until you find out which one causes it.

connortechnology avatar Aug 26 '21 13:08 connortechnology

Okay, I now know which extension causes it, and it's one that I use heavily... so what are the options? The only way to stop zoneminder logging errors is to completely disable that extension, which isn't a workable solution for me.

Can zoneminder just not log moz-extension CSP errors, so that then I don't have to set the logging level to "fatal" to prevent excess noise in the ZM logs? I've hacked the ZM javascript to do this, so it is possible, so the question is more whether it's desirable?

Thanks.

rmk92 avatar Aug 28 '21 22:08 rmk92

I think that's what we need to do. Have a config option to turn off CSP reporting. Should be easy.

Out of curiosity, which extension causes it for you?

connortechnology avatar Aug 29 '21 00:08 connortechnology

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 16 '22 06:04 stale[bot]

I found two extensions that cause it for me

  • https://addons.mozilla.org/en-US/firefox/addon/darkreader/ (if i have darkmode enabled via the extension)
  • https://addons.mozilla.org/en-US/firefox/addon/plasma-integration/

ProjectPatatoe avatar Aug 25 '22 03:08 ProjectPatatoe

I'm seeing similar errors with Safari on Mac when Evernote browser Extension is in use (ZM v1.36.24):

8/28/22, 1:10:03 PM GMT+3 web_js 125661 ERR blob violated CSP worker-src safari-extension://D0C6F07F-96C9-49A9-BDB5-85170789FA65/commons.js 2 8/28/22, 1:10:03 PM GMT+3 web_js 115197 ERR Script error. ?view=log - 8/28/22, 1:10:01 PM GMT+3 web_js 115197 ERR blob violated CSP worker-src safari-extension://D0C6F07F-96C9-49A9-BDB5-85170789FA65/commons.js 2 8/28/22, 1:10:01 PM GMT+3 web_js 115197 ERR Script error. ?view=console -

bceylon avatar Aug 28 '22 10:08 bceylon