I have an application that is written using Tomcat and AngularJS (v1.2.14). In web.xml I set the ContentSecurityFilter on /* and then in configuration set the policy rules to allow same origin, allow eval and allow unsafe inline.

I have mapped https://mysite.com/my/app/url to index.jsp that eventually does the following:

<div id="ng-app" ng-app="myApp" ng-csp>
  <div ng-include="'/my/app/url/static/pages/partials/wizard.html'" class="container-fluid"></div>
</div>

wizard.html is where the true application stuff is happening. I have a bunch of AngularJS directives there, etc.

This setup does work in IE and FF, but does not work in CH. When I try to access my/app/url in Chrome, wizard.html is not displayed; the rest of index.jsp is displayed OK. Going to dev tools I see that I get this error for wizard.html:

Failed to load resource: the server responded with a status of 401 (Unauthorized)

There are no errors in the server logs. If I disable the CSP filter mapping in web.xml, Chrome starts to work just fine. But I have to have the CSP filter for security reasons.

Does anyone know how to fix this? Any help is appreciated!

Pinny
  • Further "playing around" with my code reveals that the ng-include is the culprit here. Replacing the content of wizard.html with "Hello World" does not help, thus the content of it is not the cause of the error. So the next thing I did was removing – Pinny Mar 26 '14 at 22:35
  • Adding connect-src 'self' 'unsafe-eval' 'unsafe-inline' to CSP that Tomcat sets does not help. – Pinny Mar 26 '14 at 23:12
  • What does the Chrome dev console say? – kravietz Mar 27 '14 at 07:14
  • It says: Failed to load resource: the server responded with a status of 401 (Unauthorized) https://mydesktop:3081/my/app/url/static/pages/partials/wizard.html – Pinny Mar 27 '14 at 16:57
  • ^ that error is not from csp. – oreoshake Mar 27 '14 at 23:31
  • At the time when I filed this question I was under the impression that it was, because disabling (commenting out) the CSP filter in Tomcat's web.xml would make this error go away. But yes, the root cause ended up being a 401 error handling filter. – Pinny Mar 29 '14 at 01:58

1 Answer

The solution came unexpectedly. It was a "perfect storm" of things.

I had a filter set up in web.xml to deal with 401 that was excluding things like css|js|... but not html files. So that was returning a 401 error for my html file. CSP did not like what it got from the server and blocked the load of the wizard.html file.

So usually CSP is specific about what happened and for what reason (like "such and such file was blocked because it violates such and such content security policy"), but this was only partially coming from CSP, so it just returned the error it got itself, which was 401; thus creating this confusing situation.

By adding html to the list of excluded files, I solved the problem.

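The answer describes a 401 filter whose exclusion list covered css|js|... but not html, so the partial fetched by ng-include was rejected before CSP ever saw it. The following servlet filter is an added illustration of that failure mode and its fix; it is not the asker's code, and the class name, init-parameter name, session attribute and the exact extension lists are assumptions. The "before" pattern reproduces the bug (an `.html` partial gets 401), the "after" pattern is the corrected exclusion; the static `isExcluded` helper lets you check a path against either pattern without a running container.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical "401 filter": any request that is not for an excluded static
 * asset must carry an authenticated session, otherwise it is answered with
 * 401. Mapped on /* in web.xml, next to the CSP filter.
 */
public class AuthRequiredFilter implements Filter {

    // Before: html is missing, so /static/pages/partials/wizard.html fetched by
    // ng-include is treated as an application request and gets 401.
    static final Pattern EXCLUDED_BEFORE = Pattern.compile(
            ".*\\.(css|js|png|gif|jpg|ico|woff)$", Pattern.CASE_INSENSITIVE);

    // After: html partials are served like any other static asset.
    static final Pattern EXCLUDED_AFTER = Pattern.compile(
            ".*\\.(css|js|html|png|gif|jpg|ico|woff)$", Pattern.CASE_INSENSITIVE);

    // Assumed session attribute set by the login flow.
    static final String USER_ATTR = "user";

    private Pattern excluded = EXCLUDED_AFTER;

    @Override
    public void init(FilterConfig config) {
        // Assumed init-param so the exclusion list lives in web.xml, not in code.
        String p = config.getInitParameter("excludePattern");
        if (p != null && !p.isEmpty()) {
            excluded = Pattern.compile(p, Pattern.CASE_INSENSITIVE);
        }
    }

    /** True when the context-relative path is a static asset exempt from auth. */
    static boolean isExcluded(Pattern excluded, String contextRelativePath) {
        return excluded.matcher(contextRelativePath).matches();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Strip the context path so the pattern sees /static/... only.
        String path = req.getRequestURI().substring(req.getContextPath().length());

        if (!isExcluded(excluded, path)) {
            boolean authenticated = req.getSession(false) != null
                    && req.getSession(false).getAttribute(USER_ATTR) != null;
            if (!authenticated) {
                // This is the status the browser reported as
                // "Failed to load resource: ... 401 (Unauthorized)".
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    // Stand-alone check of the two patterns against the partial's path.
    public static void main(String[] args) {
        String partial = "/my/app/url/static/pages/partials/wizard.html";
        System.out.println("before: excluded=" + isExcluded(EXCLUDED_BEFORE, partial)); // false -> 401
        System.out.println("after:  excluded=" + isExcluded(EXCLUDED_AFTER, partial));  // true  -> served
    }
}
```

The takeaway for debugging: a 401 is an HTTP status produced by the server, never by CSP; when the browser shows a status code rather than a "violates the following Content Security Policy directive" message, look at the filter chain and access logs before touching the policy.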