Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Strict MIME type checking is enforced for module scripts per HTML #4178

Closed
gafain opened this issue Oct 3, 2024 · 1 comment
Closed

Strict MIME type checking is enforced for module scripts per HTML #4178

gafain opened this issue Oct 3, 2024 · 1 comment
Labels

Comments

@gafain
Copy link

gafain commented Oct 3, 2024

Expected behavior

Actual behavior

I Install openvas on ubuntu 24.04
Because this did not install the web interface I clone this git
I run the build without errors
I have installed the GSA.
The webserver respond with the index.html but did load the javascript and CSS

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-VA8O2hAdooB288EpSTrGLl7z3QikbWU9wwoebO/QaYk='), or a nonce ('nonce-...') is required to enable inline execution.

127.0.0.1/:12 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-+5XkZFazzJo8n0iOP4ti/cLCMUudTf//Mzkb7xNPXIc='), or a nonce ('nonce-...') is required to enable inline execution.

index-D8O4oQLF.js:1 Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "text/html". Strict MIME type checking is enforced for module scripts per HTML spec.

On Firefox I have this message
Il caricamento del modulo da “https://127.0.0.1:9392/assets/index-D8O4oQLF.js” è stato bloccato a causa del tipo MIME non consentito (“text/html”).
Il foglio di stile https://127.0.0.1:9392/assets/index-DTH69syH.css non è stato caricato in quanto il suo tipo MIME, “text/html”, non corrisponde a “text/css”.
Content-Security-Policy: Le impostazioni della pagina hanno bloccato l’esecuzione di uno script in linea (script-src-elem) in quanto viola la seguente direttiva: “script-src 'self'”
Content-Security-Policy: Le impostazioni della pagina hanno bloccato l’esecuzione di uno script in linea (script-src-elem) in quanto viola la seguente direttiva: “script-src 'self'”
Il foglio di stile https://127.0.0.1:9392/assets/index-DTH69syH.css non è stato caricato in quanto il suo tipo MIME, “text/html”, non corrisponde a “text/css”.

Steps to reproduce

1.Install openvas on Ubuntu 24.04
2.Clone gsa repo
3.Build and install on folder created by installer

GVM versions

gsa: (gsad --version) 22.08.0~git

gvm: (gvmd --version) 23.1.0

openvas-scanner: (openvassd --version)

gvm-libs:

Environment

Operating system: Ubuntu 24.04

Installation method / source: (packages, source installation)

Logfiles

gsad main:MESSAGE:2024-10-03 11h32.21 utc:11937: Starting GSAD version 22.08.0git
gsad main:CRITICAL:2024-10-03 11h32.21 utc:11937: main: Could not load private SSL key from /var/lib/gvm/private/CA/serverkey.pem: Failed to open file “/var/lib/gvm/private/CA/serverkey.pem”: No such file or directory
gsad main:WARNING:2024-10-03 11h32.21 utc:11942: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 11h33.51 utc:12598: Starting GSAD version 22.08.0
git
gsad main:CRITICAL:2024-10-03 11h33.51 utc:12598: main: Could not load private SSL key from /var/lib/gvm/private/CA/serverkey.pem: Failed to open file “/var/lib/gvm/private/CA/serverkey.pem”: No such file or directory
gsad main:WARNING:2024-10-03 11h33.51 utc:12600: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 11h35.22 utc:12654: Starting GSAD version 22.08.0git
gsad main:CRITICAL:2024-10-03 11h35.22 utc:12654: main: Could not load private SSL key from /var/lib/gvm/private/CA/serverkey.pem: Failed to open file “/var/lib/gvm/private/CA/serverkey.pem”: No such file or directory
gsad main:WARNING:2024-10-03 11h35.22 utc:12656: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 11h36.52 utc:12823: Starting GSAD version 22.08.0
git
gsad main:WARNING:2024-10-03 11h36.52 utc:12824: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 12h35.15 utc:21879: Starting GSAD version 22.08.0git
gsad main:WARNING:2024-10-03 12h35.15 utc:21881: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 12h35.36 utc:22087: Starting GSAD version 22.08.0
git
gsad main:WARNING:2024-10-03 12h35.36 utc:22089: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 13h25.57 utc:33356: Starting GSAD version 22.08.0git
gsad main:WARNING:2024-10-03 13h25.57 utc:33358: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 13h29.53 utc:2034: Starting GSAD version 22.08.0
git
gsad main:WARNING:2024-10-03 13h29.53 utc:2038: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 13h33.26 utc:2025: Starting GSAD version 22.08.0git
gsad main:WARNING:2024-10-03 13h33.26 utc:2032: main: start_http_daemon redirect failed !
gsad main:MESSAGE:2024-10-03 13h46.21 utc:4595: Starting GSAD version 22.08.0
git

@gafain gafain added the bug label Oct 3, 2024
@cfi-gb
Copy link
Member

cfi-gb commented Oct 7, 2024

Most likely this could be closed directly as "invalid":

When mixing very outdated versions of components like (gsad --version) 22.08.0~git or (gvmd --version) 23.1.0 which both have been released one year ago with most recent versions of another component unexpected behaviors occur / are expected. Especially when mixing package based installation of components from a 3rdparty provider like Ubuntu with a manual installation of another component.

In this special case the outdated version shipped by that 3rdparty Ubuntu provider is not including e.g. greenbone/gsad/pull/171

See https://greenbone.github.io how to get more recent versions of all components and https://forum.greenbone.net/ for installation support.

@timopollmeier timopollmeier added invalid and removed bug labels Oct 23, 2024
@timopollmeier timopollmeier closed this as not planned Won't fix, can't repro, duplicate, stale Oct 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants