#38967 My htaccess blocks an In5 animation with this type of message: [Error] Refused to load https://www.xxx.org/images/BIR_Publications/BIR_Annual_Report_2021_final/assets/js/in5.config.js because it does not appear in the script-src directive of the Content S

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
4.3.1
PHP version
8.0.28
Admin Tools version
7.3.2

Latest post by nicholas on Wednesday, 10 May 2023 12:44 CDT

grabit


Hello,

I have a problem with a simple HTML file that loads an IN5 script in order to show an animation. When I replace the .htaccess created by Admin Tools with the basic one of Joomla, everything works fine. So it is surely a misconfiguration of my settings, but I don't know where.

The errors are:

[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (BIR_Annual_Report_2021_final, line 1)

[Error] Refused to load https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js because it does not appear in the script-src directive of the Content Security Policy.

[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (BIR_Annual_Report_2021_final, line 1)

[Error] Refused to load https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/assets/js/vmouse.min.js because it does not appear in the script-src directive of the Content Security Policy.

[Error] Refused to load https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/assets/js/jquery.anythingslider.min.js because it does not appear in the script-src directive of the Content Security Policy.

[Error] Refused to load https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/assets/js/jquery.touchSwipe.min.js because it does not appear in the script-src directive of the Content Security Policy.

[Error] Refused to load https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/assets/js/in5.config.js because it does not appear in the script-src directive of the Content Security Policy.

[Error] Refused to load https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/assets/js/in5.viewer.js because it does not appear in the script-src directive of the Content Security Policy.

[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' appears in neither the style-src directive nor the default-src directive of the Content Security Policy. (BIR_Annual_Report_2021_final, line 1, x1364)


Thank you for your suggestions

nicholas
Akeeba Staff
Manager

Add images/BIR_Publications to the “Allow direct access, except .php files, to these directories” option in the .htaccess Maker. Then click on Save and Create .htaccess in the toolbar.

Here's the reasoning.

The “Disable client-side risky behavior in frontend static content” option protects your site by adding a Content-Security-Policy header to static files (as defined in “Frontend file types allowed in selected directories”) which prevents the execution of any JavaScript content in those files. Since the images folder is in the “Frontend directories where file type exceptions are allowed” and html is in “Frontend file types allowed in selected directories” all of your .html files under the images/BIR_Publications folder are set to not execute JavaScript. This is exactly what your browser tells you happens.

Whenever you add a folder or file in one of the options which exceptionally allow direct access to a directory/file the .htaccess Maker puts an additional line in the .htaccess which removes the Content-Security-Policy header thereby allowing the execution of JavaScript. Therefore, by adding the folder under which all your publication files are placed into you will be explicitly allowing their JavaScript to load and execute, solving the problem you have.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
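To make the browser errors quoted above concrete, here is a small Content-Security-Policy evaluator that reproduces the decisions behind them: an external script is refused unless a source in script-src (or, when script-src is absent, default-src) matches it, and an inline script or style is refused unless 'unsafe-inline', a matching nonce or a matching hash is listed. This is an added example, not Admin Tools or Joomla code. The header value in STATIC_CSP is constructed for the demonstration and is an assumption; it is not the exact header the .htaccess Maker emits, only a policy of the same shape (no client-side scripting for static files). Running the same resources with the header removed, as the exception line in the .htaccess does, shows every load allowed again.

```python
"""Minimal CSP evaluator reproducing the decisions behind the ticket's console errors.

Added example, not Admin Tools or Joomla code.  STATIC_CSP is a constructed
stand-in for a 'no client-side scripting' policy (assumption); it is not the
exact header the .htaccess Maker writes.
"""
from urllib.parse import urlsplit

STATIC_CSP = "default-src 'self'; script-src 'none'; style-src 'none'"  # assumed header
PAGE = "https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/index.html"
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src", "font-src")


def parse_csp(header):
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; an empty header means no policy at all."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src; None means 'unrestricted'."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive in FETCH_DIRECTIVES else None


def _host_matches(pattern, host):
    if pattern.startswith("*."):  # *.example.org covers a.example.org, not example.org itself
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(src, page_url, resource_url):
    """Does a single source expression permit resource_url when fetched by page_url?"""
    s = src.lower()
    res, page = urlsplit(resource_url), urlsplit(page_url)
    if s == "'none'":
        return False
    if s == "'self'":  # same origin as the document (scheme-upgrade rules omitted)
        return (res.scheme, res.hostname, res.port) == (page.scheme, page.hostname, page.port)
    if s.startswith("'"):  # other keywords ('unsafe-inline', nonces, hashes) never match a URL
        return False
    if s == "*":
        return res.scheme in ("http", "https")
    if s.endswith(":") and "/" not in s:  # scheme-source such as https:
        return res.scheme == s[:-1]
    expr = urlsplit(s if "://" in s else "//" + s)  # host-source with optional scheme/port/path
    if expr.scheme and expr.scheme != res.scheme:
        return False
    if not expr.hostname or not _host_matches(expr.hostname, res.hostname or ""):
        return False
    if expr.port is not None and expr.port != res.port:
        return False
    if expr.path:  # trailing '/' means prefix match, otherwise the path must match exactly
        return res.path.startswith(expr.path) if expr.path.endswith("/") else res.path == expr.path
    return True


def external_allowed(policy, directive, page_url, resource_url):
    """Would the browser load this external resource under `directive`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(_source_matches(s, page_url, resource_url) for s in sources)


def inline_allowed(policy, directive, nonce=None, sha256=None):
    """Inline <script>/<style> needs 'unsafe-inline', a matching nonce, or a matching hash."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    raw = [s.strip("'") for s in sources]  # nonces and hashes are case-sensitive: no lower()
    has_nonce_or_hash = any(s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in raw)
    if "unsafe-inline" in (s.lower() for s in raw) and not has_nonce_or_hash:
        return True  # 'unsafe-inline' is ignored once a nonce or hash source is present
    if nonce and f"nonce-{nonce}" in raw:
        return True
    return bool(sha256) and f"sha256-{sha256}" in raw


def demo(header=STATIC_CSP):
    """Evaluate the ticket's resources under `header`; pass "" to model the header being removed."""
    policy = parse_csp(header)
    base = "https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/assets/js/"
    return {
        "jquery_cdn": external_allowed(policy, "script-src", PAGE,
                                       "https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"),
        "in5_config": external_allowed(policy, "script-src", PAGE, base + "in5.config.js"),
        "inline_script": inline_allowed(policy, "script-src"),
        "inline_style": inline_allowed(policy, "style-src"),
        "same_origin_image": external_allowed(policy, "img-src", PAGE, "https://www.bir.org/images/logo.png"),
    }


if __name__ == "__main__":
    for label, header in (("CSP header present", STATIC_CSP), ("CSP header removed", "")):
        print(label, demo(header))
```

With the header present, every script and style entry comes back False, matching the console errors one for one, while the same-origin image is still allowed because img-src falls back to default-src 'self'. With the header removed (the effect of the exception line the .htaccess Maker writes for a listed directory) everything is allowed, which is why the fix is to whitelist the directory rather than to loosen the policy for the whole site.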

grabit

Thank you Nicholas,

I already tried that one, but then I had a 403 error.

So I put the same folder in the next option, "Allow direct access, including .php files, to these directories", and the 403 error went away, but then I had the error I was explaining in my original message.

So what do you suggest without compromising my security?

nicholas
Akeeba Staff
Manager

What you have described, the way you described it, is an impossibility.

Based on your original message, without adding the folder to “Allow direct access, except .php files, to these directories”, you can access the file without getting a 403. This means that its file extension is already added in “Frontend file types allowed in selected directories”.

Then you tell me that you added the correct folder to the “Allow direct access, except .php files, to these directories” list and get a 403. This is impossible, as this feature adds an exception which prevents 403 errors.

For what it's worth, if I access the URL https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/index.html or even https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final your page appears correctly, with JavaScript and everything.

Is it possible that you instead tried to access https://www.bir.org/images/BIR_Publications which of course does not work as there is no directory index (index.html) file? If that's your problem then, yeah, sure, you are getting the correct 403 error, as expected. Remember, the reason we added the images/BIR_Publications folder instead of the images/BIR_Publications/BIR_Annual_Report_2021_final folder was to expedite things. I am assuming you will have more than the 2021 final report to put in the images/BIR_Publications folder. It would be a waste of your time (frustrated user) and the server's time (slower site) having you add each and every folder individually when we can simply add the parent folder and be done with it. Right?


grabit

I understand well what you explain, but it is exactly what I did.

When I put https://www.bir.org/images/BIR_Publications in “Allow direct access, including .php files, to these directories”:

If I try to access https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final the scripts are blocked, but when I go to https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/index.html it works fine.

When I put https://www.bir.org/images/BIR_Publications in “Allow direct access, except .php files, to these directories”:

If I try to access https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final I get a 403 error, but when I go to https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final/index.html it works fine.

The problem is the same with both Safari and Chrome on my Mac.

So I will change the link by adding index.html in order to avoid problems.

nicholas
Akeeba Staff
Manager

I told you to add exactly the text images/BIR_Publications into the option “Allow direct access, except .php files, to these directories”.

You said you instead added the URL https://www.bir.org/images/BIR_Publications into the different option “Allow direct access, including .php files, to these directories”.


grabit

It's a mistake in my message, because I copied the link from your message.

It is of course images/BIR_Publications that I have put in the box.

Here is a screenshot.

nicholas
Akeeba Staff
Manager

OK, that's good. I was wondering how you got anything working putting a URL in that box :)

The most likely problem when you try to access https://www.bir.org/images/BIR_Publications/BIR_Annual_Report_2021_final is that the server cannot find a default directory index file. So, yes, change the URL so that it contains the /index.html at the end to prevent this problem.
