FullCalendar.io not working with CSP nonce on Safari browser

I’m using FullCalendar.io in my ASP.NET Core web app. Additionally, I’ve set up CSP with NetEscapades.AspNetCore.SecurityHeaders.
Here are the definitions:

policy.AddContentSecurityPolicy(builder =>
{
    builder.AddDefaultSrc().Self();
    builder.AddConnectSrc()
        .From("wss://localhost:*")
        .From("ws://localhost:*")
        .From("https://localhost:*")
        .From("http://localhost:*")
        .Self();

    builder.AddObjectSrc().Self();
    builder.AddBlockAllMixedContent();
    builder.AddImgSrc().Self().From("data:").OverHttps();
    builder.AddFormAction().Self().OverHttps();
    builder.AddFontSrc().Self().From("data:").OverHttps();
    builder.AddStyleSrc()
        .Self()
        ////.UnsafeInline()
        .WithNonce()
        .OverHttps();
    builder.AddScriptSrc()
        .Self()
        .WithNonce()
        .OverHttps();
    builder.AddBaseUri().Self().OverHttps();
    builder.AddFrameAncestors().Self().OverHttps();
    builder.AddWorkerSrc().Self().OverHttps();
    builder.AddManifestSrc().Self().OverHttps();
});

My calendar is very basic:

$(document).ready(function () {
    // Anti-forgery token from the hidden input, sent along with the events request
    var antiForgeryToken = $('input[name = "AFTFFINNIA"]').val();
    var calendarEl = document.getElementById('calendar');
    var calendar = new FullCalendar.Calendar(calendarEl, {
        initialView: 'dayGridMonth',
        locale: 'de-CH',
        firstDay: 1,
        height: "auto",
        headerToolbar: {
            left: 'prev,next today',
            center: 'title',
            right: 'dayGridMonth,timeGridWeek,timeGridDay,listWeek'
        },
        events: {
            url: '/Kalender/Termine',
            method: 'POST',
            extraParams: {
                AFTFFINNIA: antiForgeryToken
            },
        },
    });

    calendar.render();
});

On Chrome (Windows) this works fine. However, on iOS and macOS with Safari, the calendar is not being displayed.

Error message: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (Index, line 1)

After this there’s a TypeError: null is not an object (evaluating 'i.cssRules').

I did read: FullCalendar.io’s Content Security Policy (CSP).

Anyone know why this doesn’t work on Safari?

Content-Security-Policy header:

style-src 'self' https: 'nonce-+1v9CuQxiH8qkVG0PK4Lo/D/kV0oI2jIw7Eb2xxemXY=';
script-src 'self' https: 'nonce-+1v9CuQxiH8qkVG0PK4Lo/D/kV0oI2jIw7Eb2xxemXY=';
default-src 'self';
connect-src wss://localhost:* ws://localhost:* https://localhost:* http://localhost:* 'self';
object-src 'self';
block-all-mixed-content;
img-src 'self' data: https:;
form-action 'self' https:;
font-src 'self' data: https:;
base-uri 'self' https:;
frame-ancestors 'self' https:;
worker-src 'self' https:;
manifest-src 'self' https:
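
Added example (not part of the original question, and not FullCalendar or NetEscapades code): a small JavaScript check of how a style-src policy like the one above treats an inline <style> element, depending on whether the element carries the matching nonce. The function names parseCsp and inlineStyleAllowed are this example's own, and it assumes only nonce sources, 'unsafe-inline' and the default-src fallback need to be evaluated.

```javascript
// Added example: how a CSP like the one above treats an inline <style> element.
// Handles nonce sources, 'unsafe-inline' and the default-src fallback only;
// hash matching is not implemented in this sketch.

// Parse a policy string into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated within one policy is ignored: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether an inline <style> carrying `elementNonce` ('' if none) may apply.
function inlineStyleAllowed(header, elementNonce) {
  const d = parseCsp(header);
  // Inline <style> is governed by style-src-elem, then style-src, then default-src.
  const sources = d.get('style-src-elem') ?? d.get('style-src') ?? d.get('default-src');
  if (sources === undefined) return { allowed: true, reason: 'no governing directive' };
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice(7, -1)); // strip 'nonce- and the closing quote
  const hasHash = sources.some((s) => /^'sha(256|384|512)-.+'$/i.test(s));
  if (elementNonce && nonces.includes(elementNonce)) {
    return { allowed: true, reason: 'nonce matches' };
  }
  // 'unsafe-inline' is ignored as soon as the list contains a nonce or a hash.
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (unsafeInline && nonces.length === 0 && !hasHash) {
    return { allowed: true, reason: "'unsafe-inline' in effect" };
  }
  // 'self' and scheme sources such as https: never authorise inline content.
  return { allowed: false, reason: elementNonce ? 'nonce mismatch' : 'element has no nonce' };
}

// Directives copied from the header in the question (shortened to the relevant ones).
const NONCE = '+1v9CuQxiH8qkVG0PK4Lo/D/kV0oI2jIw7Eb2xxemXY=';
const HEADER = `style-src 'self' https: 'nonce-${NONCE}'; ` +
  `script-src 'self' https: 'nonce-${NONCE}'; default-src 'self'`;

console.log(inlineStyleAllowed(HEADER, NONCE)); // <style nonce="..."> rendered by the server
console.log(inlineStyleAllowed(HEADER, ''));    // <style> created at runtime without a nonce
```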
