I run a Laravel application that was not developed by me, and I'm not a developer. This Laravel app shows a user page interface where I need to put a custom live chat script.
I found the relevant Blade page where I need to put that code; the path is app/Modules/KnowledgeBase/Resources/view/layouts/page.blade.php
The script I inserted in this file never works. I'm also unable to reach a test.html file located at app/Modules/KnowledgeBase/Resources/view/layouts/, because all browser requests are redirected to the public folder, so the browser loads a not-found page.
If I put the script inside this page I get the error: "The script loading a resource to inline was blocked by page settings (“script-src”)"
I'm asking where this directive is set and how to fix it so that my script runs in page.blade.php.
The only .htaccess file I see is placed in the app folder, and its content is:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !/\.well\-known/?.*
RewriteRule (.*) public/$1 [L]
</IfModule>
There is also an .htaccess file placed in the public directory with the following code:
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
RewriteEngine On
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
I don't understand why I'm unable to see my script code loaded inside page.blade.php.
I expect to be able to run the script inside the blade.php page. I searched the web for a solution and found some meta tags to add to the page, but they never resolved it.
The script is correctly inserted in the page; it is blocked by a directive, and I don't know where it is set or how to change it to allow my script.
In app/config I found a PHP file that contains:
'csp_enabled' => env('APP_CSP_ENABLED', true),
'csp_script_src' => env('APP_CSP_SCRIPT_SRC', ''),
Maybe this is the directive that forbids my script? How do I resolve this? Setting it to false resolves the issue but maybe creates an XSS weakness. How can I allow my script while leaving this option set to true?
The solution is to consult the documentation of the app:
Then, after adding the script in the template:
<script type="text/javascript" {!! \Helper::cspNonceAttr() !!}>
// Some JS code
</script>
you need to check the page with the developer console. If you see that some scripts are blocked, it is because the script loads external scripts, so you need to whitelist the domain in the .env file, as the guide says:
APP_CSP_SCRIPT_SRC="example.org/js/script.js example.org/js/another-script.js"
Clear the app cache and everything should work.
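To see why an inline script needs the nonce attribute and an external script needs an entry in APP_CSP_SCRIPT_SRC, the following is an added example (not part of the original post and not the application's code) of a simplified model of how a browser evaluates `script-src`. The policy string, nonce value and host names are constructed placeholders; only nonce, `'self'` and host sources are modelled.

```javascript
// Added example: simplified model of script-src matching (nonce, 'self' and host sources only).
function parseScriptSrc(headerValue) {
  for (const directive of headerValue.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return null; // no script-src directive (default-src fallback is not modelled)
}

function inlineAllowed(sources, nonceAttr) {
  if (sources === null) return true;
  // 'unsafe-inline' is ignored by browsers once a nonce or hash source is present.
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  return Boolean(nonceAttr) && sources.includes(`'nonce-${nonceAttr}'`);
}

function externalAllowed(sources, scriptUrl, pageUrl) {
  if (sources === null) return true;
  const url = new URL(scriptUrl), page = new URL(pageUrl);
  return sources.some(src => {
    if (src === "'self'") return url.origin === page.origin;
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:']+)(?::(\d+))?(\/.*)?$/i.exec(src);
    if (!m) return false; // keywords, nonces and scheme-only sources never match a URL here
    const [, scheme, host, port, path] = m;
    // A source without a scheme uses the page's scheme; https is also accepted as an upgrade.
    const schemeOk = scheme ? url.protocol === scheme.toLowerCase() + ":"
                            : url.protocol === page.protocol || url.protocol === "https:";
    const hostOk = url.hostname === host.toLowerCase();
    const portOk = port ? (url.port || (url.protocol === "https:" ? "443" : "80")) === port
                        : url.port === "";
    // A path ending in "/" is a prefix match; any other path must match exactly.
    const pathOk = !path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
    return schemeOk && hostOk && portOk && pathOk;
  });
}

// Constructed policy and page URL; the nonce value and host names are placeholders.
const policy = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' example.org/js/script.js";
const sources = parseScriptSrc(policy);
const page = "https://helpdesk.example/kb";
console.log(inlineAllowed(sources, undefined)); // inline <script> without a nonce
console.log(inlineAllowed(sources, "r4nd0m"));  // inline <script> carrying the nonce
console.log(externalAllowed(sources, "https://example.org/js/script.js", page));
console.log(externalAllowed(sources, "https://example.org/js/widget.js", page));
```

An entry that includes a full path, like the ones in the `.env` line above, allows only that exact file; any other script the chat widget pulls from the same host needs its own entry or a broader source.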