website security and Pano2vr's html template
Has anyone here implemented a "Content Security Policy" - https://en.wikipedia.org/wiki/Content_Security_Policy on their panorama website? CSP does not like inline javascript or inline style (both are present in the Pano2vr html template) and I am curious how people have dealt with this.
- Hopki
- Gnome
- Posts: 13029
- Joined: Thu Jan 10, 2008 3:16 pm
- Location: Layer de la Haye, Essex UK
Hi Carol,
Sorry I have not played with this, don't know if anyone else has.
Regards,
Hopki
Garden Gnome Support
If you send an e-mail to support please send a link to the forum post for reference.
support@ggnome.com
https://ggnome.com/wiki/documentation/
- 360Texas
- Moderator
- Posts: 3684
- Joined: Sat Sep 09, 2006 6:06 pm
- Location: Fort Worth, Texas USA
Similar maybe off topic:
Our website host made it easy to convert our http:// site to an https:// safe site.
When I converted I lost the ability to use a script that calls an external Easy_Rotator .js file from another site. It's an image slider/fader function. Rather than slide it fades to replace the previous image. It's also a responsive design.
Code:
<script type="text/javascript" src="http://c520866.r66.cf2.rackcdn.com/1/js/easy_rotator.min.js"></script>
So I changed it back to a NOT safe site until I can find a replacement code set that is internal to the site and not dependent on downloading from an external site.
Just a thought
If the webhost's http>https conversion does not allow offsite scripts, why don't you put the easy rotator script file on your own server? It is probably a good idea to not allow off-site scripts anyhow.
- 360Texas
- Moderator
- Posts: 3684
- Joined: Sat Sep 09, 2006 6:06 pm
- Location: Fort Worth, Texas USA
True. Then I would re-write the script line to point to the easy_rotator.min.js file in my /js file on my iPower.com Host server. Then I could change http: > https:
This would resolve my Website Security issue. Which is the only one I have at the moment.
I am not sure... inline javascript or inline style (both are present in the Pano2vr html template) is calling external files
-
- Posts: 5
- Joined: Wed Jul 14, 2021 3:01 pm
Hi Carel, a customer of mine also deploys Content Security Policy on their server. As a result, the tour is blocked. Have you found a solution?
It is rather cumbersome and I have not done it on my own website yet, but what needs to be done is first take out the inline javascript (from the html page) and put it in its own file in the same folder as where the pano resides and make sure that the other js files (pano2vr_player.js and skin.js) are on your own server. On my own website I use a lot of different skins, so the skin.js I have in the same folder as the pano. You then call those three js files in the html. With a code editor like Notepad++ (Windows only) or Atom (Windows, Mac, and Linux) you could write a little routine to automate the process of extracting the inline js. I just have not done that yet. If the inline js is a problem for many pano2vr users, maybe the coding gnomes at pano2vr can externalize that 3 line inline js when the pano is created in the Pano2VR app. Maybe the same needs to be done with the inline stylesheet.
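The externalisation described in the post above, as an added example (not part of the original thread and not Garden Gnome code): a small Python routine that moves each inline `<script>` and `<style>` block into its own file at the same position in the page and reports inline attributes that remain. The sample page, the `startTour` call and the `inline-N` file names are constructed for illustration.

```python
import re

# Constructed sample page; it is NOT the real Pano2VR template.
SAMPLE = """<!DOCTYPE html>
<html><head>
<style>html, body { height: 100%; margin: 0; }</style>
<script src="pano2vr_player.js"></script>
<script src="skin.js"></script>
</head><body>
<div id="container" style="width:100%;height:100%"></div>
<script type="text/javascript">
  var tour = startTour("container");  // hypothetical start-up call
  tour.load("pano.xml");
</script>
</body></html>"""

# <script> without a src attribute, and any <style> element, are inline code.
INLINE_SCRIPT = re.compile(
    r"<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script\s*>", re.I | re.S)
INLINE_STYLE = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.I | re.S)
# on*= handlers and style= attributes are blocked by the same policy.
LEFTOVER = re.compile(r"<[^>]+\s(on\w+|style)\s*=", re.I)

def _mover(files, stem, ext, tag):
    def repl(match):
        body = match.group(1).strip()
        if not body:                       # empty element, nothing to move
            return match.group(0)
        name = f"{stem}-{len(files) + 1}.{ext}"
        files[name] = body + "\n"
        return tag.format(name)            # same position, so load order is kept
    return repl

def externalize(html, stem="inline"):
    """Return (rewritten_html, {filename: content}, leftover_attribute_names)."""
    files = {}
    html = INLINE_SCRIPT.sub(
        _mover(files, stem, "js", '<script src="{}"></script>'), html)
    html = INLINE_STYLE.sub(
        _mover(files, stem, "css", '<link rel="stylesheet" href="{}">'), html)
    leftovers = sorted({m.group(1).lower() for m in LEFTOVER.finditer(html)})
    return html, files, leftovers

if __name__ == "__main__":
    page, files, leftovers = externalize(SAMPLE)
    print(page)
    for name, content in files.items():
        print(f"--- {name} ---\n{content}", end="")
    print("still inline (attributes):", leftovers)
```

With the extracted files written next to the page, a policy such as `script-src 'self'; style-src 'self'` no longer needs `'unsafe-inline'` for these blocks. Serving it first as `Content-Security-Policy-Report-Only` shows what else the tour loads before anything is blocked.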
- Hopki
- Gnome
- Posts: 13029
- Joined: Thu Jan 10, 2008 3:16 pm
- Location: Layer de la Haye, Essex UK
Hi Carel,
Passing this on to the team.
Regards,
Garden Gnome Support
If you send an e-mail to support please send a link to the forum post for reference.
support@ggnome.com
https://ggnome.com/wiki/documentation/
-
- Posts: 5
- Joined: Wed Jul 14, 2021 3:01 pm
Thank you for the explanation! I have researched in the meantime and sent the developer of the customer these links describing how to customize the CSP:
https://content-security-policy.com/exa ... ne-script/
https://developer.mozilla.org/en-US/doc ... script-src
Fortunately that worked, but not every customer has a developer. So the suggested solution on the part of the software would of course be more customer friendly.
Checking in to see if the issue with Pano2VR html projects no longer working when Content Security Policy (CSP) is enabled has been resolved. Has a fix been implemented in Pano2VR?
I have some Pano2VR projects from over a year ago on a web server and the cyber security team enabled CSP on the server. Now the projects don't work. Can it be fixed by re-exporting the projects from the current version of Pano2VR?
Hopki, what does product support say?
Thanks for the insights.