website security and Pano2vr's html template

Posted: Sun Sep 02, 2018 1:57 am
by Carel
Has anyone here implemented a "Content Security Policy" - https://en.wikipedia.org/wiki/Content_Security_Policy on their panorama website? CSP does not like inline javascript or inline style (both are present in the Pano2vr html template) and I am curious how people have dealt with this.

Re: website security and Pano2vr's html template

Posted: Mon Sep 10, 2018 8:21 pm
by Hopki
Hi Carel,
Sorry I have not played with this, don't know if anyone else has.
Regards,
Hopki

Re: website security and Pano2vr's html template

Posted: Tue Sep 11, 2018 5:04 pm
by 360Texas
Similar maybe off topic:
Our website host made it easy to convert our http:// site to a https:// safe site.

When I converted I lost the ability to use a script that calls an external Easy_Rotator .js file from another site. It's an image slider/fader function. Rather than slide it fades to replace the previous image. It's also a responsive design.

Code:
<script type="text/javascript" src="http://c520866.r66.cf2.rackcdn.com/1/js/easy_rotator.min.js"></script>
So I changed it back to a NOT safe site until I can find a replacement code set that is internal to the site and not dependent on downloading from an external site.

Just a thought

Re: website security and Pano2vr's html template

Posted: Tue Sep 11, 2018 7:41 pm
by Carel
If the webhost's http>https conversion does not allow offsite scripts, why don't you put the easy rotator script file on your own server? It is probably a good idea to not allow off-site scripts anyhow.

Re: website security and Pano2vr's html template

Posted: Tue Sep 11, 2018 8:37 pm
by 360Texas
True. Then I would re-write the script line to point to the easy_rotator.min.js file in my /js file on my iPower.com Host server. Then I could change http: > https:

This would resolve my Website Security issue. Which is the only one I have at the moment.

I am not sure... inline javascript or inline style (both are present in the Pano2vr html template) is calling external files

Re: website security and Pano2vr's html template

Posted: Tue Aug 03, 2021 1:04 pm
by Saatenbrot
Hi Carel, a customer of mine also deploys Content Security Policy on their server. As a result, the tour is blocked. Have you found a solution?

Re: website security and Pano2vr's html template

Posted: Tue Aug 03, 2021 9:16 pm
by Carel
It is rather cumbersome and I have not done it on my own website yet, but what needs to be done is first take out the inline javascript (from the html page) and put it in its own file in the same folder as where the pano resides and make sure that the other js files (pano2vr_player.js and skin.js) are on your own server. On my own website I use a lot of different skins, so the skin.js I have in the same folder as the pano. You then call those three js files in the html. With a code editor like notepad++ (windows only) or Atom (windows, Mac, and Linux) you could write a little routine to automate the process of extracting the inline js. I just have not done that yet. If the inline js is a problem for many pano2vr users, maybe the coding gnomes at pano2vr can externalize that 3 line inline js when the pano is created in the Pano2VR app. Maybe the same needs to be done with the inline stylesheet.
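
A sketch of the "little routine" described in the post above, as an added example that is not part of the original post and not Pano2VR's own code. It goes slightly further than the post by also moving inline `<style>` blocks and reporting the inline attributes a strict policy would still block. The function name `externalize`, the output names `inline-N.js` / `inline-N.css` and the sample page are assumptions constructed for illustration.

```python
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.I | re.S)
TYPE_RE = re.compile(r"(?:^|\s)type\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Constructed sample page, not the actual Pano2VR template.
SAMPLE = """<html><head>
<style>html, body { height: 100%; margin: 0; }</style>
</head><body>
<div id="container" style="width:100%;height:100%;"></div>
<script type="text/javascript" src="pano2vr_player.js"></script>
<script type="text/javascript" src="skin.js"></script>
<script type="text/javascript">
  pano = new pano2vrPlayer("container");
  skin = new pano2vrSkin(pano);
</script>
</body></html>"""


def externalize(html, prefix="inline"):
    """Return (new_html, files, leftovers); file names are hypothetical."""
    files = {}

    def save(ext, body):
        name = f"{prefix}-{sum(n.endswith(ext) for n in files) + 1}{ext}"
        files[name] = body.strip() + "\n"
        return name

    def swap_script(m):
        attrs, body = m.group(1), m.group(2)
        kind = TYPE_RE.search(attrs)
        # Leave external scripts, empty tags and non-JS data blocks untouched.
        if (re.search(r"\ssrc\s*=", attrs, re.I) or not body.strip() or
                (kind and not re.search(r"javascript|module", kind.group(1), re.I))):
            return m.group(0)
        # Replaced in place, so order relative to the other scripts is kept.
        return f'<script{attrs} src="{save(".js", body)}"></script>'

    def swap_style(m):
        if not m.group(1).strip():
            return m.group(0)
        return f'<link rel="stylesheet" href="{save(".css", m.group(1))}">'

    html = STYLE_RE.sub(swap_style, SCRIPT_RE.sub(swap_script, html))
    # on*= handlers and style= attributes are also blocked without
    # 'unsafe-inline'; report them instead of rewriting them.
    leftovers = sorted({a.lower() for tag in re.findall(r"<[a-z][^>]*>", html, re.I)
                        for a in re.findall(r"\s(on\w+|style)\s*=", tag, re.I)})
    return html, files, leftovers
```

Write each entry of `files` into the same folder as the HTML page; anything listed in `leftovers` (here the `style` attribute on the container div) still has to be moved into a stylesheet by hand before a policy without `'unsafe-inline'` will accept the page.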

Re: website security and Pano2vr's html template

Posted: Wed Aug 04, 2021 9:12 am
by Hopki
Hi Carel,
Passing this on to the team.
Regards,

Re: website security and Pano2vr's html template

Posted: Wed Aug 04, 2021 10:05 am
by Saatenbrot
Thank you for the explanation! I have researched in the meantime and sent the developer of the customer these links describing how to customize the CSP:
https://content-security-policy.com/exa ... ne-script/
https://developer.mozilla.org/en-US/doc ... script-src

Fortunately that worked, but not every customer has a developer. So the suggested solution on the part of the software would of course be more customer friendly.

Re: website security and Pano2vr's html template

Posted: Thu Apr 07, 2022 9:44 pm
by chedbeEMA
Checking in to see if the issue with Pano2VR html projects no longer working when Content Security Policy (CSP) is enabled has been resolved. Has a fix been implemented in Pano2VR?

I have some Pano2VR projects from over a year ago on a web server and the cyber security team enabled CSP on the server. Now the projects don't work. Can it be fixed by re-exporting the projects from the current version of Pano2VR?

Hopki, what does product support say?

Thanks for the insights.