website security and Pano2vr's html template

Carel
Posts: 178
Joined: Tue Sep 12, 2006 5:59 am
Location: Pasadena, CA USA

Has anyone here implemented a "Content Security Policy" - https://en.wikipedia.org/wiki/Content_Security_Policy on their panorama website? CSP does not like inline javascript or inline style (both are present in the Pano2vr html template) and I am curious how people have dealt with this.
Hopki
Gnome
Posts: 13005
Joined: Thu Jan 10, 2008 3:16 pm
Location: Layer de la Haye, Essex UK

Hi Carel,
Sorry I have not played with this, don't know if anyone else has.
Regards,
Hopki
Garden Gnome Support
If you send an e-mail to support please send a link to the forum post for reference.
support@ggnome.com
https://ggnome.com/wiki/documentation/
360Texas
Moderator
Posts: 3684
Joined: Sat Sep 09, 2006 6:06 pm
Location: Fort Worth, Texas USA

Similar maybe off topic:
Our website host made it easy to convert our http:// site to an https:// safe site.

When I converted I lost the ability to use a script that calls an external Easy_Rotator .js file from another site. It's an image slider/fader function. Rather than slide, it fades to replace the previous image. It's also a responsive design.

<script type="text/javascript" src="http://c520866.r66.cf2.rackcdn.com/1/js/easy_rotator.min.js"></script>
So I changed it back to a NOT safe site until I can find a replacement code set that is internal to the site and not dependent on downloading from an external site.

Just a thought
Dave
Pano2VR Forum Global Moderator
Visit 360texas.com
Carel
Posts: 178
Joined: Tue Sep 12, 2006 5:59 am
Location: Pasadena, CA USA

If the webhost's http>https conversion does not allow offsite scripts, why don't you put the easy rotator script file on your own server? It is probably a good idea to not allow off-site scripts anyhow.
360Texas
Moderator
Posts: 3684
Joined: Sat Sep 09, 2006 6:06 pm
Location: Fort Worth, Texas USA

True. Then I would re-write the script line to point to the easy_rotator.min.js file in my /js file on my iPower.com Host server. Then I could change http: > https:

This would resolve my Website Security issue. Which is the only one I have at the moment.

I am not sure... inline javascript or inline style (both are present in the Pano2vr html template) is calling external files
Dave
Saatenbrot
Posts: 5
Joined: Wed Jul 14, 2021 3:01 pm

Hi Carel, a customer of mine also deploys Content Security Policy on their server. As a result, the tour is blocked. Have you found a solution?
Carel
Posts: 178
Joined: Tue Sep 12, 2006 5:59 am
Location: Pasadena, CA USA

It is rather cumbersome and I have not done it on my own website yet, but what needs to be done is first take out the inline JavaScript (from the HTML page) and put it in its own file in the same folder as where the pano resides and make sure that the other JS files (pano2vr_player.js and skin.js) are on your own server. On my own website I use a lot of different skins, so the skin.js I have in the same folder as the pano. You then call those three JS files in the HTML. With a code editor like Notepad++ (Windows only) or Atom (Windows, Mac, and Linux) you could write a little routine to automate the process of extracting the inline JS. I just have not done that yet. If the inline JS is a problem for many Pano2VR users, maybe the coding gnomes at Pano2VR can externalize that 3-line inline JS when the pano is created in the Pano2VR app. Maybe the same needs to be done with the inline stylesheet.
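
The extraction routine described in the post above, as an added example that is not part of the original post and is not Pano2VR code. It assumes a simple exported page that a regular expression can scan; the sample page, the `initTour()` call and the `tour-N` file names are constructed for illustration.

```javascript
// Added example, not Pano2VR code. The sample page is constructed; initTour()
// is a hypothetical stand-in for the template's real start-up lines.
const SAMPLE_PAGE = `<html><head>
<style>html, body { height: 100%; margin: 0; }</style>
<script type="text/javascript" src="pano2vr_player.js"></script>
<script type="text/javascript" src="skin.js"></script>
</head><body>
<div id="container" style="width:100%"></div>
<script type="text/javascript">
  initTour("container");
</script>
</body></html>`;

// Move inline <script> and <style> blocks into files named <baseName>-N.js/.css
// and return the rewritten HTML plus the file contents to write beside it.
function externalizeInline(html, baseName = 'inline') {
  const files = {};
  let jsCount = 0;
  let cssCount = 0;

  let out = html.replace(
    /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi,
    (whole, attrs, body) => {
      // Scripts that already load from a file are left untouched.
      if (/\bsrc\s*=/i.test(attrs) || body.trim() === '') return whole;
      const name = `${baseName}-${++jsCount}.js`;
      files[name] = body.trim() + '\n';
      return `<script${attrs} src="${name}"></script>`;
    }
  );

  out = out.replace(/<style\b[^>]*>([\s\S]*?)<\/style\s*>/gi, (whole, body) => {
    const name = `${baseName}-${++cssCount}.css`;
    files[name] = body.trim() + '\n';
    return `<link rel="stylesheet" href="${name}">`;
  });

  // style="..." and on*="..." attributes also count as inline under CSP;
  // count what is left so it can be moved by hand.
  const remaining = (out.match(/\s(?:style|on[a-z]+)\s*=\s*["']/gi) || []).length;
  return { html: out, files, remaining };
}

const result = externalizeInline(SAMPLE_PAGE, 'tour');
console.log(Object.keys(result.files), 'inline attributes left:', result.remaining);
```

The replacement tag stays at the position of the original inline block, so the scripts still execute in the same order. A non-zero `remaining` count means the page still carries inline `style` or event-handler attributes that a strict policy will block.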
Hopki
Gnome
Posts: 13005
Joined: Thu Jan 10, 2008 3:16 pm
Location: Layer de la Haye, Essex UK

Hi Carel,
Passing this on to the team.
Regards,
Garden Gnome Support
Saatenbrot
Posts: 5
Joined: Wed Jul 14, 2021 3:01 pm

Thank you for the explanation! I have researched in the meantime and sent the customer's developer these links describing how to customize the CSP:
https://content-security-policy.com/exa ... ne-script/
https://developer.mozilla.org/en-US/doc ... script-src

Fortunately that worked, but not every customer has a developer. So the suggested solution on the part of the software would of course be more customer friendly.
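
One way a policy can be customized to admit a specific inline script without `'unsafe-inline'` is a hash source in `script-src`. The following is an added example, not taken from the post or the linked pages; the sample page and the `initTour()` call are constructed.

```javascript
const { createHash } = require('crypto');

// Constructed sample page; initTour() is a hypothetical start-up call.
const PAGE = `<html><body>
<script src="pano2vr_player.js"></script>
<script>initTour("container");</script>
</body></html>`;

// Weak fix: "script-src 'self' 'unsafe-inline'" re-allows every inline
// script, including one an attacker manages to inject into the page.

// CSP hash source for one inline script: base64 SHA-256 of the exact text
// between <script> and </script>, whitespace included.
function cspHash(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Hash every inline (src-less, non-empty) script found in the page.
function inlineScriptHashes(html) {
  const hashes = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (/\bsrc\s*=/i.test(attrs) || body === '') continue;
    hashes.push(cspHash(body));
  }
  return [...new Set(hashes)];
}

// Stronger fix: allow same-origin files plus only the listed inline scripts.
function buildPolicy(html) {
  return `script-src ${["'self'", ...inlineScriptHashes(html)].join(' ')}`;
}

console.log(buildPolicy(PAGE));
```

A hash matches one exact script text, so any re-export that changes the inline block needs a new hash in the server's policy. Inline styles are governed separately by `style-src`.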
chedbeEMA
Posts: 1
Joined: Thu Apr 07, 2022 7:19 pm

Checking in to see if the issue with Pano2VR html projects no longer working when Content Security Policy (CSP) has been resolved. Has a fix been implemented in Pano2VR?

I have some Pano2VR projects from over a year ago on a web server and the cyber security team enabled CSP on the server. Now the projects don't work. Can it be fixed by re-exporting the projects from the current version of Pano2VR?

Hopki, what does product support say?

Thanks for the insights.