Welcome to our new forum
All users of the legacy CODESYS Forums, please create a new account at account.codesys.com. But make sure to use the same E-Mail address as in the old Forum. Then your posts will be matched.
Close
is there anyone who knows how to change the CSP-Settings inn the generateted HTML5 code for the controls?
By default CSP for object-scr is 'none' and font-src is not set, i would like to chnage it to:
have You found a solution for this? I might have one, but only for home use! I am sure, it cannot be done by setting something in Codesys. Which is really sad, CSP is too restrictive for HTML5 components.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
as the documentaion (https://content.helpme-codesys.com/en/CODESYS%20Visualization/_visu_security_notes_html5.html) says, i change the config file (/PLCLogic/visu/webvisu.cfg.json) to:
"ContentSecurityPolicyIncludeTrustedOrigins" : "http://localhost:8080 https://raw.githubusercontent.com/LearnWebCode/json-example/master/"or just"ContentSecurityPolicyIncludeTrustedOrigins" : "*" (to allow any sources - i don't recommend that)
According to font-src, if font-src directive is absent, the user agent will look for the default-src directive. So "*" or "http://example.com/font/" or 'self' http://localhost:8080/ should be good enough. Try this firts, please, i haven't
According to object-src, it is recommended to restrict this fetch-directive (e.g. explicitly set object-src 'none' if possible). There must be a good reason why this value is set to 'none'.
The "home use" or just only for education purposes (my case), you could edit webvisu.js in visu directory of your PLC.
You find in this file "default-src {0}; object-src 'none'; script-src {0}; img-src {1}; style-src {2}; style-src-elem {2}; base-uri 'none';"
The html iFrame and its CSP is generated by this webvisu.js:
{0} is replaced with "'nonce-xxxxx' 'unsafe-inline' and content string in ContentSecurityPolicyIncludeTrustedOrigins (CSPITO).
{1} is replaced with 'self' http://localhost:8080 (in win-plc), CSPITO and data:
{2} is replaced with 'nonce-xxxxxx' 'unsafe-inline' CSPITO and data:
So you could change object-src 'none' to object-src {0} or {1} or {2} or whatever-you-want, save the file and try the behavior.
Login with download rewrites webvisu.js and webvisu.cfg.json. To avoid that, just rename Name of .htm file in Codesys (Visualization manager -> WebVisu) for example 'webvisu1.htm'. Also rename "upgraded" webvisu.js to webvisu_.js and change this in the generated webvisu.htm file as well ( <script language="javascript" src="webvisu_.js"></script>). Then call http://..../8080/webvisu.htm in a browser.
Next Login with download generates webvisu1.js and webvisu1.cfg.json Your upgraded files will remain unaffected.
If you also had a problem with Access-Control-Allow-Origin' error message in a browser, it's because the html iFrame is sandboxed. sandbox="allow-scripts". Well, if you add allow-same-origin you get rid of this message.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hello togheter,
is there anyone who knows how to change the CSP-Settings inn the generateted HTML5 code for the controls?
By default CSP for object-scr is 'none' and font-src is not set, i would like to chnage it to:
object-scr 'self' http://localhost:8080 data:; font-scr 'self' http://localhost:8080;Hello,
have You found a solution for this? I might have one, but only for home use! I am sure, it cannot be done by setting something in Codesys. Which is really sad, CSP is too restrictive for HTML5 components.
Hello dasis,
as the documentaion (https://content.helpme-codesys.com/en/CODESYS%20Visualization/_visu_security_notes_html5.html) says, i change the config file (/PLCLogic/visu/webvisu.cfg.json) to:
but this puts out a damaged CSP-Line:
Also, changes in the webvisu.cfg.json do not overwrite any values, only new ones are added but not i a workable way.
Therefore I think a change of
object-src 'none'is currently not possible. What is your solution for "homen use"?
Hello hx05,
"ContentSecurityPolicyIncludeTrustedOrigins" : "font-scr 'self' http://localhost:8080"is definitely wrong.
You should use
According to font-src, if font-src directive is absent, the user agent will look for the default-src directive. So "*" or "http://example.com/font/" or 'self' http://localhost:8080/ should be good enough. Try this firts, please, i haven't
According to object-src, it is recommended to restrict this fetch-directive (e.g. explicitly set object-src 'none' if possible). There must be a good reason why this value is set to 'none'.
The "home use" or just only for education purposes (my case), you could edit webvisu.js in visu directory of your PLC.
You find in this file "default-src {0}; object-src 'none'; script-src {0}; img-src {1}; style-src {2}; style-src-elem {2}; base-uri 'none';"
The html iFrame and its CSP is generated by this webvisu.js:
{0} is replaced with "'nonce-xxxxx' 'unsafe-inline' and content string in ContentSecurityPolicyIncludeTrustedOrigins (CSPITO).
{1} is replaced with 'self' http://localhost:8080 (in win-plc), CSPITO and data:
{2} is replaced with 'nonce-xxxxxx' 'unsafe-inline' CSPITO and data:
More about nonce here
So you could change object-src 'none' to object-src {0} or {1} or {2} or whatever-you-want, save the file and try the behavior.
Login with download rewrites webvisu.js and webvisu.cfg.json. To avoid that, just rename Name of .htm file in Codesys (Visualization manager -> WebVisu) for example 'webvisu1.htm'. Also rename "upgraded" webvisu.js to webvisu_.js and change this in the generated webvisu.htm file as well ( <script language="javascript" src="webvisu_.js"></script>). Then call http://..../8080/webvisu.htm in a browser.
Next Login with download generates webvisu1.js and webvisu1.cfg.json Your upgraded files will remain unaffected.
If you also had a problem with Access-Control-Allow-Origin' error message in a browser, it's because the html iFrame is sandboxed. sandbox="allow-scripts". Well, if you add allow-same-origin you get rid of this message.
Just a warning. Changing the generated csp and attributes on the iframe may allow bad people to run a DOS on your PLC causing a crash or loss of data.
All these settings have been chosen to protect the user.
Last edit: m.prestel 2022-11-02