Updated by Oliver Günther over 1 year ago
**Reproduction steps**
* Go to <your instance>/foobar
* See the error message
**Expected behavior**
* Message is styled correctly
**Actual behavior**
* No background in flash message
* JS errors in console (see below)
* <img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/191232/content">
# AppSignal incidents:
https://appsignal.com/openproject-gmbh/sites/66b224a4d30d867bed8a1772/exceptions/incidents/205
## [Sample 1](https://appsignal.com/openproject-gmbh/sites/66b224a4d30d867bed8a1772/exceptions/incidents/205/samples/66b224a4d30d867bed8a1772-1517885735781531756717254578001)
**Message**
```text
Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
Caused by: ActionController::RoutingError
No route matches [GET] "/assets/frontend/main.abaefd5cd8238bb7.js"
```
**Backtrace (last 10 lines)**
```text
lib/action_controller/metal/request_forgery_protection.rb:415 verify_same_origin_request
lib/active_support/callbacks.rb:403 block in make_lambda
lib/active_support/callbacks.rb:250 block in halting
lib/active_support/callbacks.rb:602 block in invoke_after
lib/active_support/callbacks.rb:602 each
lib/active_support/callbacks.rb:602 invoke_after
lib/active_support/callbacks.rb:135 block in run_callbacks
lib/turbo-rails.rb:24 with_request_id
app/controllers/concerns/turbo/request_id_tracking.rb:10 turbo_tracking_request_id
lib/active_support/callbacks.rb:130 block in run_callbacks
lib/action_text/rendering.rb:23 with_renderer
lib/action_text/engine.rb:69 block (4 levels) in <class:Engine>
lib/active_support/callbacks.rb:130 instance_exec
lib/active_support/callbacks.rb:130 block in run_callbacks
lib/active_support/callbacks.rb:141 run_callbacks
lib/abstract_controller/callbacks.rb:258 process_action
lib/action_controller/metal/rescue.rb:25 process_action
lib/action_controller/metal/instrumentation.rb:74 block in process_action
lib/appsignal/hooks/active_support_notifications.rb:19 block in instrument
lib/active_support/notifications/instrumenter.rb:58 instrument
lib/appsignal/hooks/active_support_notifications.rb:18 instrument
lib/action_controller/metal/instrumentation.rb:73 process_action
lib/action_controller/metal/params_wrapper.rb:261 process_action
lib/active_record/railties/controller_runtime.rb:32 process_action
lib/abstract_controller/base.rb:160 process
lib/action_view/rendering.rb:40 process
lib/action_controller/metal.rb:227 dispatch
lib/action_controller/metal.rb:309 dispatch
lib/action_dispatch/routing/route_set.rb:49 dispatch
lib/action_dispatch/routing/route_set.rb:32 serve
lib/action_dispatch/journey/router.rb:51 block in serve
lib/action_dispatch/journey/router.rb:131 block in find_routes
lib/action_dispatch/journey/router.rb:124 each
lib/action_dispatch/journey/router.rb:124 find_routes
lib/action_dispatch/journey/router.rb:32 serve
lib/action_dispatch/routing/route_set.rb:882 call
lib/action_dispatch/middleware/show_exceptions.rb:54 render_exception
lib/action_dispatch/middleware/show_exceptions.rb:40 rescue in call
lib/action_dispatch/middleware/show_exceptions.rb:30 call
lib/rack/cors.rb:102 call
lib/lograge/rails_ext/rack/logger.rb:18 call_app
lib/rails/rack/logger.rb:24 block in call
lib/active_support/tagged_logging.rb:139 block in tagged
lib/active_support/tagged_logging.rb:39 tagged
lib/active_support/tagged_logging.rb:139 tagged
lib/active_support/broadcast_logger.rb:241 method_missing
lib/rails/rack/logger.rb:24 call
vendor/plugins/openproject-multitenancy/lib/multitenancy/elevators/mapped_domain_elevator.rb:106 block in call_tenant
lib/apartment/adapters/abstract_adapter.rb:85 switch
/usr/local/lib/ruby/3.3.0/forwardable.rb:240 switch
vendor/plugins/openproject-multitenancy/lib/multitenancy/elevators/mapped_domain_elevator.rb:103 call_tenant
vendor/plugins/openproject-multitenancy/lib/multitenancy/elevators/mapped_domain_elevator.rb:69 try_tenant
vendor/plugins/openproject-multitenancy/lib/multitenancy/elevators/mapped_domain_elevator.rb:39 call
lib/sprockets/rails/quiet_assets.rb:15 block in call
lib/active_support/logger_silence.rb:18 block in silence
lib/active_support/logger_thread_safe_level.rb:45 log_at
lib/active_support/logger_silence.rb:18 silence
lib/sprockets/rails/quiet_assets.rb:15 call
lib/action_dispatch/middleware/remote_ip.rb:92 call
lib/request_store/middleware.rb:19 call
lib/action_dispatch/middleware/request_id.rb:28 call
lib/rack/method_override.rb:24 call
lib/rack/runtime.rb:22 call
lib/rack/timeout/core.rb:154 block in call
lib/rack/timeout/support/timeout.rb:19 timeout
lib/rack/timeout/core.rb:153 call
lib/active_support/cache/strategy/local_cache_middleware.rb:29 call
lib/action_dispatch/middleware/executor.rb:14 call
lib/action_dispatch/middleware/static.rb:25 call
lib/rack/sendfile.rb:110 call
lib/action_dispatch/middleware/ssl.rb:79 call
lib/secure_headers/middleware.rb:11 call
lib/rails/engine.rb:536 call
lib/rack/protection/frame_options.rb:33 call
lib/rack/protection/json_csrf.rb:28 call
lib/rack/urlmap.rb:74 block in call
lib/rack/urlmap.rb:58 each
lib/rack/urlmap.rb:58 call
lib/puma/configuration.rb:272 call
lib/puma/request.rb:100 block in handle_request
lib/puma/thread_pool.rb:378 with_force_shutdown
lib/puma/request.rb:99 handle_request
lib/puma/server.rb:464 process_client
lib/puma/server.rb:245 block in run
lib/puma/thread_pool.rb:155 block in spawn_thread
```
### Additional notes:
This is probably related to recent changes to the CSP policy in the OP application. If you open a not-found route, you'll see that JavaScript cannot be loaded:
<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/190599/content">
In an old version of OP (DeutscheBahn stage), the issue is absent. DB stage:
<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/190600/content">