google-chromeflaskfirefoxcontent-security-policymobile-browser

Flask App Displays on Desktop Browsers, but Not in Android Mobile Browsers Due To Content Security Policy


I have a very simple flask 2.x app running on my local network through Apache 2.4.41 that displays in a desktop browser (Chrome 108.0.5359.98 and Firefox 107.0) using the address 192.168.25.15. I am also able to access the site using the Flask web server/debugger in a desktop browser. I then tried to access the site on my Android browser (Chrome 108.0.5359.79 and Firefox 107.2.0) and all I get is a Google search page or a ERR_CONNECTION_TIMED_OUT.

I was able to get the USB debugging working on Firefox, and accessing the website times out with this error:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).

If I am interpreting the error messages correctly, the error is occurring at line 77, which has this code:

<input type="checkbox" value="remember-me"> Remember me

The page is a login page.

Here is the full page:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="description" content="">
    <meta name="author" content="Mark Otto, Jacob Thornton, and Bootstrap contributors">
    <meta name="generator" content="Hugo 0.88.1">
    <meta http-equiv="Content-Security-Policy" content="default-src 'self';  child-src 'none';" />
    <title>Rocket Launcher Signin</title>      

    <!-- Bootstrap core CSS -->
<link rel="stylesheet" href="{{ url_for('static', filename='bootstrap.css') }}">

    <!-- Favicons -->
<link rel="shortcut icon" href="{{ url_for('static', filename='favicon.ico', type='image/x-icon') }}" />
    
    <!-- Custom styles for this template -->
    <link rel="stylesheet" href="{{ url_for('static', filename='signin.css') }}">
  </head>
  <body class="text-center">
    
<main class="form-signin">
  <form method="post" action="{{ url_for('auth.login') }}">
    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
    <a href="{{ url_for('auth.login') }}"><img class="mb-4" src="{{url_for('static', filename='logo.png')}}" alt="" width="60"></a>
    <h1 class="h3 mb-3 fw-normal">Please sign in</h1>


      {% for message in get_flashed_messages() %}
        <div class="flash text-danger fw-bold">{{ message }}</div>
      {% endfor %}

    <div class="form-floating">
      <input name='username' type="text" class="form-control" id="floatingInput" placeholder='joe'>
      <label for="floatingInput">User name</label>
    </div>
    <div class="form-floating">
      <input type="password" class="form-control" id="floatingPassword" placeholder="Password" name='password'>
      <label for="floatingPassword">Password</label>
    </div>

    <div class="checkbox mb-3">
      <label>
        <input type="checkbox" value="remember-me"> Remember me
      </label>
    </div>
    <button class="w-100 btn btn-lg btn-primary" type="submit">Sign in</button>
    <p class="mt-5 mb-3 text-muted">&copy; {{ copyright_years }} Phillips Marketing, Inc. All rights reserved.</p>
  </form>
</main>
  </body>
</html>
 

I also tried removing the line

<meta http-equiv="Content-Security-Policy" content="default-src 'self';  child-src 'none';" />

and it made no difference.

For my application, do I really need a Content Security Policy? The site will be running in Apache on a Pi Zero acting as a WiFi AP in the middle of a large field where we launch rockets. The only user will be me - the web site is used to control a rocket launcher 25 feet away.

Any ideas on how to access the site on my Android browsers?


Solution

  • Not sure this is the best answer, but I was able to load my web site on a mobile browser when I changed the Flask setting SESSION_COOKIE_SECURE from True to False. The documentation for Flask 2.2.x says that SESSION_COOKIE_SECURE=True limits cookies to only HTTPS traffic. Since my site does not use HTTPS, I guess the CSRF cookie was not being transmitted and the site loading timed out?