Check security server

Can you produce a browser log?

How do I do that? I’m using firefox.

Don’t know what happened, but when I reloaded the page everything worked as normal again.
I’ll run the network monitor if I stumble over the issue again.

Maybe it only cached your previous configuration. I recommend you use + ; it will reload the page without using the local cache.

EDIT: I don’t know the default configuration of FF, but most browsers disable the cache when the developer panel is open.


Hotfix for mp4 file playback on SeaHub

Header always set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self'; media-src 'self';"

Works great, thanks!

Sorry if this is late, but just wanted to add to the discussion. Here’s an open source Unix security checking tool:
https://cisofy.com/lynis/

Found a lot of things to fix in my server config this way.


After updating to 6.2.3 I can’t copy or move files through the web browser anymore; it’s the same as before, it just keeps loading.
But if I comment out the line with #, it works great.

Here is my CSP, have I done anything wrong?

add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.nohatech.se/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.nohatech.se; object-src 'none'; frame-ancestors https://*.nohatech.se/; base-uri https://*.nohatech.se/ 'self'; media-src 'self';" always;

It looks good. I tried that and my copy/move works great. The only problem I found was in the PDF viewer, where there is a problem with a blob image, so I added blob: to the img-src section. Try opening the developer console and doing a copy/move operation. The browser will tell you what’s wrong.


Can you write the blob: in my line so it’s correct?
I can’t get it to work for some reason.

Here is the error from copy and move.

Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.
Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://cloud.xxx.se/a1bc7f2d-249a-466b-9a68-f717b838feba (“default-src 'none'”).

Don’t know if it helps you. Chrome tells you which directive it tried to use (img-src for example).

add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.nohatech.se/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' blob:; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; child-src https://*.nohatech.se; object-src 'none'; frame-ancestors https://*.nohatech.se/; base-uri https://*.nohatech.se/ 'self'; media-src 'self';" always;

Hello there,

I’m currently hardening my seafile server and use mozilla observatory as a benchmark. Unfortunately I’m only achieving a C+. Is anyone getting better results?
I use the CSP settings from @holantomas but those are deemed unsafe because of the use of “unsafe-inline” and ‘unsafe-eval’ in the script-src section. Is anyone aware of better/safer settings?
Additionally I am getting minus points because “Anti-CSRF tokens set without using the SameSite flag”. I added the secure flag using nginx “proxy_cookie_path” to all cookies but unfortunately that doesn’t seem to be enough. Are there any ideas how to improve my score?

It’s been a while since you wrote, but I want to push this topic again. I get B+ as the best result in Mozilla Observatory.

Additionally I am getting minus points because “Anti-CSRF tokens set without using the SameSite flag”. I added the secure flag using nginx “proxy_cookie_path” to all cookies but unfortunately that doesn’t seem to be enough. Are there any ideas how to improve my score?

You also have to set the “SameSite” flag, like it’s explained in the text of the scanner.

Here “SameSite=strict” is used; I only added “SameSite=Lax” to the headers. Don’t know if “strict” breaks Seafile.

Edit: I think it’s a new criteria on the scanner. I haven’t changed anything on my webserver but I have gotten a lower grade.

I’m also very much interested in a better CSP. Does anybody have any suggestions?


That’s funny, because if you use my settings you will get better points, but it’s a whole change. There are inline scripts, styles and sources like base64 files. So if you block them over CSP, then some parts just stop working (PDF viewer for example). My settings just add the parts the CSP validator says are missing.

For everyone:
Until the seafile developers change inline styles, JS scripts and blob sources to something safer, you have to have unsafe-inline. Ignoring these settings is just the same as having them in your settings; the only difference is the points in the validator.
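As an added example (not code from the thread or from Seafile), the following script checks a CSP header and a Set-Cookie header for exactly the findings discussed above: blob: missing from img-src (the PDF viewer symptom), the frame-src/child-src console message, the unsafe-inline/unsafe-eval penalty, and the missing Secure/HttpOnly/SameSite cookie flags. The sample headers and the example.com domain are constructed placeholders.

```python
# Added example, not Seafile's code: lint a CSP value and a Set-Cookie header
# for the specific problems raised in this thread.
from typing import Dict, List

# Word-processor quotes pasted into nginx/Apache config are not valid quoting.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Return {directive: [sources]} for one CSP header value."""
    policy: Dict[str, List[str]] = {}
    for part in value.translate(_QUOTES).strip().strip('"').split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives fall back to default-src when they are absent."""
    return policy.get(directive, policy.get("default-src", []))


def lint_csp(value: str) -> List[str]:
    """Findings that map to the symptoms reported in this thread."""
    p = parse_csp(value)
    out: List[str] = []
    if "blob:" not in effective(p, "img-src"):
        out.append("img-src: blob: missing, PDF viewer blob images get blocked")
    if "frame-src" in p and "child-src" not in p:
        out.append("frame-src: browser console reported it deprecated, add child-src")
    unsafe = [s for s in effective(p, "script-src") if s in ("'unsafe-inline'", "'unsafe-eval'")]
    if unsafe:
        out.append("script-src: " + " ".join(unsafe) + " (Observatory penalty; Seahub needs them)")
    return out


def lint_cookie(set_cookie: str) -> List[str]:
    """Flags the cookie attributes the Observatory scan complained about."""
    attrs = {a.split("=")[0].strip().lower() for a in set_cookie.split(";")[1:]}
    return [f"cookie: {flag} missing" for flag in ("secure", "httponly", "samesite") if flag not in attrs]


# Constructed inputs modelled on the thread; the domain is a placeholder.
CSP_BEFORE = ("\u201cdefault-src \u2018none\u2019; script-src https://*.example.com/ blob: \u2018self\u2019 "
              "\u2018unsafe-inline\u2019 \u2018unsafe-eval\u2019; img-src \u2018self\u2019; frame-src https://*.example.com;\u201d")
CSP_AFTER = ("\"default-src 'none'; script-src https://*.example.com/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; "
             "img-src 'self' blob:; child-src https://*.example.com;\"")
COOKIE_BEFORE = "csrftoken=abc123; Path=/"
COOKIE_AFTER = "csrftoken=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    print("before:", lint_csp(CSP_BEFORE))
    print("after:", lint_csp(CSP_AFTER))
    print("cookie:", lint_cookie(COOKIE_BEFORE), lint_cookie(COOKIE_AFTER))
```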

Devs, can we get an update on this? I can’t get past a B+ on Mozilla Observatory.

Edit: running CE 7.0.4


bump, bump

Bumpty bump …


Did somebody dig around and find some safer way for the new seafile versions to establish a CSP?

Does anyone have an Nginx config that will get Seafile 10.X at least a B on Mozilla Observatory? -Thanks