Check security server

Did you figure it out? :slight_smile:

After a lot (really a lot) of hours of googling and testing, I'm pretty sure it's a Seafile problem. There's a problem with cookies. When you set the cookie Secure flag, then in every form sent (over the API?) the CSRF token is not present. And I cannot make a workaround.

I created an issue on GitHub and a topic for this bug … see below

OK, I misunderstood what the HttpOnly cookie flag does, and it's wrongly configured. So the latest version of the Apache setup is:

        Header edit Set-Cookie ^(.*)$ $1;Secure
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        Header always set X-Content-Type-Options nosniff
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Frame-Options SAMEORIGIN
        Header always set Referrer-Policy "strict-origin"
        Header always set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self';"

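To check that a vhost really sends the headers configured above (and to catch the two things the thread warns about later: cookies without the Secure flag and an HSTS preload token that was not meant to be there), here is an added, offline checker. It is example code written for this thread, not Seafile's or Apache's code; the sample response headers are constructed to resemble what the configuration above would send, with one cookie deliberately left without flags and preload left in. The fetch_headers helper is only for running the same check against a live host.

```python
"""Report weak or missing hardening headers in an HTTP response (added example)."""
import http.client
from urllib.parse import urlsplit

# Constructed sample response: roughly what the Apache directives above produce,
# with the csrftoken cookie left without flags and 'preload' left in HSTS on purpose.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Referrer-Policy", "strict-origin"),
    ("Content-Security-Policy", "default-src 'none'; script-src 'self' blob: 'unsafe-inline'; img-src 'self'"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "csrftoken=def456; Path=/"),
]


def check_headers(headers):
    """Return a list of findings (strings) for a list of (name, value) response headers."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    def first(name):
        return by_name.get(name, [None])[0]

    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        parts = [p.strip().lower() for p in hsts.split(";")]
        max_age = next((int(p.split("=", 1)[1]) for p in parts if p.startswith("max-age=")), 0)
        if max_age < 31536000:
            findings.append(f"HSTS: max-age {max_age} is below one year")
        if "preload" in parts:
            findings.append("HSTS: 'preload' set; anyone can submit the domain to the preload list")

    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not 'nosniff'")
    if first("referrer-policy") is None:
        findings.append("Referrer-Policy: header missing")

    csp = first("content-security-policy")
    directives = {}
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # first token of each ';'-separated chunk is the directive name, the rest its sources
        directives = {t.split()[0].lower(): t.split()[1:] for t in csp.split(";") if t.split()}
        for risky in ("'unsafe-inline'", "'unsafe-eval'"):
            if risky in directives.get("script-src", []):
                findings.append(f"CSP: script-src allows {risky}")
    if first("x-frame-options") is None and "frame-ancestors" not in directives:
        findings.append("Clickjacking: neither X-Frame-Options nor CSP frame-ancestors set")

    # every Set-Cookie is checked separately; a flag that is missing is reported, the
    # operator decides whether that cookie really needs it
    for cookie in by_name.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"Cookie {name}: Secure flag missing")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name}: HttpOnly flag missing")
    return findings


def fetch_headers(url, timeout=10):
    """Fetch response headers over HTTPS for a live check (needs network; not used offline)."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout)
    conn.request("GET", u.path or "/")
    return conn.getresponse().getheaders()


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print(finding)
```

Run as-is it reports the preload token, the 'unsafe-inline' in script-src and the two missing flags on csrftoken; pass `fetch_headers("https://your.host/")` to check_headers to test a real server.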

So regarding that line, is the bug fixed in that? The old one was blocking the move option in the web GUI. I don't know if you have changed anything in that line, as I'm not at the server right now.

That was the first problem, which was solved by adding blob: to Content-Security-Policy.

But there was a second problem with CSRF. It's fixed by Header edit Set-Cookie ^(.*)$ $1;Secure; there the HttpOnly flag is removed.


I've removed the preload option from your post. It can be quite harmful.

See https://hstspreload.org/#opt-in

Sorry, I copied it from my conf. But the preload flag does nothing. It's necessary for the HSTS Preload service, but you have to submit your domain to this service (on the page you posted). So if you don't submit, this flag is unused.

In case the header is set, anyone can add your domain to the preload list.


Hi,
I still have the issue: when I open the move option in the web GUI it's just loading, the same for the copy option.
I have this in my CSP; have I done something wrong?

"default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self'

Can you produce browser log?

How do I do that? I'm using Firefox.

Don't know what happened, but when I reloaded the page everything worked as normal again.
I'll run the network monitor if I stumble over the issue again.

Maybe your previous configuration was only cached. I recommend you use + ; it will reload the page without using the local cache.

EDIT: And I don't know the default configuration of FF, but almost all browsers disable the cache when the developer panel is opened.


Hotfix for mp4 file playback on SeaHub

Header always set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self'; media-src 'self';"

Works great, thanks!

Sorry if this is late, but I just wanted to add to the discussion. Here's an open source Unix security checking tool:
https://cisofy.com/lynis/

Found a lot of things to fix in my server config this way.


After updating to 6.2.3 I can't copy or move files through the web browser anymore; it's the same as before, it just keeps loading.
But if I comment out (#) the line, it works great.

Here is my CSP, have I done anything wrong?

add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.nohatech.se/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.nohatech.se; object-src 'none'; frame-ancestors https://*.nohatech.se/; base-uri https://*.nohatech.se/ 'self'; media-src 'self';" always;

It looks good. I tried that and my copy/move works great. I only found a problem in the PDF viewer: there is a problem with blob images, so I added blob: to the img-src section. Try opening the developer console and doing a copy/move operation. The browser will tell you what's wrong.


Can you write the blob: into my line so it's correct?
I can't get it to work for some reason.

Here is the error from copy and move.

Content Security Policy: Directive 'frame-src' has been deprecated. Please use directive 'child-src' instead.
Content Security Policy: The page's settings blocked the loading of a resource at blob:https://cloud.xxx.se/a1bc7f2d-249a-466b-9a68-f717b838feba ("default-src 'none'").
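The second error above is the general mechanism behind every CSP problem in this thread: a fetch is checked against its own directive (img-src, media-src, frame-src, ...), and only when that directive is absent does the browser fall back to default-src, which here is 'none'. A scheme listed under script-src (blob:) does nothing for an image or a video, and 'self' does not cover blob: URLs, so blob: has to be listed in each directive that needs it. The following evaluator is an added example written for this thread, not Seafile's or any browser's code; it implements a simplified version of the CSP3 fallback and source-matching rules (no nonces or hashes, no ws/wss upgrade), and the policies and URLs are constructed from the thread's template with example.com as a placeholder domain.

```python
"""Which CSP directive governs a fetch, and does the policy allow the URL? (added example)"""
from urllib.parse import urlsplit

# Lookup order when the specific directive is absent (simplified CSP3 fallback lists).
FALLBACK = {
    "script-src":  ["script-src", "default-src"],
    "style-src":   ["style-src", "default-src"],
    "img-src":     ["img-src", "default-src"],
    "media-src":   ["media-src", "default-src"],
    "font-src":    ["font-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
    "object-src":  ["object-src", "default-src"],
    "frame-src":   ["frame-src", "child-src", "default-src"],
    "worker-src":  ["worker-src", "child-src", "script-src", "default-src"],
}

# Constructed policies: the thread's template with a placeholder domain, then the
# mp4 hotfix (media-src), then blob: added to img-src as suggested for the PDF viewer.
BASE_CSP = ("default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ "
            "https://*.example.com/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; "
            "font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; "
            "frame-src https://*.example.com; object-src 'none'; "
            "frame-ancestors https://*.example.com/; base-uri https://*.example.com/ 'self'")
WITH_MEDIA = BASE_CSP + "; media-src 'self'"
WITH_BLOB_IMG = WITH_MEDIA.replace("img-src 'self'", "img-src 'self' blob:")
PAGE_ORIGIN = "https://cloud.example.com"   # placeholder for the Seafile host


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}; first duplicate wins."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives


def governing_directive(directives, fetch_directive):
    """Name of the directive that applies to this fetch type, or None if nothing restricts it."""
    for name in FALLBACK.get(fetch_directive, [fetch_directive, "default-src"]):
        if name in directives:
            return name
    return None


def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):                 # wildcard covers subdomains only
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return pattern == host


def source_matches(expr, url, page_origin):
    """Does one source expression allow url? 'self' is taken to cover only http(s) URLs
    on the page's origin, so blob: and data: need their scheme listed explicitly."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return u.scheme in ("http", "https") and f"{u.scheme}://{u.netloc}".lower() == page_origin.lower()
    if expr.startswith("'"):                     # 'unsafe-inline', nonces, hashes: not URL matching
        return False
    if expr.endswith(":") and "/" not in expr:   # scheme-source such as blob:, data:, https:
        return u.scheme.lower() == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]
    scheme, _, rest = expr.partition("://") if "://" in expr else ("", "", expr)
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    required = scheme.lower() or page_origin.split("://", 1)[0]
    if u.scheme.lower() not in {required, "https"}:   # http:// sources also admit https
        return False
    if not _host_matches(host, u.hostname or ""):
        return False
    if port and str(u.port or {"http": 80, "https": 443}.get(u.scheme)) != port:
        return False
    path = slash + path
    if path and path != "/":                     # path prefix if it ends in '/', else exact
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def allowed(policy, fetch_directive, url, page_origin=PAGE_ORIGIN):
    """Return (governing directive or None, allowed?) for one fetch under a policy."""
    directives = parse_csp(policy)
    gov = governing_directive(directives, fetch_directive)
    if gov is None:
        return None, True
    return gov, any(source_matches(e, url, page_origin) for e in directives[gov])


if __name__ == "__main__":
    blob = "blob:https://cloud.example.com/0000-example"
    for policy, directive, url in [(BASE_CSP, "media-src", "https://cloud.example.com/f.mp4"),
                                   (WITH_MEDIA, "media-src", "https://cloud.example.com/f.mp4"),
                                   (WITH_MEDIA, "img-src", blob),
                                   (WITH_BLOB_IMG, "img-src", blob),
                                   (WITH_MEDIA, "script-src", blob)]:
        print(directive, url, "->", allowed(policy, directive, url))
```

The five cases in the main block retrace the thread: the mp4 is blocked by default-src until media-src exists, a blob: image is blocked by img-src 'self' until blob: is added there, and the same blob: URL is fine as a script because script-src already lists blob:. Paste a policy and the URL from a browser console error into allowed() to see which directive needs changing.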