Check security server


#21

Did you figure it out? :slight_smile:


#22

After a lot (really a lot) of hours of googling and testing, I’m pretty sure it’s a Seafile problem. There’s a problem with cookies. When you set the cookie Secure flag, then in every form sent (over the API?) the CSRF token is not present. And I cannot make a workaround.

I created an issue on GitHub and created a topic for this bug … see below


#23

Ok, I misunderstood what the cookie flag HttpOnly does. And it was wrongly configured. So the last version of the Apache setup is:

        Header edit Set-Cookie ^(.*)$ $1;Secure
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        Header always set X-Content-Type-Options nosniff
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Frame-Options SAMEORIGIN
        Header always set Referrer-Policy "strict-origin"
        Header always set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self';"


#24

So regarding that line, is the bug fixed in it? The old one is blocking the move option in the web GUI. I don’t know if you have changed anything in that line, as I’m not at the server right now.


#25

That was the first problem, which was solved by adding blob: to Content-Security-Policy.

But there was a second problem with CSRF. It’s fixed by Header edit Set-Cookie ^(.*)$ $1;Secure, where the HttpOnly flag is removed.


#26

I’ve removed the preload option from your post. It can be quite harmful.

See https://hstspreload.org/#opt-in


#27

Sorry, I copied it from my conf. But the preload flag does nothing. It’s necessary for the HSTS Preload service, but you have to submit your domain to this service (on the page you posted). So if you don’t submit, this flag is unused.


#28

In case the header is set, anyone can add your domain to the preload list.


#29

Hi,
I still have the issue: when I’m opening the move option in the web GUI it’s just loading, the same for the copy option.
I have this in my CSP, have I done something wrong?

"default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self'


#30

Can you produce browser log?


#31

How do I do that? I’m using firefox.


#32

#33

Don’t know what happened, but when I was reloading the page everything worked as normal again.
I’ll run the network monitor if I stumble over the issue again.


#34

Maybe it only cached your previous configuration. I recommend you use + ; it will reload the page without using the local cache.

EDIT: And I don’t know the default configuration of FF, but mostly all browsers disable the cache when the developer panel is opened.


#35

Hotfix for mp4 file playback on SeaHub

Header always set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self'; media-src 'self';"

#36

Works great, thanks!


#37

Sorry if this is late, but just wanted to add to the discussion. Here’s an open source Unix security checking tool:
https://cisofy.com/lynis/

Found a lot of things to fix in my server config this way.


#38

After updating to 6.2.3 I can’t copy or move files through the web browser anymore; it’s the same as before, it’s just loading.
But if I # the line it works great.

Here is my CSP, have I done anything wrong?

add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.nohatech.se/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.nohatech.se; object-src 'none'; frame-ancestors https://*.nohatech.se/; base-uri https://*.nohatech.se/ 'self'; media-src 'self';" always;


#39

It looks good. I tried that and my copy/move is working great. I only found a problem in the PDF viewer, where there is a problem with a blob image, so I added blob: to the img-src section. Try opening the developer console and making a copy/move operation. The browser will tell you what’s wrong.


#40

Can you write the blob: into my line so it’s correct?
I can’t get it to work for some reason.

Here is the error from copy and move:

Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.
Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://cloud.xxx.se/a1bc7f2d-249a-466b-9a68-f717b838feba (“default-src 'none'”).
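The blocked-blob error above is CSP directive fallback at work: a load type with no directive of its own is judged by default-src, which here is 'none'. The following is an added example (my code, not from the thread or from Seafile) that parses a CSP header and reports which directive governs a given load and whether it passes; the example.org hosts and the blob URL in it are constructed.

```python
"""Check whether a Content-Security-Policy lets a resource load.

Added example, not code from the thread or from Seafile. It models the
directive fallback behind the error quoted in the thread: a blob: image is
governed by img-src, and by default-src only when img-src is absent.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when not listed (CSP3 subset).
FALLBACK = {"img-src", "script-src", "style-src", "font-src", "connect-src",
            "media-src", "object-src", "frame-src", "worker-src", "child-src"}


def parse_csp(header):
    """Split 'name src src; name ...' into {name: [src, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, page_origin):
    """Match one source expression against the URL being loaded."""
    u = urlparse(url)
    if source == "'self'":                 # same origin only; blob:/data: never match
        return u.scheme + "://" + u.netloc == page_origin
    if source.startswith("'"):             # 'none', 'unsafe-inline', ... match no URL
        return False
    if source.endswith(":"):               # scheme source such as blob: or data:
        return u.scheme == source[:-1]
    s = urlparse(source if "://" in source else "//" + source)
    if u.hostname is None or s.hostname is None:
        return False                       # e.g. blob: URL against a host source
    if "://" in source and u.scheme != s.scheme:
        return False
    if s.hostname.startswith("*."):        # wildcard host: any subdomain
        return u.hostname.endswith(s.hostname[1:])
    return u.hostname == s.hostname


def allows(header, directive, url, page_origin):
    """Return (allowed, governing_directive); governing is None if unrestricted."""
    policy = parse_csp(header)
    governing = directive if directive in policy else (
        "default-src" if directive in FALLBACK and "default-src" in policy else None)
    if governing is None:
        return True, None
    return any(source_matches(s, url, page_origin) for s in policy[governing]), governing
```

Running it against the thread's policy shows that a blob: image fails img-src until blob: is added there, and that a blob: worker (no worker-src or child-src listed) is refused by default-src 'none', which is exactly what the quoted Firefox message reports.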