Did you figure it out?
After a lot (really a lot) of hours googling and testing, I'm pretty sure it's a Seafile problem. There's a problem with cookies. When you set up the cookie Secure flag, then in every form sent (over API?) the CSRF token is not present. And I cannot make a workaround.
I created an issue on GitHub and created a topic for this bug … see below
Ok, I misunderstood what the cookie flag HttpOnly does. And it's wrongly configured. So the last version of the Apache setup is:
Header edit Set-Cookie ^(.*)$ $1;Secure
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "strict-origin"
Header always set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self';"
So regarding that line, is the bug fixed in that? The old one was blocking the move option in the web GUI. I don't know if you have changed anything in that line as I'm not at the server right now.
That was the first problem, which was solved by adding blob: to Content-Security-Policy.
But there was a second problem with CSRF. It's fixed by Header edit Set-Cookie ^(.*)$ $1;Secure where the HttpOnly flag is removed.
I've removed the preload option from your post. It can be quite harmful.
Sorry, I copied it from my conf. But the preload flag does nothing. It's necessary for the HSTS Preload service, but you have to submit your domain to this service (on the page you posted). So if you don't submit, then this flag is unused.
In case the header is set, anyone can add your domain to the preload list.
Hi,
I still have the issue: when I'm opening the move option in the web GUI it's just loading, the same for the copy option.
I have this in my CSP, have I done something wrong?
"default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self'
Can you produce a browser log?
How do I do that? I'm using Firefox.
Don't know what happened, but when I was reloading the page everything worked as normal again.
I'll run the network monitor if I stumble over the issue again.
Maybe it only cached your previous configuration. I recommend you use + ; it will reload the page without using the local cache.
EDIT: And I don't know the default configuration of FF, but mostly all browsers disable the cache when the developer panel is opened.
Hotfix for mp4 file playback on SeaHub
Header always set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self'; media-src 'self';"
Works great, thanks!
Sorry if this is late, but just wanted to add to the discussion. Here's an open source Unix security checking tool:
https://cisofy.com/lynis/
Found a lot of things to fix in my server config this way.
After updating to 6.2.3 I can't copy or move files through the web browser anymore; it's the same as before, it's just loading.
But if I # the line it works great.
Here is my CSP, have I done anything wrong?
add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.nohatech.se/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.nohatech.se; object-src 'none'; frame-ancestors https://*.nohatech.se/; base-uri https://*.nohatech.se/ 'self'; media-src 'self';" always;
It looks good. I tried that and my copy/move work great. I only found a problem in the PDF viewer: there is a problem with blob images, so I added blob: to the img-src section. Try opening the developer console and making a copy/move operation. The browser will tell you what's wrong.
Can you write the blob: in my line so it's correct?
I can't get it to work for some reason.
Here is the error from copy and move.
Content Security Policy: Directive 'frame-src' has been deprecated. Please use directive 'child-src' instead. Content Security Policy: The page's settings blocked the loading of a resource at blob:https://cloud.xxx.se/a1bc7f2d-249a-466b-9a68-f717b838feba ("default-src 'none'").
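To make the "blocked the loading of a resource at blob:... (default-src 'none')" message and the img-src/blob: advice above reproducible offline, here is an added example (not from the thread or from Seafile) that models CSP directive fallback and source matching in Python. It checks the thread's own policy with the <yourdomain>.<tld> placeholder filled in as the constructed example.com: a blob: script passes script-src, a blob: image fails img-src 'self' (the PDF viewer problem), and a resource type with no directive of its own lands on default-src 'none', which is exactly the directive Firefox names in its error.

```python
import re
from urllib.parse import urlsplit

FALLBACK = {"frame-src": ["child-src", "default-src"],                 # CSP3 fallback chains;
            "worker-src": ["child-src", "script-src", "default-src"]}  # others use default-src
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action"}           # never fall back

def parse_csp(header):
    """Turn a Content-Security-Policy value into {directive: [source, ...]}."""
    parts = (p.split() for p in header.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def effective_directive(policy, directive):
    """Directive the browser actually applies after fallback, or None (unrestricted)."""
    chain = [directive] + ([] if directive in NO_FALLBACK else FALLBACK.get(directive, ["default-src"]))
    return next((name for name in chain if name in policy), None)

def source_matches(source, url, page_origin):
    """Does one CSP source expression match url? (http->https upgrade not modelled)"""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):              # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if source.endswith(":"):                # scheme-source such as blob: or data:
        return u.scheme == source[:-1].lower()
    h = urlsplit(source if "://" in source else "https://" + source)   # host-source
    if "://" in source and h.scheme != u.scheme:
        return False
    host_re = re.escape(h.netloc.lower()).replace(r"\*", r".+")       # leading *. wildcard
    return re.fullmatch(host_re, u.netloc.lower()) is not None

def check(header, directive, url, page_origin):
    """Return (allowed, deciding directive): the pair Firefox prints as '(<directive> ...)'."""
    policy = parse_csp(header)
    applied = effective_directive(policy, directive)
    if applied is None:
        return True, None
    return any(source_matches(s, url, page_origin) for s in policy[applied]), applied

# Constructed sample: the thread's policy with <yourdomain>.<tld> filled in as example.com.
SAMPLE_CSP = ("default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ "
              "https://*.example.com/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; "
              "font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; "
              "frame-src https://*.example.com; object-src 'none'; "
              "frame-ancestors https://*.example.com/; base-uri https://*.example.com/ 'self'")
ORIGIN = "https://cloud.example.com"                                           # constructed
BLOB = "blob:https://cloud.example.com/00000000-0000-4000-8000-000000000000"   # constructed
```

Call check(SAMPLE_CSP, "media-src", BLOB, ORIGIN) to see the policy reject a blob: media resource via default-src; appending "; media-src 'self' blob:" is the corresponding fix.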