Nginx, seafile and Content-Security-Policy


#1

Hello,

In the configuration file /etc/nginx/sites-available/seafile.conf I added add_header Content-Security-Policy "default-src https://mywebsite:443 ";

With this parameter, I can no longer complete my user login. I mean only the header of my welcome page (after the login page) is displayed, not the content with my left column and the central one with my libraries. Why do I need elements from a website other than MY website (because this is the reason why I can't load my welcome page)? How can I fix it?

Have a nice day.


#2

Hey,

try this:

add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:";

'self' is like https://mywebsite:443, 'unsafe-inline' allows all scripts embedded in the loaded HTML page and 'unsafe-eval' allows the use of eval functions to process JS content loaded from the server.

See more here.

When you use collabora on your own server, you need to add the collabora host to the csp header:

add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://collabora.mywebsite:443";

But in the browser console the following message occurs:

'postMessage' konnte auf 'DOMWindow' nicht ausgeführt werden: Der angegebene Ziel-Ursprung (origin - 'http://mywebsite') stimmt nicht mit dem Empfängerfenster-Ursprung überein ('https://mywebsite').

It seems like collabora tries to access something via http while it is forbidden.

Regards


#3

Many thanks for your answer! That works :heart_eyes:
I put: add_header Content-Security-Policy "default-src https://mywebsite:443 'unsafe-inline' 'unsafe-eval'";

Just a question: the keywords 'unsafe-inline' and 'unsafe-eval' will not permit content to be loaded from a website other than mine, will they? I really want to force data to come only from my website.

Have a nice day.


#4

I'm not sure about it, but I'd imagine that if the inline or eval JavaScript tells the browser to load content from a different site, the new resource is not allowed by CSP and therefore it will be blocked.
Perhaps you could test it by injecting some code into the template files?


#5

I just found a CSP header building tool and a corresponding validator. The validator says that the posted header string is incorrect.
It should be this:

default-src 'self' data: blob:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval'

I also added blob:, which is necessary to load the file move dialog of Seafile.
Sadly I couldn't test it now.


#6

Hello,

Many thanks for the 2 websites. You are right, the validator website rejects my code. But if I put default-src https://website:443 unsafe-inline unsafe-eval the validator validates it (sorry for this play on words :grin:). I don't understand why…

Moreover, based on this website, it appears that the CSP is correct. I'm lost… :hushed:

Have a nice day.
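As an added example (not code from this thread or from Seafile), a small Python checker that parses a CSP header value the way browsers do, flags the unquoted unsafe-inline / unsafe-eval from post #6 (an unquoted keyword is syntactically a host-source for a host literally named "unsafe-inline", which is why a validator accepts it while the browser ignores the intent), and answers post #3's question by testing which URLs a policy would let a page load. Host matching is deliberately simplified (exact scheme/host/port, no wildcards or path parts) and the page and resource URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

KEYWORDS = {"self", "unsafe-inline", "unsafe-eval", "none"}  # must appear single-quoted in a policy
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy):
    """Split a CSP value into {directive: [source tokens]}; directives end at ';', tokens at whitespace."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # browsers ignore a repeated directive
    return directives


def lint(policy):
    """Findings about tokens that do not do what the author probably meant or that weaken the policy."""
    findings = []
    for name, sources in parse_csp(policy).items():
        for src in sources:
            if not src.startswith("'") and src.lower() in KEYWORDS:
                findings.append(f"{name}: {src} is unquoted, so it is a host-source for a host named {src!r}, not a keyword")
            elif src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name}: {src} lets inline script or eval() run, including injected script")
    return findings


def effective_sources(policy, directive):
    """A fetch directive (script-src, img-src, media-src, ...) without its own entry falls back to default-src."""
    directives = parse_csp(policy)
    return directives.get(directive, directives.get("default-src", []))


def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def allows(policy, directive, url, page_url):
    """Would loading `url` under `directive` be permitted on a page at `page_url`? (simplified matching)"""
    page, target = _origin(page_url), _origin(url)
    for src in effective_sources(policy, directive):
        if src == "'self'" and target == page:
            return True
        if src.startswith("'"):
            continue  # other keywords govern inline/eval only; they never allow a remote URL
        if src.endswith(":") and "://" not in src:  # scheme-source such as data: or blob:
            if target[0] == src[:-1]:
                return True
        elif target == _origin(src if "://" in src else f"{page[0]}://{src}"):  # host-source
            return True
    return False
```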


#7
add_header Content-Security-Policy "default-src 'self' data: blob:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' blob:";
add_header Content-Security-Policy "upgrade-insecure-requests; ";

Hi, I have a problem: video on Seahub isn't working with CSP; my configuration is above. Does anybody have a solution?


#8

My answer is a bit late, but check: Check security server


#9

Thanks, but I already found this and fixed it.