Nginx, seafile and Content-Security-Policy

IssueFindings · July 12, 2017, 2:27pm

Hello,

In the file configuration /etc/nginx/sites-available/seafile.conf I add add_header Content-Security-Policy "default-src https://mywebsite:443 ";

With this parameter, I can’t no more finalize my user connexion. I mean only the header of my welcome page (after the connexion page) is displayed. Not the content with my left column and the central one with my libraries. Why I need elements from another website than MY website (because this is the reason why I can’t download my welcome page) ? How I can fix it ?

Have a nice day.

Garfield · July 14, 2017, 7:46am

Hey,

try this:

add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:";

‘self’ is like https://mywebsite:443’, ‘unsafe-inline’ allows all scripts embedded on the loaded html-page and ‘unsafe-eval’ allows the use of eval-functions to process js-content loaded from the server.

See more here.

When you use collabora on your own server, you need to add the collabora host to the csp header:

add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://collabora.mywebsite:443";

But in the browser console the following message occures:

'postMessage' konnte auf 'DOMWindow' nicht ausgeführt werden: Der angegebene Ziel-Ursprung (origin - 'http://mywebsite') stimmt nicht mit dem Empfängerfenster-Ursprung überein ('https://mywebsite').

It seems like collabora tries to access something via http while it is forbidden.

Regards

IssueFindings · July 15, 2017, 9:41am

Many thanks for your answer ! That works
I put : add_header Content-Security-Policy "default-src https://mywebsite:443 'unsafe-inline' 'unsafe-eval'";

Just a question, keywords ‘unsafe-inline’ and ‘unsafe-eval’ will not permit to load contents from another website than mine ? I really want to force data only comes from my website.

Have a nice day.

Garfield · July 16, 2017, 9:23am

I’m not sure with it but I’d imagine that if the in-line or eval Javascript tells the browser to load content from a different site that the new resource is not allowed by csp and therfore it will be blocked.
Perhaps you could test it by injecting some code to the template files?

Garfield · July 17, 2017, 1:32pm

I just found a csp header building tool and a corrosponding validator. The validator tells that the posted header string is incorrect.
It should be this

default-src 'self' data: blob:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval'

I also added blob: which is neccessary to load the file move dialog of seafile.
Sadly I couldn’t test it now.

IssueFindings · July 18, 2017, 6:12pm

Hello,

Many thanks for the 2 websites. You are true, the validator website rejects my code. But if I put default-src https://website:443 unsafe-inline unsafe-eval the validator validates (sorry for this play on words ). I don’t understand why…

Moreover, based on this website it appears that the CSP is correct. I’m lost…

Have a nice day.

bionade24 · December 10, 2018, 8:34pm

add_header Content-Security-Policy "default-src 'self' data: blob:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' blob:";
 add_header Content-Security-Policy "upgrade-insecure-requests; ";

Hi, I have problems, Video on Seahub isn’t working with CSP, up there my configuration. Has anybody a solution?

klangborste · April 13, 2019, 10:38am

A bit late my answer but check: Check security server

bionade24 · April 15, 2019, 10:40am

Thanks, but I already found this and fixed it.