Hello,
In the configuration file /etc/nginx/sites-available/seafile.conf I added: add_header Content-Security-Policy "default-src https://mywebsite:443 ";
With this parameter, I can no longer complete my user login. I mean only the header of my welcome page (after the login page) is displayed, not the content with my left column and the central one with my libraries. Why do I need elements from another website than MY website (because this is the reason why I can’t load my welcome page)? How can I fix it?
Have a nice day.
Hey,
try this:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:";
'self' is like https://mywebsite:443, 'unsafe-inline' allows all scripts embedded in the loaded HTML page and 'unsafe-eval' allows the use of eval functions to process JS content loaded from the server.
See more here.
When you use Collabora on your own server, you need to add the Collabora host to the CSP header:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://collabora.mywebsite:443";
But in the browser console the following message occurs:
'postMessage' konnte auf 'DOMWindow' nicht ausgeführt werden: Der angegebene Ziel-Ursprung (origin - 'http://mywebsite') stimmt nicht mit dem Empfängerfenster-Ursprung überein ('https://mywebsite').
It seems that Collabora tries to access something via http while it is forbidden.
Regards
Many thanks for your answer! That works.
I put: add_header Content-Security-Policy "default-src https://mywebsite:443 'unsafe-inline' 'unsafe-eval'";
Just a question: the keywords 'unsafe-inline' and 'unsafe-eval' will not permit loading content from another website than mine? I really want to force data to come only from my website.
Have a nice day.
I’m not sure about it, but I’d imagine that if the inline or eval JavaScript tells the browser to load content from a different site, the new resource is not allowed by the CSP and therefore it will be blocked.
Perhaps you could test it by injecting some code to the template files?
I just found a CSP header building tool and a corresponding validator. The validator says that the posted header string is incorrect.
It should be this:
default-src 'self' data: blob:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval'
I also added blob:, which is necessary to load the file move dialog of Seafile.
Sadly I couldn’t test it now.
Hello,
Many thanks for the two websites. You are right, the validator website rejects my code. But if I put default-src https://website:443 unsafe-inline unsafe-eval, the validator validates (sorry for this play on words). I don’t understand why…
Moreover, based on this website it appears that the CSP is correct. I’m lost…
Have a nice day.
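To make the policies posted in this thread concrete (the question whether 'unsafe-inline' and 'unsafe-eval' let content in from another site, and what the validator sees when the keywords are written without quotes), here is a small CSP evaluator added as an example; it is not Seafile or nginx code, it simplifies the spec's matching rules (no wildcard hosts, no http to https upgrade), and the page URL and policy strings are constructed from the posts above.

```python
import re
from urllib.parse import urlsplit
DEFAULT_PORTS = {"https": 443, "http": 80}

def origin_of(url):
    """(scheme, host, port) of a URL, default port filled in for http/https."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def parse_csp(header_value):
    """'default-src a b; script-src c' -> {'default-src': ['a','b'], 'script-src': ['c']}"""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """script-src, img-src, ... fall back to default-src when not set explicitly."""
    return policy.get(directive, policy.get("default-src", []))

def source_allows(token, url, page_url):
    """Does one source expression permit loading `url` from a page at `page_url`?"""
    scheme, host, port = origin_of(url)
    if token == "'self'":
        return (scheme, host, port) == origin_of(page_url)
    if token.startswith("'"):  # 'unsafe-inline', 'unsafe-eval', 'none' never match a URL
        return False
    if token.endswith(":"):    # scheme-source such as data: or blob:
        return scheme == token[:-1]
    # host-source [scheme://]host[:port][/path]; UNQUOTED unsafe-inline is parsed as a host name
    m = re.fullmatch(r"(?:([a-z]+)://)?([\w.-]+)(?::(\d+|\*))?(?:/.*)?", token)
    if not m or (m[1] or origin_of(page_url)[0]) != scheme or m[2].lower() != host:
        return False
    return m[3] == "*" or port == (int(m[3]) if m[3] else DEFAULT_PORTS.get(scheme))

def allows(header_value, directive, url, page_url):
    sources = effective_sources(parse_csp(header_value), directive)
    return any(source_allows(t, url, page_url) for t in sources)

def allows_inline_script(header_value):
    """Inline <script> runs only if the effective script-src has the QUOTED keyword."""
    return "'unsafe-inline'" in effective_sources(parse_csp(header_value), "script-src")
# Constructed inputs: the policies posted in this thread, page served from https://mywebsite
PAGE = "https://mywebsite/"
QUOTED = "default-src https://mywebsite:443 'unsafe-inline' 'unsafe-eval'"
UNQUOTED = "default-src https://mywebsite:443 unsafe-inline unsafe-eval"
SPLIT = "default-src 'self' data: blob:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' blob:"
```

Running allows(QUOTED, "script-src", "https://cdn.example/lib.js", PAGE) returns False while the same call for https://mywebsite/... returns True, and allows_inline_script(UNQUOTED) is False because the unquoted token is read as a host name rather than the keyword.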
add_header Content-Security-Policy "default-src 'self' data: blob:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' blob:";
add_header Content-Security-Policy "upgrade-insecure-requests; ";
Hi, I have a problem: video in Seahub isn’t working with CSP; my configuration is above. Does anybody have a solution?
My answer is a bit late, but check: Check security server
Thanks, but I already found this and fixed it.