~tsileo/microblog.pub#80: Content Security Policy errors

I keep getting this error with pretty much any button I try clicking.

Firefox:

Content Security Policy: The page’s settings blocked the loading of a resource at http://xxxxxxx.xxx/admin/profile (“form-action”).

Webkit:

Refused to load http://xxxxxxxxxxx/admin/object because it does not appear in the form-action directive of the Content Security Policy.

Here's what my reverse proxy setup looks like:

     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
         server_name xxxxxxxxxxxxx;
         client_max_body_size 1G;
         ssl_certificate /etc/ssl/xxxxxxxxxxx.fullchain.cert;
         ssl_certificate_key /etc/ssl/private/xxxxxxxxxxxxxx.key;
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
         location / {
                 proxy_set_header Host $http_host;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header X-Forwarded-Proto $scheme;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection $connection_upgrade;
                 proxy_redirect off;
                 proxy_buffering off;
                 proxy_pass http://192.168.1.7:8000;
         }
     }

Any idea as to what's going on? (The x's are, of course, my domain name.)

Status: REPORTED
Submitter: Charadon
Assigned to: No-one
Submitted: 2 years ago
Updated: 8 months ago
Labels: No labels applied.

~tsileo 2 years ago

Hey,

It looks like you have https = false whereas it should be https = true.

Let me know if that solves your issue, thanks!

Charadon 2 years ago

Unfortunately, https = true is indeed set. Here's my entire config:


     domain = "xxxxxxxxxxxxx"
     username = "xxxxxxxxxxxxxxxx"
     admin_password = "xxxxxxxxxxxxxxxxxxxx"
     name = "Charadon"
     summary = ""
     https = true
     icon_url = "https://mb.iotib.net/static/nopic.png"
     secret = "xxxxxxxxxxxxxxxxxxxxxxx"

~tsileo 2 years ago

Can you try trusted_hosts = ["*"] in data/profile.toml?

Charadon 2 years ago

On 12/10/22 14:26, ~tsileo wrote:

trusted_hosts = ["*"]

Well, that fixed it! I wonder if this had to do with the fact I had to change the supervisord config to use 192.168.1.7 instead of 127.0.0.1 to work with my VPN?

~tsileo 2 years ago

The middleware only trusts 127.0.0.1 by default.

I will add this in the doc in the troubleshooting section.

Charadon 2 years ago

On 12/10/22 14:35, ~tsileo wrote:

The middleware only trusts 127.0.0.1 by default.

I will add this in the doc in the troubleshooting section.

Should also mention how to change the default IP from 127.0.0.1 while you're at it ;)

~satchlj 8 months ago

had the same issue, trusted_hosts = ["*"] fixed it
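
The failure and the fix discussed in this thread, as an added example that is not microblog.pub's own code: a simplified model of a proxy-header middleware that honors X-Forwarded-Proto only from trusted peers, checked against an assumed `form-action 'self'` policy. The host name, the peer addresses, and the idea that `trusted_hosts` can list the proxy's own IP instead of `"*"` are assumptions for illustration.

```python
from urllib.parse import urlsplit

def effective_scheme(peer_ip, headers, trusted_hosts):
    """Scheme the app believes the client used.

    X-Forwarded-Proto is honored only when the connecting peer is trusted;
    otherwise the app only sees the plain-HTTP hop created by proxy_pass.
    """
    trusted = "*" in trusted_hosts or peer_ip in trusted_hosts
    if trusted and headers.get("x-forwarded-proto") in ("http", "https"):
        return headers["x-forwarded-proto"]
    return "http"

def form_action_url(peer_ip, headers, trusted_hosts, path):
    """Absolute URL the app would render into a <form action=...>."""
    scheme = effective_scheme(peer_ip, headers, trusted_hosts)
    return f"{scheme}://{headers['host']}{path}"

def allowed_by_form_action_self(page_url, target_url):
    """Simplified 'self' match: same host and no https -> http downgrade."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    if page.netloc != target.netloc:
        return False
    upgrade = (page.scheme, target.scheme) == ("http", "https")
    return target.scheme == page.scheme or upgrade

# Constructed request as the app receives it from the reverse proxy.
PROXY_IP = "192.168.1.7"  # assumption: address the proxy connects from
HEADERS = {"host": "blog.example.test", "x-forwarded-proto": "https"}
PAGE = "https://blog.example.test/admin"  # what the browser actually loaded

def check(trusted_hosts, peer_ip=PROXY_IP, headers=HEADERS):
    """Return (rendered form action, whether the browser would allow it)."""
    url = form_action_url(peer_ip, headers, trusted_hosts, "/admin/profile")
    return url, allowed_by_form_action_self(PAGE, url)

if __name__ == "__main__":
    for hosts in (["127.0.0.1"], ["*"], [PROXY_IP]):
        print(hosts, *check(hosts))
```

With `["*"]` the header is honored from any peer that can reach the app port, so in this model listing only the proxy's address gives the same fix while ignoring X-Forwarded-Proto from everyone else.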
