Content-security-policy problem with Custom WebApp

mdic · June 11, 2019, 9:31am

My YunoHost server

Hardware: Online VPS
YunoHost version: 3.5.2.2
I have access to my server : Through SSH; through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no & yes
If yes, please explain: as explained further below, I have tried to tweak the nginx’s host configuration to solve the issue, but with no luck

Description of my issue

First of all, hi everyone; I’m new to the forum, and a new Yunohost user - which I had been looking at for a while, and only recently decided to try.

Everything is working perfectly, apart from a static website I am hosting through the Custom Webapp. I have created my website using Hugo + Academic Theme (I am going to write a post on Academic Theme’s forum as well to describe the same problem, as I’m not sure what is the cause of the issue), and my browser does not load the required scripts - including yunohost’s /ynhtheme/custom_portal.js and ynh_portal.js. The errors I get from Firefox console are:

Content Security Policy: This site (https://DOMAIN.LTD) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
Loading failed for the <script> with source “https://DOMAIN.LTD/ynh_portal.js”.
site:143
Loading failed for the <script> with source “https://DOMAIN.LTD/ynhtheme/custom_portal.js”.
site:143
Loading failed for the <script> with source “https://DOMAIN.LTD/js/academic.min.9ef1b53ee2bde6c7f33b150c6ba4d452.js”.

I have never worked with content-security-policy before, so I had a look online and then found the relevant conf file under /etc/nginx/conf.d/DOMAIN.LTD.confwhere the following lines are present:

more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "X-XSS-Protection : 1; mode=block";
more_set_headers "X-Download-Options : noopen";
more_set_headers "X-Permitted-Cross-Domain-Policies : none";
more_set_headers "X-Frame-Options : SAMEORIGIN";

I have therefore embarked on a long journey to try and modify the CSP-related lines so as to make my site work, but no luck at all. I have tried pretty much everything, including allowing (almost) everything. My latest attempt was replacing the third line above with what follows (one at a time, and the both together):

more_set_headers "Content-Security-Policy : script-src 'self' https://DOMAIN.LTD https://cdnjs.cloudflare.com https://DOMAIN.LTD/ynh_portal.js";
more_set_headers "Content-Security-Policy: default-src 'self' *.fontawesome.com *.cloudflare.com https://DOMAIN.LTD ;style-src 'self' https: 'unsafe-inline'; script-src https: 'self' https://DOMAIN.LTD";

but not only the Custom Webapp still gives problems, but then also the other apps and the ynh webadmin wouldn’t work properly.

Any ideas on how to solve the problem?
Many thanks in advance, and if more details are needed I’m happy to provide them.

Aleks · June 11, 2019, 11:00am

Hmmm I think you should forget about the CSP thing, imho it’s not what’s the actual issue … I know this stuff is confusing (because I got confused by it before) but as the message states, the setting is in Report-Only . So it’s not what’s actually blocking the JS from loading.

Instead, I would try to access https://DOMAIN.LTD/js/academic.min.9ef1b53ee2bde6c7f33b150c6ba4d452.js directly and try to understand why it ain’t loading properly using Firefox Network debugger

mdic · June 12, 2019, 9:09am

Many thanks @Aleks for the quick reply and for the details.
I’ve followed your suggestion, and if I navigate to the .js address while not logged into ynh, I am redirected to the SSOwat login page; otherwise I get redirected to my user dashboard. The same thing happens with the ynh scripts ynh_portal.js and ynhtheme/custom_portal.js.

I have therefore disabled (from the site’s nginx conf file) the ynh logo (as I won’t need it on my main webpage), but obviously the problem remains with the academic .js file.
Firefox console message is as follows:
Loading failed for the <script> with source “https://DOMAIN.LTD/js/academic.min.9ef1b53ee2bde6c7f33b150c6ba4d452.js”.

so, as I think you suspected, I feel it’s a permission problem with nginx. Any ideas on how to solve this, maybe through ynh directly? I’d like to avoid making custom modification which will (maybe) be overwritten when upgrading.
Thanks in advance to anyone who can help.

mdic · June 12, 2019, 2:05pm

Quick addition: I’ve been fiddling a bit with the server, and I have now seen that all the static files (js, images, etc…) of the Custom Webapp redirect to the ynh portal, with a 302 code.
I’m now fairly convinced this has to do with the way the Custom Webapp is configured, but I can’t find a way to fix this.

mdic · June 13, 2019, 3:20pm

I have finally managed to solve the problem, and I must admit that it was a very stupid issue - I am almost embarassed to explain it, but here it goes.
The whole mess was caused by a wrong relative path in the website’s pages which, instead of pointing to DOMAIN.LTD/site/js/ was pointing to DOMAIN.LTD/js/

Many thanks for your patience, and sorry for the waste of time.
ps. the more I use yunohost, the more I like it even though I still have to get acquainted with it!

system · June 28, 2019, 3:20pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.