My YunoHost server
Hardware: Online VPS
YunoHost version: 188.8.131.52
I have access to my server : Through SSH; through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no & yes
If yes, please explain: as explained further below, I have tried to tweak the nginx’s host configuration to solve the issue, but with no luck
Description of my issue
First of all, hi everyone; I’m new to the forum, and a new Yunohost user - which I had been looking at for a while, and only recently decided to try.
Everything is working perfectly, apart from a static website I am hosting through the Custom Webapp. I have created my website using Hugo + Academic Theme (I am going to write a post on Academic Theme’s forum as well to describe the same problem, as I’m not sure what is the cause of the issue), and my browser does not load the required scripts - including yunohost’s
ynh_portal.js. The errors I get from Firefox console are:
Content Security Policy: This site (https://DOMAIN.LTD) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy. Loading failed for the <script> with source “https://DOMAIN.LTD/ynh_portal.js”. site:143 Loading failed for the <script> with source “https://DOMAIN.LTD/ynhtheme/custom_portal.js”. site:143 Loading failed for the <script> with source “https://DOMAIN.LTD/js/academic.min.9ef1b53ee2bde6c7f33b150c6ba4d452.js”.
I have never worked with content-security-policy before, so I had a look online and then found the relevant conf file under
/etc/nginx/conf.d/DOMAIN.LTD.confwhere the following lines are present:
more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; more_set_headers "Content-Security-Policy : upgrade-insecure-requests"; more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'"; more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "X-XSS-Protection : 1; mode=block"; more_set_headers "X-Download-Options : noopen"; more_set_headers "X-Permitted-Cross-Domain-Policies : none"; more_set_headers "X-Frame-Options : SAMEORIGIN";
I have therefore embarked on a long journey to try and modify the CSP-related lines so as to make my site work, but no luck at all. I have tried pretty much everything, including allowing (almost) everything. My latest attempt was replacing the third line above with what follows (one at a time, and the both together):
more_set_headers "Content-Security-Policy : script-src 'self' https://DOMAIN.LTD https://cdnjs.cloudflare.com https://DOMAIN.LTD/ynh_portal.js"; more_set_headers "Content-Security-Policy: default-src 'self' *.fontawesome.com *.cloudflare.com https://DOMAIN.LTD ;style-src 'self' https: 'unsafe-inline'; script-src https: 'self' https://DOMAIN.LTD";
but not only the Custom Webapp still gives problems, but then also the other apps and the ynh webadmin wouldn’t work properly.
Any ideas on how to solve the problem?
Many thanks in advance, and if more details are needed I’m happy to provide them.