Content Security Policy issue

Discussion in 'Developers' Forum' started by Hans Desjarlais, Jan 23, 2022.

  1. Hans Desjarlais

    Hans Desjarlais New Member

    The module we are building loads images from our AWS CloudFront distribution inside the main module page.
    The images are not appearing and I'm getting the following error message in the console.
    Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data:"
    Is this something which is a server configuration specific to ISPConfig 3 or could it be an AWS CF setting I need to set up?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Sounds like the header sent via the ISPConfig vhost; you would have to customize that from the CLI. You could probably set that header differently for locations that begin with your module's path.
     
  3. Hans Desjarlais

    Hans Desjarlais New Member

    @Jesse Norell ok, I understand.
    Is that something that could be changed during the installation of the module and would be permanent, or would it be over-written when someone updates ISPConfig?
    Is this the file you're referring to? /usr/local/ispconfig/server/conf/apache_apps.vhost.master
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The ISPConfig vhost is, depending on the OS and web server, e.g. /etc/apache2/sites-available/ispconfig.vhost or /etc/nginx/sites-available/ispconfig.vhost
    The master template for that file is in the ISPConfig tar.gz in the install/tpl/ folder and to make changes update-proof, you can copy it to the folder /usr/local/ispconfig/server/conf-custom/install/ But that's nothing that a module should do, as using such a master template prevents ISPConfig from updating this template in future and many users won't be able to diff and update it on their own.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Instead of loading images from an external CDN on each pageview, you can e.g., write a small PHP script that acts as a proxy and is also able to cache the images locally. Especially as changing the content security policy would weaken the security of the ISPConfig panel.
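
One way to build the caching proxy suggested above, as an added example that is not part of the original thread and not ISPConfig code. The CDN host, cache directory, script name and the `f` parameter are assumptions; the script is assumed to be served from the panel's own origin, so `img-src 'self'` stays untouched, and the module's own login check is assumed to run before it.

```php
<?php
// img_proxy.php - added example. Host, cache path and parameter name are assumptions.
declare(strict_types=1);

const CDN_HOST  = 'cdn.example.com';          // placeholder for the CloudFront distribution host
const CACHE_DIR = '/var/cache/mymodule-img';  // hypothetical; writable by the web user only
const CACHE_TTL = 86400;                      // seconds before a cached image is re-fetched
const MAX_BYTES = 2097152;                    // images above 2 MiB are not cached or served
const TYPES     = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                   'gif' => 'image/gif', 'webp' => 'image/webp'];

function fail(int $code): void { http_response_code($code); exit; }

// Accept only a relative path of safe characters with an allowed extension.
// The host is fixed, so a client can never point the proxy at another server,
// and the pattern has no room for "..", a scheme or a query string.
$path = $_GET['f'] ?? '';
if (!is_string($path)
    || !preg_match('#^(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.(png|jpg|gif|webp)$#', $path, $m)) {
    fail(400);
}
$mime  = TYPES[$m[1]];
$cache = CACHE_DIR . '/' . sha1($path) . '.' . $m[1];

if (!is_file($cache) || filemtime($cache) < time() - CACHE_TTL) {
    $ch = curl_init('https://' . CDN_HOST . '/' . $path);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,      // no redirects to other hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $ok   = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    // Check size and sniff the real content type before anything is stored or served.
    if (!$ok || strlen($body) > MAX_BYTES
        || (new finfo(FILEINFO_MIME_TYPE))->buffer($body) !== $mime) {
        fail(502);
    }
    $tmp = tempnam(CACHE_DIR, 'tmp');         // write to a temp file, then swap it in atomically
    if ($tmp === false || file_put_contents($tmp, $body) === false || !rename($tmp, $cache)) {
        fail(500);
    }
}

header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, max-age=' . CACHE_TTL);
readfile($cache);
```

The module page would then reference images as `img_proxy.php?f=icons/logo.png` (a constructed path) instead of the CloudFront URL.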
     
  6. Hans Desjarlais

    Hans Desjarlais New Member

    @till yeah I don't think editing the vhost file would make sense. I will go with your suggestion of using a proxy.
     
  7. Hans Desjarlais

    Hans Desjarlais New Member

    @till How can we include a JS file in the footer of the module page? Do we have to edit the main.tpl.htm file (/usr/local/ispconfig/interface/web/themes/default/templates/main.tpl.htm)? We only need our JS file to be loaded in the footer on the module page.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Have you tried to put your js file into interface/web/js/js.d/ folder? I guess it includes in the header, but this might work for your purpose too.
     
  9. Hans Desjarlais

    Hans Desjarlais New Member

    @till The JS file needs to be loaded after the jQuery file is loaded in the footer. So it wouldn't work in the header.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I just had a look at the code, the files from js.d folder get included in the footer, so it should be ok.
     
  11. Hans Desjarlais

    Hans Desjarlais New Member

    @till yes, it worked. Thx.
     
  12. Hans Desjarlais

    Hans Desjarlais New Member

    @till sorry, not sure if I should create a new topic but thought I'd ask you in here.
    Is there documentation on getting default account/user values?
    For example:
    $_SESSION['s']['user']['username'] to get the username
    $_SESSION['s']['user']['email'] to get the user's email
    $_SESSION['s']['user']['domains'] to get the user's/account domains
    etc.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    $_SESSION['s']['user'] contains what you can find in the sys_user table of the database for the currently logged-in user.
     
    ahrasis and Hans Desjarlais like this.
