Welcome to the LimeSurvey Community Forum
Content Security Policy help
- jlhollowell
- New Member
2 years 9 months ago #218292
Replied by jlhollowell on topic Content Security Policy help
Hello,
I'm new to the forums here and relatively new to Limesurvey. I've setup an instance running with Nginx and just discovered, when attempting to set up a content security policy header, that the basic header breaks Limesurvey...or at least the admin login page. I searched around trying to find some documentation here and this is where I ended up.
I guess I need to add to this:
add_header Content-Security-Policy "default-src 'self';" always;
Thanks in advance for any help available.
Cheers
Jason
The topic has been locked.
- jcarberry
- New Member
2 years 9 months ago #218294
Replied by jcarberry on topic Content Security Policy help
Have you tried:
1. configuring CSP to send a report when there are infractions of the policy?
2. checking the browser console for any CSP errors?
With those two tools and visiting every possible page you should be able to detect what you wish to permit in your CSP.
Best to do this without any extensions in your browser, as some of them can inject code in the pages that might trigger CSP errors.
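The two tools suggested above (a reporting endpoint and the browser console) produce a stream of violation reports that still has to be turned into a list of directives to allow. The following is an added example, not code from this thread or from LimeSurvey: it aggregates CSP violation reports of the legacy `csp-report` JSON shape (what a browser POSTs to the `report-uri` of a `Content-Security-Policy-Report-Only` header) into the source expressions each directive is missing. The report bodies, hostnames and page paths are constructed placeholders, not captured from a LimeSurvey installation.

```python
"""Summarise CSP violation reports into the sources a policy is missing.

Added example, not code from the forum thread or from LimeSurvey. To collect
such reports, serve the policy first as Content-Security-Policy-Report-Only
with a `report-uri` directive pointing at an endpoint that stores the POSTed
JSON. The reports below are constructed samples in the legacy `csp-report`
shape; the hostnames and paths are placeholders.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit


def _report(page, directive, blocked):
    """Build one constructed report body the way a browser would POST it."""
    return json.dumps({"csp-report": {
        "document-uri": page,
        "violated-directive": directive,
        "effective-directive": directive,
        "blocked-uri": blocked,
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }})


# Constructed page URLs (placeholders, not real LimeSurvey routes).
LOGIN = "https://survey.example/admin-login"
SURVEY = "https://survey.example/survey/123456"

SAMPLE_REPORTS = [
    _report(LOGIN, "script-src", "inline"),
    _report(LOGIN, "style-src", "inline"),
    _report(SURVEY, "script-src", "eval"),
    _report(SURVEY, "script-src", "inline"),
    _report(SURVEY, "font-src", "https://cdn.example/fonts/open-sans.woff2"),
    _report(SURVEY, "img-src", "data"),
]


def source_for(blocked_uri):
    """Map a report's blocked-uri to the source expression that would allow it."""
    if blocked_uri == "inline":
        return "'unsafe-inline'"
    if blocked_uri == "eval":
        return "'unsafe-eval'"
    if blocked_uri in ("data", "blob"):
        return blocked_uri + ":"  # browsers report scheme-only for these
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # one origin covers every path
    return blocked_uri  # unrecognised value: leave for manual review


def aggregate(raw_reports):
    """Return ({directive: {source, ...}}, {page: violation count})."""
    needed = defaultdict(set)
    per_page = defaultdict(int)
    for raw in raw_reports:
        body = json.loads(raw)["csp-report"]
        # Older browsers put the whole directive ("script-src 'self'") in
        # violated-directive, so keep only its name.
        directive = body.get("effective-directive") or body["violated-directive"].split()[0]
        needed[directive].add(source_for(body["blocked-uri"]))
        per_page[body["document-uri"]] += 1
    return dict(needed), dict(per_page)


UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}


def summarise(needed):
    """One line per directive; unsafe keywords are flagged because they
    weaken the XSS protection the policy is meant to provide."""
    lines = []
    for directive in sorted(needed):
        sources = sorted(needed[directive])
        flag = "  <-- weakens policy" if UNSAFE & set(sources) else ""
        lines.append(f"{directive}: {' '.join(sources)}{flag}")
    return lines


if __name__ == "__main__":
    needed, per_page = aggregate(SAMPLE_REPORTS)
    print("\n".join(summarise(needed)))
    for page, count in sorted(per_page.items()):
        print(f"{count} violation(s) on {page}")
```

Running the policy in report-only mode first means nothing breaks while the list is collected; once every page has been visited and the summary is stable, the same policy can be switched to the enforcing `Content-Security-Policy` header. Entries flagged as weakening the policy are worth a second look: `'unsafe-inline'` in `script-src` allows any injected inline script, so it should only stay if the application really cannot run without it.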
- DenisChenu
- LimeSurvey Community Team
2 years 9 months ago #218295
Replied by DenisChenu on topic Content Security Policy help
Did you read the topic?
Hello,
I'm new to the forums here and relatively new to Limesurvey. I've setup an instance running with Nginx and just discovered, when attempting to set up a content security policy header, that the basic header breaks Limesurvey...or at least the admin login page. I searched around trying to find some documentation here and this is where I ended up.
I guess I need to add to this:
add_header Content-Security-Policy "default-src 'self';" always;
Thanks in advance for any help available.
Cheers
Jason
Clearly written "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" some posts before.
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- jlhollowell
- New Member
2 years 9 months ago #218299
Replied by jlhollowell on topic Content Security Policy help
Denis,
Thanks for the reply. No, unfortunately, I didn't/don't see the line you are referring to...I see the following:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
Which Nginx does not like. I also see a subsequent message you posted, "Seems we need the 'unsafe-eval' … for public part", but the line you provided here, "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';", I don't find. Maybe it was deleted...? Or possibly I was supposed to parse it from the longer line I pasted above. Sorry, I'm relatively new to Nginx as well as to Content Security Policy headers...I'll get there but will probably irritate a few people along the way...not by intention, of course.
At any rate, I will give it a try and hope for the best.
Regards
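The `Header always set ... "expr=..."` line quoted above is Apache syntax: the second quoted argument is an Apache expression that restricts the header to responses whose Content-Type matches, and nginx's `add_header` has no such argument. As an added example (not code from this thread, from LimeSurvey or from h5bp, and not a reproduction of the linked h5bp files), the script below parses that Apache line, breaks the policy into directives, flags the ones that depend on `'unsafe-inline'` or `'unsafe-eval'`, and renders an nginx equivalent; the content-type condition is expressed with a `map` on `$sent_http_content_type` feeding `add_header`, which is this example's own rendering rather than anything the thread states.

```python
"""Translate the Apache CSP Header line quoted in the thread into nginx config.

Added example, not code from the forum thread or from LimeSurvey. APACHE_LINE
is the directive quoted in the thread; everything else here is this script's
own logic. The nginx output relies on two nginx behaviours: `map` can select a
value by regex on $sent_http_content_type, and `add_header` does not emit a
header whose value is empty, so non-matching responses get no CSP header.
"""
import re
import shlex

# The Apache directive as quoted in the thread (single backslashes in the expr).
APACHE_LINE = (
    "Header always set Content-Security-Policy \"default-src 'self'; script-src 'self' "
    "'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; "
    "form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests\" "
    "\"expr=%{CONTENT_TYPE} =~ m#text\\/(html|javascript)|application\\/pdf|xml#i\""
)


def parse_apache_header(line):
    """Return (header name, header value, content-type regex or None).

    Handles `Header [always] set NAME VALUE [expr=...]`; the optional expr is
    reduced to the body of Apache's m#pattern#flags regex literal.
    """
    tokens = shlex.split(line)  # respects the double-quoted arguments
    if tokens[0] != "Header" or "set" not in tokens:
        raise ValueError("not a 'Header ... set' directive")
    i = tokens.index("set")
    name, value = tokens[i + 1], tokens[i + 2]
    condition = None
    for tok in tokens[i + 3:]:
        if tok.startswith("expr="):
            m = re.search(r"m#(.*)#(\w*)$", tok)
            if m:
                condition = m.group(1).replace("\\/", "/")  # Apache needs / escaped, nginx does not
    return name, value, condition


def parse_csp(value):
    """CSP header value -> {directive: [source expressions]} in policy order."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def weak_directives(policy):
    """Directives whose sources (or default-src fallback) contain unsafe keywords."""
    weak = {}
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, policy.get("default-src", []))
        found = [s for s in sources if s in ("'unsafe-inline'", "'unsafe-eval'")]
        if found:
            weak[directive] = found
    return weak


def to_nginx(name, value, condition=None, var="$csp_policy"):
    """Render the header as nginx config. With a content-type condition the
    value comes from a map, so the header is only sent on matching responses."""
    if condition is None:
        return f'add_header {name} "{value}" always;'
    return "\n".join([
        "# http {} context",
        f"map $sent_http_content_type {var} {{",
        f'    ~*{condition} "{value}";',
        "}",
        "",
        "# server or location context",
        f"add_header {name} {var} always;",
    ])


if __name__ == "__main__":
    name, value, condition = parse_apache_header(APACHE_LINE)
    for directive, sources in weak_directives(parse_csp(value)).items():
        print(f"note: {directive} relies on {' '.join(sources)}")
    print(to_nginx(name, value, condition))
```

The `weak_directives` check is there because the thread's policy only works for LimeSurvey by allowing inline and eval'd scripts; knowing exactly which directives carry that exception makes it easier to review whether a later LimeSurvey version still needs it.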
- NPEUWebmaster
- Topic Author
- New Member
2 years 9 months ago #218302
Replied by NPEUWebmaster on topic Content Security Policy help
Hi,
The CSP I came up with was for Apache; I'm not familiar with Nginx either, I'm afraid.
The CSP info mostly came from h5bp / server-configs-apache
There's an Nginx equivalent but the CSP info seems lacking. Not sure if it's helpful.
Also see the section I added to the wiki
Thanks,
Andy
- DenisChenu
- LimeSurvey Community Team
2 years 9 months ago #218305
Replied by DenisChenu on topic Content Security Policy help
For h5bp, here:
github.com/h5bp/server-configs-nginx/blo...security-policy.conf
With params here: github.com/h5bp/server-configs-nginx/blo...fa34/nginx.conf#L107
Must be adapted.