Content Security Policy funkwhale/all-in-one:0.20.1
I was wondering why my album art wasn't loading, so I opened the Firefox developer tools and saw that the loading of the images was blocked because of the CSP headers. It turns out that just using img-src 'self' also requires the resources to be loaded from the same URL scheme as the loaded page (so https in the case of https sites). I serve the container's http endpoint through my nginx reverse proxy, which runs directly on the host and has https enabled, but the images were still being loaded over http, which made Firefox unhappy.
I was able to hack around it by discarding the upstream CSP headers and setting my own to also include http://$host.
I'm not sure if this should really be considered an issue, as the container IS serving its content to the reverse proxy over http, so technically loading resources over http is correct. It only breaks when the container itself runs behind a reverse proxy that does serve the content over https. Maybe a way to detect this scenario could be to check the X-Forwarded-Proto header?
Here is my current (working) config for the nginx instance running on my host system:
upstream funkwhale {
    # the all-in-one container's plain-http endpoint on the host
    server 127.0.0.1:8989;
}

# plain http: redirect everything to https
server {
    listen 80;
    server_name ...;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # assumed: the "listen 443 ssl" directive and the TLS protocol/cipher settings
    # live in this snippet
    include /etc/nginx/snippets/ssl.conf;
    ssl_certificate /etc/letsencrypt/live/.../fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/.../privkey.pem;
    server_name ...;

    # The upstream's CSP is invalid for https sites, so it is discarded.
    # more_clear_headers needs the headers-more module (ngx_http_headers_more_filter_module).
    more_clear_headers Content-Security-Policy;
    # Allow content to be loaded from http://$host.
    # add_header is set at server level and inherited by "location /" because
    # that location adds no headers of its own (nginx does not merge add_header
    # across levels once a location sets one).
    add_header Content-Security-Policy "default-src 'self' http://$host; script-src 'self' http://$host; style-src 'self' http://$host 'unsafe-inline'; img-src 'self' http://$host data:; font-src 'self' http://$host data:; object-src 'none'; media-src 'self' http://$host data:";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    location / {
        client_max_body_size 1G;
        proxy_pass http://funkwhale;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # tells the upstream which scheme the client actually used
        proxy_set_header X-Forwarded-Proto $scheme;
        # websocket upgrade passthrough
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;
        proxy_http_version 1.1;
    }
}
I hope I have provided enough information, but I'll be happy to provide more if needed!
Thanks for the awesome software! <3
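The CSP matching behaviour the post runs into, as an added example that is not part of the original issue or of the Funkwhale project: a simplified CSP Level 3 source-list matcher that reproduces why img-src 'self' on an https page refuses cover art at http://<host>/..., shows that the same header is fine when the page itself is served over http (the container reached directly), and compares the post's workaround (allow-listing http://$host) with the upgrade-insecure-requests directive, which is an alternative suggested here rather than something from the post. The host music.example, the URLs and the "upstream" header are constructed sample data standing in for the real ones; the workaround header is the one from the post with $host expanded to that sample host.

```python
"""
Added example (not from the original issue or from Funkwhale): a simplified
CSP Level 3 source-list matcher.  Covers 'self', 'none', '*', host-sources
(scheme://host[:port], *.host), scheme-sources (data:) and
upgrade-insecure-requests.  Sample host/URLs below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
NETWORK_SCHEMES = {"ftp", "http", "https", "ws", "wss"}


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]} (lower-cased)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def origin_of(url):
    """(scheme, host, port) of a URL; the port falls back to the scheme default."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname, u.port or DEFAULT_PORTS.get(scheme)


def _scheme_matches(expr_scheme, url_scheme):
    # A policy scheme of http also admits https (ws admits wss): upgrades are allowed.
    return url_scheme == expr_scheme or (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def _self_matches(url_origin, page_origin):
    """'self': same origin, or same host with the scheme upgraded (never downgraded)."""
    scheme, host, port = url_origin
    p_scheme, p_host, p_port = page_origin
    if url_origin == page_origin:
        return True
    if host != p_host:
        return False
    ports_ok = port == p_port or (port == DEFAULT_PORTS.get(scheme) and p_port == DEFAULT_PORTS.get(p_scheme))
    upgrade_ok = scheme in ("https", "wss") or (p_scheme == "http" and scheme in ("http", "ws"))
    return ports_ok and upgrade_ok


def _host_source_matches(expr, url_origin, page_scheme):
    """Host-source such as http://music.example, *.example.org or music.example:8443."""
    scheme, host, port = url_origin
    if host is None:
        return False
    expr_scheme, sep, rest = expr.partition("://")
    if not sep:                      # no scheme given: the page's scheme applies
        expr_scheme, rest = page_scheme, expr
    expr_host, _, expr_port = rest.split("/", 1)[0].partition(":")
    if not _scheme_matches(expr_scheme, scheme):
        return False
    if expr_host.startswith("*."):
        if not host.endswith(expr_host[1:]):
            return False
    elif host != expr_host:
        return False
    if expr_port == "":
        return port == DEFAULT_PORTS.get(scheme)
    return expr_port == "*" or expr_port == str(port)


def url_allowed(csp_header, directive, url, page_url):
    """Would a browser on page_url be allowed to fetch url under `directive`?"""
    policy = parse_csp(csp_header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                  # no governing directive: nothing restricts the fetch
    page_origin = origin_of(page_url)
    if "upgrade-insecure-requests" in policy and url.lower().startswith("http://"):
        url = "https://" + url[len("http://"):]   # default-port case only; :80 -> :443 omitted
    url_origin = origin_of(url)
    for expr in sources:
        if expr == "'self'" and _self_matches(url_origin, page_origin):
            return True
        if expr == "*" and (url_origin[0] in NETWORK_SCHEMES or url_origin[0] == page_origin[0]):
            return True
        if expr.endswith(":") and "/" not in expr:           # scheme-source, e.g. data:
            if _scheme_matches(expr[:-1], url_origin[0]):
                return True
        elif not expr.startswith("'") and expr != "*":
            if _host_source_matches(expr, url_origin, page_origin[0]):
                return True
    return False


PAGE = "https://music.example/library"            # constructed: page reached via nginx over https
COVER = "http://music.example/media/cover.jpg"     # constructed: URL the app emitted with the container's scheme
# Constructed stand-in for the container's own header ("just img-src 'self'", as the post describes).
UPSTREAM_CSP = "default-src 'self'; img-src 'self'"
# The post's workaround with $host expanded to the sample host.
WORKAROUND_CSP = ("default-src 'self' http://music.example; script-src 'self' http://music.example; "
                  "style-src 'self' http://music.example 'unsafe-inline'; img-src 'self' http://music.example data:; "
                  "font-src 'self' http://music.example data:; object-src 'none'; media-src 'self' http://music.example data:")
# Alternative suggested here (not from the post): keep 'self' and let the browser upgrade http:// fetches.
UPGRADE_CSP = "default-src 'self'; img-src 'self' data:; upgrade-insecure-requests"


def demo():
    return {
        "upstream CSP, https page": url_allowed(UPSTREAM_CSP, "img-src", COVER, PAGE),                        # False
        "upstream CSP, http page": url_allowed(UPSTREAM_CSP, "img-src", COVER, "http://music.example/library"),  # True
        "workaround": url_allowed(WORKAROUND_CSP, "img-src", COVER, PAGE),                                    # True
        "workaround, other host": url_allowed(WORKAROUND_CSP, "img-src", "http://cdn.example/c.jpg", PAGE),   # False
        "upgrade-insecure-requests": url_allowed(UPGRADE_CSP, "img-src", COVER, PAGE),                        # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'loads' if ok else 'blocked'}")
```

The first case is the post's symptom: the page origin is https://music.example, the image is http://music.example, and 'self' only tolerates a scheme upgrade, so the http fetch is blocked. The second case is why the header is not wrong from the container's point of view: with the page served over plain http the image is same-origin. The workaround widens the policy to an extra, unauthenticated origin; upgrade-insecure-requests instead makes the browser rewrite the http:// URL to https:// before the 'self' check, which keeps the policy tight but still depends on the https endpoint serving the same paths.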