Uploaded image for project: 'Nuxeo Elements'
  1. Nuxeo Elements
  2. ELEMENTS-1545

Fix loading of WebUI when a CSP is configured

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.0.17
    • Component/s: UI
    • Release Notes Summary:
      WebUI loads correctly with a custom CSP policy.
    • Backlog priority:
      900
    • Sprint:
      UI - 2022-12, UI COOLDOWN - 2022-11

      Description

      Steps to reproduce:

      1. configure a DNS for your local Nuxeo app in /etc/hosts
        csp.nuxeo.org    127.0.0.1
        
      2. configure nuxeo.url in nuxeo.conf
        nuxeo.url=http://csp.nuxeo.org/nuxeo
      3. use the following nginx configuration
        server {
               listen 80;
               
               server_name csp.nuxeo.org;
        
            location / {
                rewrite ^/(.*)$ /nuxeo/$1 last;
            }
        
            location /nuxeo/ {
                proxy_pass http://127.0.0.1:8080/nuxeo/;
                proxy_set_header nuxeo-virtual-host "http://csp.nuxeo.org/";
          }
        }
        
      4. deploy this XML contribution
        <?xml version="1.0" encoding="UTF-8"?>
        <component name="org.nuxeo.csp.config.custom">
        
        <require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require>
        
         <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
         <property name="org.nuxeo.web.ui.expressions.eval">false</property>
         </extension>
          <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="responseHeaders">
            <header name="Content-Security-Policy">script-src data: csp.nuxeo.org</header>
          </extension> 
        </component>
        
      5. start Nuxeo
      6. navigate to http://csp.nuxeo.org/
      7. log in
      8. observe that the WebUI does not load

      By looking at the console in the browser, there is an error

      Refused to evaluate a string as javascript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive "script-src data: csp.nuxeo.org"
      

      Adding 'unsafe-eval' to the policy fixes the loading, but it's not the expected configuration.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 4 days, 3 hours, 31 minutes
                  4d 3h 31m