Steps to reproduce:
- configure a DNS for your local Nuxeo app in /etc/hosts
csp.nuxeo.org 127.0.0.1
- configure nuxeo.url in nuxeo.conf
nuxeo.url=http://csp.nuxeo.org/nuxeo
- use the following nginx configuration
server { listen 80; server_name csp.nuxeo.org; location / { rewrite ^/(.*)$ /nuxeo/$1 last; } location /nuxeo/ { proxy_pass http://127.0.0.1:8080/nuxeo/; proxy_set_header nuxeo-virtual-host "http://csp.nuxeo.org/"; } }
- deploy this XML contribution
<?xml version="1.0" encoding="UTF-8"?> <component name="org.nuxeo.csp.config.custom"> <require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require> <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration"> <property name="org.nuxeo.web.ui.expressions.eval">false</property> </extension> <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="responseHeaders"> <header name="Content-Security-Policy">script-src data: csp.nuxeo.org</header> </extension> </component>
- start Nuxeo
- navigate to http://csp.nuxeo.org/
- log in
- observe that the WebUI does not load
By looking at the console in the browser, there is an error
Refused to evaluate a string as javascript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive "script-src data: csp.nuxeo.org"
Adding 'unsafe-eval' to the policy fixes the loading, but it's not the expected configuration.
- is related to
-
ELEMENTS-1552 Bump @nuxeo/quill in UI Elements
- Resolved
-
WEBUI-608 NXUI: Make web ui work with strict CSP headers
- Resolved
There are no Sub-Tasks for this issue.