Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-23912

Fix Content Security Policy header

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.3
    • Fix Version/s: 9.10
    • Component/s: Web Common

      Description

      The plugin https://github.com/nuxeo-sandbox/nuxeo-pdfannotation-viewer stopped working on 9.3 because of a csp header error

      Refused to load the image 'blob:https://dam-solution-93.cloud.nuxeo.com/f93bc753-6320-45be-8953-ec3c538437bc' because it violates the following Content Security Policy directive: "img-src * data:".
      

      Adding the following contrib in studio solved the issue after a restart

       <require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require>
          <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService"
          point="responseHeaders">
          <header name="Content-Security-Policy">img-src data: blob: *; default-src * blob:; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>
        </extension>
      

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                1 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 15 minutes
                  15m

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.