4 posts Page 1 of 1
CouchCMS works great out of the box but when I tried to add Content Security Policy to the site it broke the admin panel.

The site itself works without any problems (even GoogleMaps which was a fight to get working with CSP) but the Admin Panel remains unusable.

If possible I would like to get CouchCMS working with CSP.

Here the CSP:
Code:
Header set Content-Security-Policy: "default-src 'self' ajax.googleapis.com maxcdn.bootstrapcdn.com www.google-analytics.com maps.google.com maps.gstatic.com maps.googleapis.com mt1.googleapis.com mt.googleapis.com mt0.googleapis.com csi.gstatic.com khm0.googleapis.com khm1.googleapis.com fonts.googleapis.com fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com maxcdn.bootstrapcdn.com www.google-analytics.com maps.google.com maps.gstatic.com maps.googleapis.com mt1.googleapis.com mt.googleapis.com mt0.googleapis.com csi.gstatic.com khm0.googleapis.com khm1.googleapis.com fonts.googleapis.com fonts.gstatic.com"


I added the unsafe-inline part because of CouchCMS which removed quite a bit of the errors but something else gets blocked by the CSP that makes the Admin Panel unusable.

Any idea how I could get it to work? Thanks in advance.
Not sure if I'll be able to help you much with this endeavor, Kadeyrn but I found the following at https://developer.chrome.com/extensions ... rityPolicy that could have some bearing on the problem -
Relaxing the default policy
Inline Script:
There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.
Since Couch's admin-panel makes use of inline JS liberally, I think the point above should explain why it stopped working.

Keep us posted about your progress.
Thanks.
Ok, I've found a quite simple solution.

I have enabled it for the frontend. Everything works and I could take out the unsafe-inline part.
And in the backend I just added

Code:
<IfModule mod_headers.c>
Header unset Content-Security-Policy
</IfModule>


to the .htaccess file in the couch folder.
And admin-panel works again.
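An added example, not code from this thread or from CouchCMS: CSP fetch directives fall back to default-src when they are absent, so the site-wide policy in the first post allows inline scripts but, having no style-src, rejects inline styles (and, having no img-src, data: images). The small evaluator below makes that fallback visible for the posted policy; that the admin panel actually depends on inline styles is an assumption here, which a Content-Security-Policy-Report-Only header in the couch folder would confirm before the policy is unset there.

```python
# Added example (not from the thread): evaluate which resource types a
# Content-Security-Policy still restricts once default-src fallback is
# applied. Simplification: nonce/hash sources (which make 'unsafe-inline'
# ignored in CSP 3) are not modelled.

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored
    return policy


def effective_sources(policy: dict, directive: str):
    """Source list the browser actually applies to `directive` (None = unrestricted)."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def inline_allowed(policy: dict, directive: str) -> bool:
    """True if inline code of this type would be permitted under the policy."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return "'unsafe-inline'" in [s.lower() for s in sources]


# Constructed sample: the first post's policy, shortened to the parts that
# matter for the fallback question (host list trimmed).
SITE_POLICY = ("default-src 'self' ajax.googleapis.com; "
               "script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com")


def report(header: str) -> dict:
    """Inline permission per directive the admin panel is likely to exercise."""
    policy = parse_csp(header)
    return {d: inline_allowed(policy, d) for d in ("script-src", "style-src")}


if __name__ == "__main__":
    for directive, ok in report(SITE_POLICY).items():
        print(f"{directive:10s} inline {'allowed' if ok else 'BLOCKED'}")
```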
Great! Thanks for sharing the solution with us.