Content-Security-Policy and other security HTTP headers

narcisgarcia · June 11, 2021, 6:51am

Dashboard and other sections don’t show content unless I disable CSP & SOP.
Issue open at:

Content-Security-Policy and other security HTTP headers

opened 04:36AM - 11 Nov 20 UTC

bug stale

I've just installed and started with LibreTime (I don't know how to see version …at web interface) and my website has following HTTP headers set: ``` Header set Strict-Transport-Security "max-age=15768000" Header set X-Content-Type-Options "nosniff" Header set X-Frame-Options "SAMEORIGIN" Header set X-XSS-Protection "1; mode=block" Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'" Header set Referrer-Policy "same-origin" Header set Permissions-Policy "payment=()" ``` Dashboard and other sections don't show content unless I disable completely the CSP line. 1. LibreTime HTML/CSS/JS code should be cleaned to allow a strict website security and approve test in observatory.mozilla.org 2. In the meanwhile, what are the minimum requirements in CSP to LibreTime web interface fully works?

Topic		Replies	Views
LT behind a Proxy Get Help	6	1400	November 12, 2019
Uncaught DOMException: Blocked a frame with origin "https://music.domain.com" from accessing a cross-origin frame	2	2836	October 19, 2020
LibreTime and control panels	1	431	January 27, 2025
HTTPS on Libretime Get Help	9	650	September 11, 2023
Can Not Login to Libretime after install SSL Certbot Get Help	0	375	November 20, 2022

Content-Security-Policy and other security HTTP headers

Related topics