Content-Security-Policy and other security HTTP headers

narcisgarcia · June 11, 2021, 6:51am

Dashboard and other sections don’t show content unless I disable CSP & SOP.
Issue open at:

Content-Security-Policy and other security HTTP headers

opened 04:36AM - 11 Nov 20 UTC

bug stale

I've just installed and started with LibreTime (I don't know how to see version …at web interface) and my website has following HTTP headers set: ``` Header set Strict-Transport-Security "max-age=15768000" Header set X-Content-Type-Options "nosniff" Header set X-Frame-Options "SAMEORIGIN" Header set X-XSS-Protection "1; mode=block" Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'" Header set Referrer-Policy "same-origin" Header set Permissions-Policy "payment=()" ``` Dashboard and other sections don't show content unless I disable completely the CSP line. 1. LibreTime HTML/CSS/JS code should be cleaned to allow a strict website security and approve test in observatory.mozilla.org 2. In the meanwhile, what are the minimum requirements in CSP to LibreTime web interface fully works?

Topic		Replies	Views
Uncaught DOMException: Blocked a frame with origin "https://music.domain.com" from accessing a cross-origin frame	2	2690	October 19, 2020
On the start page Libretime and after login no more files and entries are displayed Get Help	0	312	May 4, 2021
UI feedback about Dashboard Site Feedback	2	620	February 1, 2019
Libretime for licenses? Get Help	5	461	December 24, 2020
Libretime doesn't send any song titles (meta) Get Help	1	384	April 17, 2020

Content-Security-Policy and other security HTTP headers

Related Topics