Content-Security-Policy and other security HTTP headers

narcisgarcia · June 11, 2021, 6:51am

Dashboard and other sections don’t show content unless I disable CSP & SOP.
Issue open at:

Content-Security-Policy and other security HTTP headers

opened 04:36AM - 11 Nov 20 UTC

bug stale

I've just installed and started with LibreTime (I don't know how to see version …at web interface) and my website has following HTTP headers set: ``` Header set Strict-Transport-Security "max-age=15768000" Header set X-Content-Type-Options "nosniff" Header set X-Frame-Options "SAMEORIGIN" Header set X-XSS-Protection "1; mode=block" Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'" Header set Referrer-Policy "same-origin" Header set Permissions-Policy "payment=()" ``` Dashboard and other sections don't show content unless I disable completely the CSP line. 1. LibreTime HTML/CSS/JS code should be cleaned to allow a strict website security and approve test in observatory.mozilla.org 2. In the meanwhile, what are the minimum requirements in CSP to LibreTime web interface fully works?

Topic		Replies	Views
LibreTime 3 Beta Todos Dev Talk	21	2884	April 21, 2021
Uncaught DOMException: Blocked a frame with origin "https://music.domain.com" from accessing a cross-origin frame	2	2865	October 19, 2020
Migrate very old libretime version to latest version on new hardware Get Help	12	447	September 11, 2023
SSL... Still won't work	25	2257	October 1, 2023
HTTPS on Libretime Get Help	9	708	September 11, 2023

Content-Security-Policy and other security HTTP headers

Related topics