On Fri, May 3, 2019, 15:09 Nick Couchman <[email protected]> wrote:

> On Fri, May 3, 2019 at 3:17 PM Zer0Cool <[email protected]> wrote:
>
>> CentOS/RHEL 7.6
>> Nginx 1.16.0
>> OpenSSL 1.0.2k-fips
>> Guac 1.0.0
>>
>> I have SSL working just fine with a Let's Encrypt cert. I am attempting to
>> add a CSP line to the nginx conf and it's causing the login page to look odd
>> and not actually logging in (I will explain further).
>>
>> The line I am adding is:
>>
>> add_header Content-Security-Policy "default-src 'none'; script-src 'self';
>> connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors
>> 'none';" always;
>>
>> If I add the above, restart nginx and clear browser cache the login page
>> loads but the title reads as "{{'APP.NAME' | translate}}" and within the
>> fields "{{getFieldHeader() | translate}}" and the login button reads
>> "{{'LOGIN.ACTION_LOGIN' |".
>>
>> Clicking login after entering credentials seems to fail (red banner at top
>> of page) and shows what seems to then just be a white page with a blankish
>> button. tail -f /var/log/messages says authentication was a success.
>>
>
> It's likely that this security policy is impacting things between the
> AngularJS application (running in the web browser) and the web server. I
> would expect if you open the Developer Console for whatever browser you're
> using that you'll see some error message or another. I'm not familiar
> enough with the Content-Security-Policy header to know what each of those
> items does, but, if that header applies a policy to the browser then it's
> likely that setting everything to self is disabling some of the
> conversation between the JavaScript application in the browser and the
> Nginx server, causing things to fail. I'd have to do some more testing to
> validate, but that's just my guess.
>
If I remember correctly, the CSP header instructs the browser that the content being served will only leverage [list of things] and that any attempt to leverage things not in that list should be rejected (presumed to be due to an attack of some kind). Among the things that can be blocked through using CSP are dynamic loading of resources, uses of the JavaScript eval() function, etc. Prohibiting some of those features may be interfering with normal operation of AngularJS and jQuery. I'm sure it's possible to produce a CSP that works. It would be a matter of determining what must be allowed.

- Mike
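Added example (not from this thread and not Guacamole project code): a small Python evaluator of CSP semantics that shows what the quoted policy denies. Two rules explain the symptoms Zer0Cool describes. First, fetch directives not named in the header (font-src here) fall back to `default-src 'none'`. Second, `script-src 'self'` without `'unsafe-eval'` blocks `eval()` and `new Function()`, which AngularJS 1.x uses to evaluate `{{ ... }}` template expressions unless its ng-csp mode is active, and unrendered bindings are exactly what that failure looks like. The origin, paths and the list of resource needs below are constructed placeholders; the real set should be read off the browser's console, as Nick suggests.

```python
"""Minimal Content-Security-Policy evaluator (added example; not from the thread).

Parses a CSP header value, resolves default-src fallback, and reports which
of an application's resource needs a given policy denies. Hash/nonce sources
and path matching are deliberately left out to keep the logic short.
"""
from urllib.parse import urlsplit

# Fetch directives that inherit default-src when they are not listed explicitly.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
}

def parse_csp(header):
    """Split a header value into {directive: [source expressions]}.
    Directives are ';'-separated; per spec the first occurrence of a
    directive wins and later duplicates are ignored."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive`, honouring default-src fallback.
    None means the policy places no restriction on that directive."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None

def _host_ok(pattern, host):
    """Host-source match: exact host, or '*.example' covering subdomains only."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def _source_matches(expr, url, page_origin):
    """Does one source expression permit `url` for a page at `page_origin`?"""
    u, p = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        # CSP Level 3: 'self' also covers wss: to the page's own https host.
        # Browsers implementing Level 2 needed the WebSocket origin listed explicitly.
        scheme_ok = u.scheme == p.scheme or (p.scheme == "https" and u.scheme == "wss")
        return scheme_ok and u.netloc == p.netloc
    if expr == "*":                              # any network scheme
        return u.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":"):                       # scheme-source, e.g. data: or wss:
        return u.scheme == expr[:-1]
    if "://" in expr:                            # host-source with explicit scheme
        e = urlsplit(expr)
        return u.scheme == e.scheme and _host_ok(e.netloc, u.netloc)
    if expr.startswith("'"):                     # 'none', 'unsafe-inline', ... grant no URL
        return False
    return _host_ok(expr, u.netloc)              # bare host-source

def allows_url(policy, directive, url, page_origin):
    """True if the policy lets the page load `url` under `directive`."""
    srcs = effective_sources(policy, directive)
    if srcs is None:
        return True
    return any(_source_matches(s, url, page_origin) for s in srcs)

def allows_eval(policy):
    """eval() / new Function() require 'unsafe-eval' in the effective script-src."""
    srcs = effective_sources(policy, "script-src")
    return srcs is None or "'unsafe-eval'" in srcs

def allows_inline(policy, directive):
    """Inline <style>/style="" or inline <script> need 'unsafe-inline'
    (or a matching nonce/hash, which this example does not model)."""
    srcs = effective_sources(policy, directive)
    return srcs is None or "'unsafe-inline'" in srcs

def denied_needs(header, page_origin, needs):
    """Return the labels of `needs` that `header` would block.
    A need is (label, directive, requirement); requirement is 'eval',
    'inline', or a URL the page will fetch."""
    policy = parse_csp(header)
    denied = []
    for label, directive, req in needs:
        if req == "eval":
            ok = allows_eval(policy)
        elif req == "inline":
            ok = allows_inline(policy, directive)
        else:
            ok = allows_url(policy, directive, req, page_origin)
        if not ok:
            denied.append(label)
    return denied

# Constructed sample: the policy quoted in the thread, checked against resource
# needs typical of an AngularJS single-page app. Host and paths are placeholders.
ORIGIN = "https://guac.example.test"
THREAD_POLICY = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
                 "img-src 'self'; style-src 'self'; frame-ancestors 'none';")
APP_NEEDS = [
    ("angular-expression-eval", "script-src", "eval"),
    ("inline-style-attributes", "style-src", "inline"),
    ("self-hosted-font", "font-src", ORIGIN + "/fonts/app.woff"),
    ("websocket-tunnel", "connect-src", "wss://guac.example.test/ws"),
    ("data-uri-image", "img-src", "data:image/png;base64,AAAA"),
    ("app-script", "script-src", ORIGIN + "/app.js"),
]

if __name__ == "__main__":
    for label in denied_needs(THREAD_POLICY, ORIGIN, APP_NEEDS):
        print("denied by policy:", label)
```

Run against the thread's header, the evaluator reports the expression evaluation, inline styles, the font and the data: image as denied, while the same-origin script and the wss: tunnel pass. The obvious fix of adding `'unsafe-eval'` and `'unsafe-inline'` makes the policy permit much of what CSP exists to stop, so the tighter route, where the application supports it, is a CSP-compatible build (AngularJS's ng-csp mode) plus only the scheme sources the console shows are actually needed.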
