CSP prevents cross‐origin image preloading #263

Closed
opened 2022-11-10 15:56:03 +00:00 by nil · 8 comments

Image preloading in Pleroma-FE relies on `fetch()`, but the `Content-Security-Policy` header generated by Akkoma does not include the media sources in `connect-src`. As a result, image preload requests will be blocked if the image is not loaded from the same origin. I noticed this when trying out image preloading with a media proxy cache running on a sub‐domain (Akkoma 3.3.1, Pleroma-FE rev `c8c8d40827`).

https://docs.akkoma.dev/stable/configuration/cheatsheet/#media_proxy

you may want to set base_url on the media proxy
Author

> https://docs.akkoma.dev/stable/configuration/cheatsheet/#media_proxy
>
> you may want to set base_url on the media proxy

I did exactly that, but as far as I can tell from <https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/lib/pleroma/web/plugs/http_security_plug.ex#L107>, it is only included in `img-src` and `media-src` but not in `connect-src`.
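The `img-src` versus `connect-src` distinction raised above, as an added example that is not part of this thread or of Akkoma's own code: a small Python checker with simplified CSP source matching (host, scheme, `'self'`, `'none'` and wildcard hosts; paths, nonces and hashes are ignored), run over two constructed policies for the constructed hostnames `social.example` and `media.example`. It shows that a policy listing the media host only under `img-src` and `media-src` still blocks a `fetch()` of the same image, because `fetch()` is governed by `connect-src`, and that adding the host to `connect-src` is what unblocks the preload.

```python
"""Added example: which CSP directive governs a load, and whether a policy
allows it. Simplified source matching; paths, nonces and hashes are ignored."""
from urllib.parse import urlparse

# Constructed sample values; not taken from any real deployment.
PAGE_ORIGIN = "https://social.example"
MEDIA_URL = "https://media.example/proxy/abc123.png"

# Policy shape described in the thread: the media host appears in img-src
# and media-src only.
POLICY_BEFORE = (
    "default-src 'none'; connect-src 'self'; "
    "img-src 'self' data: blob: https://media.example; "
    "media-src 'self' https://media.example"
)
# Same policy with the media host also listed in connect-src.
POLICY_AFTER = POLICY_BEFORE.replace(
    "connect-src 'self';", "connect-src 'self' https://media.example;"
)


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}. Per the spec the
    first occurrence of a directive wins; later duplicates are ignored."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            name, *sources = tokens
            directives.setdefault(name.lower(), sources)
    return directives


def source_matches(source, url, page_origin):
    """Does one CSP source expression match the URL?"""
    source = source.lower()
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source.startswith("'"):
        return False  # 'unsafe-inline', nonces, hashes never match a URL
    if source == "*":
        return u.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":"):  # scheme-source such as data: or https:
        return u.scheme == source[:-1]
    # host-source: [scheme://]host[:port][/path]; the path is ignored here
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and scheme != u.scheme:
        return False
    effective_port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    if port and port != "*" and int(port) != effective_port:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def allows(header, directive, url, page_origin=PAGE_ORIGIN):
    """True if the policy lets `directive` load `url`; falls back to default-src."""
    directives = parse_csp(header)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src present: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)


def preload_check(header, url=MEDIA_URL):
    """Compare an <img> load (img-src) with a fetch() preload (connect-src)."""
    return {
        "img_tag": allows(header, "img-src", url),
        "fetch": allows(header, "connect-src", url),
    }


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, preload_check(policy))
```

Running it prints `before {'img_tag': True, 'fetch': False}` and `after {'img_tag': True, 'fetch': True}`. The same check applies to any extra media origin (an S3 or CDN subdomain, for instance): whatever host the frontend fetches from must appear in `connect-src`, not only in `img-src` and `media-src`.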

should be fixed by ac0c00cdee

try that out

I'm getting similar CSP errors but for the S3 obj store subdomain:

![image](/attachments/6131a44e-a463-4256-bd6e-53dd65cd4997)

E.g. main site is `pl.nudie.social`; S3 bucket @ `cdn.nudie.social`
Author

> I'm getting similar CSP errors but for the S3 obj store subdomain:
>
> ![image](/attachments/6131a44e-a463-4256-bd6e-53dd65cd4997)
>
> E.g. main site is `pl.nudie.social`; S3 bucket @ `cdn.nudie.social`

As far as I can tell, ac0c00cdee should fix that as well.
Author

@nninja Can you confirm that the fix has solved the problem you observed?

If so, I’d like to close this issue.

@nil Looks like fixed, danke!
Author

@nninja De rien.

@floatingghost Thank you for the quick fix.
nil closed this issue 2022-11-20 22:45:53 +00:00
Reference: AkkomaGang/akkoma#263