This repository has been archived by the owner on Apr 27, 2019. It is now read-only.

Figuring out proper CSP #27

Open
faust64 opened this issue Nov 22, 2017 · 1 comment

Comments

@faust64

faust64 commented Nov 22, 2017

As I was trying to set up my usual nginx headers, serving the web worker behind a reverse proxy, adding SSL, ...

Here's the last error I can read in the Chrome console:

maildrop.example.com/:30 Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans:400,300,600' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com ".

Or:

Mixed Content: The page at 'https://maildrop.example.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans:400,300,600'. This request has been blocked; the content must be served over HTTPS.

Would require editing web/app/views/template.scala.html, although I'm not sure how to proceed to ensure HTTP clients won't suffer that issue ....

@JReming85

Pretty sure if you rewrote the HTML and removed the http handler, it should match the website's handler (http/https) when loaded.
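
Added example, not part of the thread or of the project's code: a simplified model of the two browser checks behind the errors quoted in the issue, applied to the three ways the template could reference the font stylesheet. The function names and the `http://maildrop.example.com/` page URL are assumptions, and only `'self'` and `scheme://host` sources are modelled.

```javascript
// Added example: simplified model of the two browser checks from this thread.
// Only 'self' and scheme://host sources are modelled (no wildcards, ports, paths).
const CSP = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com "; // from the console error
const FONT_PATH = "fonts.googleapis.com/css?family=Open+Sans:400,300,600";

// CSP lets an http: source also match an https: URL, never the reverse.
function schemeMatches(sourceScheme, urlScheme) {
  return sourceScheme === urlScheme ||
    (sourceScheme === "http:" && urlScheme === "https:");
}

function cspAllowsStyle(policy, url, page) {
  const directive = policy.split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0] === "style-src");
  if (!directive) return true; // no style-src in this model: nothing to enforce
  return directive.slice(1).some((src) => {
    if (src === "'self'") {
      return url.host === page.host && schemeMatches(page.protocol, url.protocol);
    }
    if (src.startsWith("'")) return false; // keywords like 'unsafe-inline' do not cover URLs
    const s = new URL(src);
    return s.host === url.host && schemeMatches(s.protocol, url.protocol);
  });
}

// Returns the list of reasons the stylesheet would be refused (empty = loaded).
function checkStylesheet(ref, pageUrl) {
  const page = new URL(pageUrl);
  const url = new URL(ref, page); // "//host/..." inherits the page's scheme
  const reasons = [];
  if (page.protocol === "https:" && url.protocol === "http:") reasons.push("mixed-content");
  if (!cspAllowsStyle(CSP, url, page)) reasons.push("csp-style-src");
  return reasons;
}

const HTTPS_PAGE = "https://maildrop.example.com/"; // host from the issue
const HTTP_PAGE = "http://maildrop.example.com/";   // assumed plain-HTTP access to the same site
for (const ref of ["http://" + FONT_PATH, "//" + FONT_PATH, "https://" + FONT_PATH]) {
  for (const pageUrl of [HTTPS_PAGE, HTTP_PAGE]) {
    console.log(pageUrl, ref.split("fonts")[0], checkStylesheet(ref, pageUrl).join("+") || "loaded");
  }
}
```

Under this policy the scheme-relative reference loads on the HTTPS page but is still refused on a plain-HTTP page that sends the same header, while an explicit `https://` reference loads on both.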
