Space scripts in sync mode need CSP "script-src: unsafe-eval"

Hey there,

Not sure if I am doing it correctly, yet I still wanted to share my experience, in case anybody else might face this problem:

To be able to use {{year}} as a suggestedName in a template, I had to create a space script for it. Yet this space script only seemed to work when in online mode. I changed my Header in the apache2 conf file for this route / site to also include unsafe-eval for script-src.

After that I had to delete the cache for the site and login again so that it could take effect. Now it seems to work to have the space scripts working in sync mode as well!

I hope this might help somebody in the future. Please also correct me if I am doing it wrong and if there might be a better way of doing this.

Can you share the exact configuration you added? I may just want to include this in the main server code.

Sure. I (hopefully) replaced my data with placeholders (domain etc.) and my *.conf for the Apache 2 server looks like this:

<VirtualHost *:81>
  ServerAdmin [email protected]
  ServerName DOMAIN.ORG

  Redirect permanent / https://DOMAIN.ORG
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =DOMAIN.ORG
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin [email protected]
  ServerName DOMAIN.ORG

  RewriteEngine on
  RewriteCond %{REQUEST_URI} ^/socket.io             [NC]
  RewriteCond %{HTTP:Upgrade} =websocket             [NC]
  RewriteRule /(.*)  ws://127.0.0.1:3000/$1          [P,L]

  ProxyPass / http://127.0.0.1:3000/
  ProxyPassReverse / http://127.0.0.1:3000/

  RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

  SSLCertificateFile /etc/letsencrypt/live/DOMAIN.ORG/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN.ORG/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf

  Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; object-src 'none';"

</VirtualHost>

I hope this is what you were asking for, and I also hope that this conf does not contain anything stupid … I am rather new to the “I rent my own server to run my own web apps on it” game. (;

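A small check I would run over a header like the one in this conf (an added example, not part of the thread and not the app's or Apache's own code; the per-directive lists of weakening sources and the fallback rules it encodes are my own assumptions): it parses the CSP, resolves the default-src fallback, and reports which directives end up loosened, including ones that inherit 'unsafe-inline' from default-src without ever being mentioned, and the two directives that never inherit at all.

```python
from typing import Dict, List

# Constructed input: the Content-Security-Policy value from the Apache conf above.
POSTED_CSP = ("default-src 'self' 'unsafe-inline'; "
              "script-src 'self' 'unsafe-inline' 'unsafe-eval' ; object-src 'none';")

# Assumption: source expressions that materially weaken each directive.
WILDCARDS = {"*", "http:", "https:", "data:", "blob:"}
RISKY = {
    "script-src":  WILDCARDS | {"'unsafe-inline'", "'unsafe-eval'"},
    "style-src":   WILDCARDS | {"'unsafe-inline'"},
    "object-src":  WILDCARDS,
    "frame-src":   WILDCARDS,
    "connect-src": WILDCARDS,
}
# These directives do NOT fall back to default-src, so they must be set explicitly.
STANDALONE = ("base-uri", "frame-ancestors")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def audit_csp(header: str) -> List[str]:
    """Return one finding per weakening source, after resolving default-src fallback."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive, risky in RISKY.items():
        explicit = directive in policy
        sources = policy[directive] if explicit else policy.get("default-src", [])
        if not sources:
            findings.append(f"{directive}: unrestricted (no {directive} or default-src)")
        for src in sources:
            if src in risky:
                how = "set explicitly" if explicit else "inherited from default-src"
                findings.append(f"{directive}: {src} ({how})")
    for directive in STANDALONE:
        if directive not in policy:
            findings.append(f"{directive}: missing (does not inherit default-src)")
    return findings


if __name__ == "__main__":
    for finding in audit_csp(POSTED_CSP):
        print(finding)
```

For the posted header this reports the explicit 'unsafe-inline' and 'unsafe-eval' on script-src, the 'unsafe-inline' that style-src silently inherits, and the absent base-uri and frame-ancestors; the object-src 'none' passes.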