On 10/15/24 4:20 AM, Freek de Kruijf wrote:
Op zaterdag 12 oktober 2024 15:26:17 CEST schreef Freek de Kruijf:
Op zaterdag 12 oktober 2024 03:12:11 CEST schreef David C. Rankin:
On 10/11/24 6:20 AM, Freek de Kruijf wrote:
I got the suggestion to use F12 in Firefox to see error messages. It revealed that the Content-Security-Policy was set too strict. But even setting all to 'self' is too strict. Still trying to figure out what the right setting is.
It explains why using localhost does not give the problem. I do not have a Content-Security-Policy for localhost.
That makes sense.
My web-servers are on Arch, which simply sets all access restrictions through the conf files (and file ownership/permissions). If you are using a self-signed certificate, it makes sense to go ahead and get an actual SSL certificate from "Let's Encrypt" (it's free) and then you can use "certbot" to update it before its 90-day expiration (they send you e-mail notices).

If you run a mail-host, you can use the same SSL certificate for dovecot, etc.

That eliminates a lot of "nanny programs" that now refuse to talk to servers with self-signed certs. Up until about 5 years ago or so, self-signed certs were fine.
I already have such things (Let's Encrypt) for quite some time.
The Content-Security-Policy is something that can be enabled in the web server (apache) and has nothing to do with the use of http or https. It controls, among other things, the use of CSS in a web page, even the use of CSS which is embedded in the web page (seems silly/unnecessary to me). It is required when you want a high rating on security on your web server.

I analyzed it a bit further. It seems to have to do with CSS style elements outside the body of an HTML page, but in the header. The directive "default-src 'self'" is not enough in that case. It needs to be "default-src 'self' 'unsafe-inline'".
That's interesting. I've not revisited CSS rules in a number of years. You say: "CSS style elements outside the body of a html page, but in the header." Are you talking about external style-sheets referenced in the header? I ask because I haven't noticed a change over the past few years with, e.g. <link rel="stylesheet" type="text/css" href="/path/to/some.css">. I'm running apache 2.4.62 on the servers. Or are you referring to another type of CSS style elements in the page header?

--
David C. Rankin, J.D., P.E.
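The behaviour discussed in the thread (an inline <style> block in the <head> being rejected under "default-src 'self'", and only passing once 'unsafe-inline' is added) can be reproduced and measured outside the browser. The following is an added example, not code from either poster: it extracts the inline <style> blocks from a constructed sample page, computes the CSP hash-source for each one, and builds a style-src directive that allows those exact blocks alongside same-origin external stylesheets without 'unsafe-inline'. The sample HTML and the Apache "Header always set" line it prints are assumptions for illustration; the hash format ('sha256-<base64>') and the fallback from style-src to default-src are the CSP rules browsers apply.

```python
import base64
import hashlib
import re

# Constructed sample page (not from the thread): one external stylesheet
# referenced from <head>, plus one inline <style> element in <head>.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="/static/site.css">
  <style>body { font-family: sans-serif; }</style>
</head>
<body><p>hello</p></body>
</html>
"""

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.DOTALL | re.IGNORECASE)


def inline_style_blocks(html):
    """Return the text of every inline <style> element, byte-exact.

    The hash must be computed over exactly the characters between the tags,
    so no whitespace trimming is done here."""
    return STYLE_RE.findall(html)


def csp_hash(source_text):
    """CSP hash-source for an inline block: 'sha256-' + base64(sha256(text))."""
    digest = hashlib.sha256(source_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def style_src_directive(html):
    """style-src allowing same-origin sheets plus each inline block by hash."""
    sources = ["'self'"] + [csp_hash(b) for b in inline_style_blocks(html)]
    return "style-src " + " ".join(sources)


def parse_policy(header):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def inline_style_allowed(header, block):
    """Would this policy let the browser apply an inline <style> block?

    Browsers use style-src if present, otherwise fall back to default-src.
    'self' only covers fetched resources, so an inline block needs either
    'unsafe-inline' or a hash that matches its exact contents."""
    policy = parse_policy(header)
    sources = policy.get("style-src", policy.get("default-src", []))
    return "'unsafe-inline'" in sources or csp_hash(block) in sources


def apache_header_line(html):
    """mod_headers directive for the hash-based policy (assumed httpd.conf snippet)."""
    policy = "default-src 'self'; " + style_src_directive(html)
    return 'Header always set Content-Security-Policy "%s"' % policy


if __name__ == "__main__":
    block = inline_style_blocks(SAMPLE_HTML)[0]
    for header in ("default-src 'self'",
                   "default-src 'self' 'unsafe-inline'",
                   "default-src 'self'; " + style_src_directive(SAMPLE_HTML)):
        print("%-5s %s" % (inline_style_allowed(header, block), header))
    print(apache_header_line(SAMPLE_HTML))
```

The first policy reproduces the blocked-stylesheet symptom seen in the F12 console, the second is the 'unsafe-inline' workaround from the thread, and the third allows only the specific inline block while still rejecting any other inline CSS, which is the trade-off to weigh when a rating tool penalises 'unsafe-inline'. The hash has to be regenerated whenever the inline block changes, which is why this is usually done at build or deploy time.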