Are you using CSP Headers with Flarum ?

0E800

@clarkwinkelmann
Are your CSP preventing the forum from being displayed in IE11 / Edge?

Is there a way I can have both X-Content-Secuirty-Policy and Content-Security-Policy headers?

From: https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/security/content-security-policy

The latest preview release (EdgeHTML 15.15002) of Microsoft Edge supports Content Security Policy Level 2, which extends and replaces the original Content Security Policy (Level 1) support in the current stable public release.

clarkwinkelmann

0E800 I see no reason for the site to break in IE because of that. If it doesn't support it, it will simply ignore the rules.

However, I didn't test and don't care at all. That's the forum for a game that is only supported on Chrome and Firefox ?

Same for X-Content-Security-Policy and Content-Security-Policy, why would anything break ? If a user-agent doesn't understand a header, it drops it. The only problem might be if the two headers are set with different values... You will need to check the order in which user-agents read them.

From what I've read it was actually recommended to have both headers to support the most browsers ?

0E800

clarkwinkelmann
Would you mind sharing your game forum site address so I can test? If it's not the CSP preventing it from working, it could be the custom Landing Page extension code that's causing my issue.

Thanks again.

clarkwinkelmann

0E800 it's called ZetaMode but it's in closed beta and currently on hold ? Also, it's in French ??

I've seen your post in another topic (don't remember which one) and that's right, there could be a problem between versions of CSP. IE may be trying to read CSPv2 rules as CSPv1 and fail.

Do you get an actual error? How do you know it's not working?

0E800

clarkwinkelmann

Your site is beautiful. I like the color pallete.
On the forum, your language switcher, is that an extension?

0E800

Here is a comparison:

I dont believe the ! message about cache is what is causing it.

Upon inspecting your site I do notice a differnce, besides your page loading.

On my site I get:

HTML1300: Navigation occurred.
dnserror.html

Yours:

HTML1300: Navigation occured. 
zetamode.com

clarkwinkelmann

0E800 that's strange... In the meantime I don't expect IE to give ample details on the matter...

Love the "Fix connection problem" like always ?

I shared the homepage of my project, it does not have any CSP rules (It's a GitHub Pages site going through Cloudflare). The actual forum is at https://forum.zetamode.com/ (it's member-only so you can't see any post)

clarkwinkelmann

0E800 I just checked and I can confirm your website works in IE11 (In the official Microsoft VM).

However, it does not work in Firefox ? Your CSP does not allow external fonts and inline scripts, which destroys the homepage ?

0E800

clarkwinkelmann

Wierd why does it work for me on firefox and chrome but not IE11?

Argh, guess I'll go through each line and test.

Thanks again.

0E800

clarkwinkelmann

I am not following.
My CSP is:

add_header Content-Security-Policy
"default-src 'self' https://www.google.com https://*.youtube.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.keys-daggers.org https://www.google.com https://www.gstatic.com https://cdnjs.cloudflare.com;
style-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com https://fonts.googleapis.com https://cdnjs.cloudflare.com;
img-src 'self' https://*.imgur.com https://*.ssl-images-amazon.com https://cdn.jsdelivr.net data:;
font-src 'self' https://fonts.gstatic.com https://netdna.bootstrapcdn.com;
connect-src 'self';
media-src 'self';
object-src 'self';
form-action 'self';
upgrade-insecure-requests;
block-all-mixed-content;
report-uri  https://keysdaggers.report-uri.io/r/default/csp/reportOnly;";

I checked your https://forum.zetamode.com/ site with both IE11 and Edge and it displays fine.
Again, my site shows up fine on Firefox (destop/mobile) and Chrome.

Guess ill have to turn off CSP to see if it even is the culprit.

Update: Commenting out the CSP did allow Edge to display the site. So which is causing the issue? And why are you able to access from IE?

clarkwinkelmann

0E800 it's all base Flarum styling, with our logo color as main theme color ? The language selector must be the default one, I just installed the French pack and it appeared.

We should move this elsewhere if you want to talk more about my forum design ? (but there's no actual design, it's default ? )

0E800

0E800
Not neccesary. It's not like I really want IE users, just want to be able to solve the issue so I can sleep at night. Haha. Thanks again.

clarkwinkelmann

0E800 I checked the websites again in IE.

When browsing discussions with insecure images on them, IE writes in the console (placeholder for the link):

HTTPS security is compromised by http://example.com/image.jpg

I have no idea if that's because of CSP or standard HTTPS warnings (Firefox displays a warning for mixed content too, no need for CSP)

Whatever, the image is displayed, so this means CSP is not working. No message indicating a parse error for CSP either.

On your website, I get:

DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
File: 11
HTML1300: Navigation occurred.
File: keys-daggers.org
DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
File: 11
CSS3114: @font-face failed OpenType embedding permission check. Permission must be Installable.
File: origicide.ttf

No idea if that font-face permission thing is due to CSP or not.

Again, your website displays with no problems, probably because CSP rules are not parsed at all...

The "About Internet Explorer" tells me I am running:

Version: 11.0.9600.17416
Update versions: 11.0.14 (KB3003057)

No idea if that's up to date or not. I'm using the official Microsoft IE11 VM because I'm on Linux.

Maybe CSP are enabled in a later version ? Do you want me to check if I can get an update ?

clarkwinkelmann

Tests in progress

I hate that program...

clarkwinkelmann

I noticed today that code blocks inject script tags that are run through eval() https://github.com/flarum/core/blob/34f3d93ce56ad18ada6aad65bfc77244fea09716/js/forum/src/components/CommentPost.js#L67

My CSP rules cause this code to fail because it does not allow eval javascript ?

It's not too bad but it seems to break the automatic discussion read status when scrolling to bottom...

tlalok

clarkwinkelmann Yes, 'unsafe-eval' must be added.

I found a google tools for check your csp rules https://csp-evaluator.withgoogle.com/

Problem is script-src 'unsafe-inline'
a solution here http://stackoverflow.com/a/38554505 but It's very complicated to set up.

Maybe an extension can be imagined...
I started a discussion on my forum about csp rules here (but in french)

clarkwinkelmann

I just enabled the Pusher extension on my forum. Here's my new CSP setup (NGINX):

    add_header Content-Security-Policy             "default-src 'self' https://analytics.kilowhat.net; script-src 'self' 'unsafe-inline' https://analytics.kilowhat.net https://cdnjs.cloudflare.com https://js.pusher.com https://sockjs-eu.pusher.com https://stats.pusher.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://analytics.kilowhat.net https://cdn.jsdelivr.net https: data:; connect-src 'self' wss://ws-eu.pusher.com; report-uri https://kilowhat.report-uri.io/r/default/csp/enforce";
    add_header Content-Security-Policy-Report-Only "default-src 'self' https://analytics.kilowhat.net; script-src 'self' 'unsafe-inline' https://analytics.kilowhat.net https://cdnjs.cloudflare.com https://js.pusher.com https://sockjs-eu.pusher.com https://stats.pusher.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://analytics.kilowhat.net https://cdn.jsdelivr.net https: data:; connect-src 'self' wss://ws-eu.pusher.com; report-uri https://kilowhat.report-uri.io/r/default/csp/reportOnly";

analytics.kilowhat.net being my private Piwik server and kilowhat.report-uri.io my custom report URL at https://report-uri.io/ <-- It's a really good service by the way, totally recommend it !

From my old version I added data: URIs for images so it can work with a few SVGs embedded in style sheets and a few Pusher domains that seem required for the eu region.

Posting it here in case it's helpful for anyone.

clarkwinkelmann

I'm getting a few reports for CSP violations for other pusher domains so I think my list is still incomplete...

I'm trying to find an official listing of URLs I should whitelist in my CSP for Pusher... But no success yet.

Could not find anything useful in the official doc, through Google or DuckDuckGo... Anybody has a lead ?

Searching for "pusher js csp" on Google even returns this thread in 9th position ?

PS: Love the Have you tried using the search box at the bottom of the search results...

EDIT: I'm getting reports for URLs like https://timeline30-clientstats1.pusher.com, https://timeline31-clientstats1.pusher.com, https://timeline32-clientstats1.pusher.com, https://timeline33-clientstats1.pusher.com. Maybe I should whitlelist https://*.pusher.com, but I would prefer not to ?

Sanguine

tlalok script-src 'self' 'unsafe-inline' 'unsafe-eval'

Thanks for sharing. Which part of Flarum/extension requires unsafe eval?

clarkwinkelmann

Sanguine any code block includes its own rending javascript as inline. Also the modules and bootstrappers are loaded inline at the bottom of the page.

I think the code rendering makes use of eval. Not sure anymore though.

Sanguine

clarkwinkelmann

Hmmm

./vendor/flarum/core/js/forum/dist/app.js:                eval.call(window, $(this).text());

« Previous Page