Are you using CSP Headers with Flarum ?

clarkwinkelmann
Would you mind sharing your game forum site address so I can test? If it's not the CSP preventing it from working, it could be the custom Landing Page extension code that's causing my issue.

Thanks again.

    0E800 it's called ZetaMode but it's in closed beta and currently on hold ? Also, it's in French ??

    I've seen your post in another topic (don't remember which one) and that's right, there could be a problem between versions of CSP. IE may be trying to read CSPv2 rules as CSPv1 and fail.

    Do you get an actual error? How do you know it's not working?

      Here is a comparison:

      I don't believe the ! message about cache is what is causing it.

      Upon inspecting your site I do notice a difference, besides your page loading.

      On my site I get:

      HTML1300: Navigation occurred.
      dnserror.html

      Yours:

      HTML1300: Navigation occurred.
      zetamode.com

        0E800 that's strange... In the meantime I don't expect IE to give ample details on the matter...

        Love the "Fix connection problem" like always ?

        I shared the homepage of my project, it does not have any CSP rules (It's a GitHub Pages site going through Cloudflare). The actual forum is at https://forum.zetamode.com/ (it's member-only so you can't see any post)

        0E800 I just checked and I can confirm your website works in IE11 (In the official Microsoft VM).

        However, it does not work in Firefox ? Your CSP does not allow external fonts and inline scripts, which destroys the homepage ?

          0E800 it's all base Flarum styling, with our logo color as main theme color ? The language selector must be the default one, I just installed the French pack and it appeared.

          We should move this elsewhere if you want to talk more about my forum design ? (but there's no actual design, it's default ? )

          clarkwinkelmann

          I am not following.
          My CSP is:

          add_header Content-Security-Policy
          "default-src 'self' https://www.google.com https://*.youtube.com;
          script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.keys-daggers.org https://www.google.com https://www.gstatic.com https://cdnjs.cloudflare.com;
          style-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com https://fonts.googleapis.com https://cdnjs.cloudflare.com;
          img-src 'self' https://*.imgur.com https://*.ssl-images-amazon.com https://cdn.jsdelivr.net data:;
          font-src 'self' https://fonts.gstatic.com https://netdna.bootstrapcdn.com;
          connect-src 'self';
          media-src 'self';
          object-src 'self';
          form-action 'self';
          upgrade-insecure-requests;
          block-all-mixed-content;
          report-uri  https://keysdaggers.report-uri.io/r/default/csp/reportOnly;";

          I checked your https://forum.zetamode.com/ site with both IE11 and Edge and it displays fine.
          Again, my site shows up fine on Firefox (desktop/mobile) and Chrome.

          Guess I'll have to turn off CSP to see if it even is the culprit.

          Update: Commenting out the CSP did allow Edge to display the site. So which is causing the issue? And why are you able to access from IE?

            0E800 I checked the websites again in IE.

            When browsing discussions with insecure images on them, IE writes in the console (placeholder for the link):

            HTTPS security is compromised by http://example.com/image.jpg

            I have no idea if that's because of CSP or standard HTTPS warnings (Firefox displays a warning for mixed content too, no need for CSP)

            Whatever, the image is displayed, so this means CSP is not working. No message indicating a parse error for CSP either.

            On your website, I get:

            DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
            File: 11
            HTML1300: Navigation occurred.
            File: keys-daggers.org
            DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
            File: 11
            CSS3114: @font-face failed OpenType embedding permission check. Permission must be Installable.
            File: origicide.ttf

            No idea if that font-face permission thing is due to CSP or not.

            Again, your website displays with no problems, probably because CSP rules are not parsed at all...

            The "About Internet Explorer" tells me I am running:

            Version: 11.0.9600.17416
            Update versions: 11.0.14 (KB3003057)

            No idea if that's up to date or not. I'm using the official Microsoft IE11 VM because I'm on Linux.

            Maybe CSP are enabled in a later version ? Do you want me to check if I can get an update ?

            0E800
            Not necessary. It's not like I really want IE users, just want to be able to solve the issue so I can sleep at night. Haha. Thanks again.

            a month later
            6 days later
            12 days later

            I just enabled the Pusher extension on my forum. Here's my new CSP setup (NGINX):

                add_header Content-Security-Policy "default-src 'self' https://analytics.kilowhat.net;
                    script-src 'self' 'unsafe-inline' https://analytics.kilowhat.net https://cdnjs.cloudflare.com https://js.pusher.com https://sockjs-eu.pusher.com https://stats.pusher.com;
                    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com;
                    font-src 'self' https://fonts.gstatic.com;
                    img-src 'self' https://analytics.kilowhat.net https://cdn.jsdelivr.net https: data:;
                    connect-src 'self' wss://ws-eu.pusher.com;
                    report-uri https://kilowhat.report-uri.io/r/default/csp/enforce";
                add_header Content-Security-Policy-Report-Only "default-src 'self' https://analytics.kilowhat.net;
                    script-src 'self' 'unsafe-inline' https://analytics.kilowhat.net https://cdnjs.cloudflare.com https://js.pusher.com https://sockjs-eu.pusher.com https://stats.pusher.com;
                    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com;
                    font-src 'self' https://fonts.gstatic.com;
                    img-src 'self' https://analytics.kilowhat.net https://cdn.jsdelivr.net https: data:;
                    connect-src 'self' wss://ws-eu.pusher.com;
                    report-uri https://kilowhat.report-uri.io/r/default/csp/reportOnly";

            analytics.kilowhat.net being my private Piwik server and kilowhat.report-uri.io my custom report URL at https://report-uri.io/ <-- It's a really good service by the way, totally recommend it !

            From my old version I added data: URIs for images so it can work with a few SVGs embedded in style sheets and a few Pusher domains that seem required for the eu region.

            Posting it here in case it's helpful for anyone.

            6 days later

            I'm getting a few reports for CSP violations for other pusher domains so I think my list is still incomplete...

            I'm trying to find an official listing of URLs I should whitelist in my CSP for Pusher... But no success yet.

            Could not find anything useful in the official doc, through Google or DuckDuckGo... Anybody has a lead ?

            Searching for "pusher js csp" on Google even returns this thread in 9th position ?

            PS: Love the Have you tried using the search box at the bottom of the search results...

            EDIT: I'm getting reports for URLs like https://timeline30-clientstats1.pusher.com, https://timeline31-clientstats1.pusher.com, https://timeline32-clientstats1.pusher.com, https://timeline33-clientstats1.pusher.com. Maybe I should whitelist https://*.pusher.com, but I would prefer not to ?
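The question of whether `https://*.pusher.com` would cover the `timeline*-clientstats1` hosts, and which hosts a policy is still missing, can be answered mechanically from the violation reports. The following is an added example, not code from this thread or from Flarum/Pusher: it parses a CSP header value into directives, matches URLs against scheme- and host-source expressions (including `*.` wildcards, which match subdomains but not the bare domain), and groups blocked URIs from constructed report-uri JSON by directive. The policy string, report endpoint and reports are constructed; port and path matching, nonces and hashes are left out.

```python
"""Added example (not code from this thread): parse a CSP header value, match URLs against
its source expressions (no port/path matching, no nonces), and group report-uri JSON by directive."""
import json
from urllib.parse import urlparse
# Constructed policy modelled on the Pusher setup above; the report endpoint is a placeholder.
POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' https://js.pusher.com "
          "https://stats.pusher.com; connect-src 'self' wss://ws-eu.pusher.com; "
          "img-src 'self' https: data:; report-uri https://REPORT-ENDPOINT.example/csp")

def parse_csp(header):
    """'dir src src; dir src' -> {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url):
    """Scheme-source (https:, data:) or host-source (host, https://*.host); 'self' etc. count as no match."""
    u = urlparse(url)
    if source.startswith("'"):
        return False
    if source.endswith(":") and "//" not in source:
        return u.scheme == source[:-1]
    scheme, sep, rest = source.partition("://")
    if not sep:  # bare host-source such as cdn.example.com
        scheme, rest = "", source
    host = rest.split("/")[0].lower()
    if not host or (scheme and u.scheme != scheme):
        return False
    if host.startswith("*."):  # *.pusher.com matches a.pusher.com but not pusher.com itself
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host

def allowed(policy, directive, url):
    """Does the directive (falling back to default-src) permit this URL?"""
    return any(source_matches(s, url) for s in policy.get(directive, policy.get("default-src", [])))

def missing_sources(policy, reports):
    """Blocked hosts per directive, from report-uri JSON, that the policy still lacks."""
    missing = {}
    for raw in reports:
        r = json.loads(raw)["csp-report"]
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        if "://" in r["blocked-uri"] and not allowed(policy, directive, r["blocked-uri"]):
            missing.setdefault(directive, set()).add(urlparse(r["blocked-uri"]).hostname)
    return missing

SAMPLE_REPORTS = [  # constructed reports, in both the newer (effective-directive) and older field style
    json.dumps({"csp-report": {"effective-directive": "script-src", "blocked-uri": "https://timeline30-clientstats1.pusher.com/timeline/v2/jsonp/2"}}),
    json.dumps({"csp-report": {"violated-directive": "script-src 'self'", "blocked-uri": "https://timeline31-clientstats1.pusher.com/timeline/v2/jsonp/3"}}),
]
```

Running `missing_sources(parse_csp(POLICY), SAMPLE_REPORTS)` lists the two timeline hosts under `script-src`; rerunning with a policy that includes `https://*.pusher.com` returns an empty dict, which is the trade-off the post describes.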

            a year later

            tlalok script-src 'self' 'unsafe-inline' 'unsafe-eval'

            Thanks for sharing. Which part of Flarum/extension requires unsafe eval?

              Sanguine any code block includes its own rendering javascript as inline. Also the modules and bootstrappers are loaded inline at the bottom of the page.

              I think the code rendering makes use of eval. Not sure anymore though.

                clarkwinkelmann

                Hmmm

                ./vendor/flarum/core/js/forum/dist/app.js:                eval.call(window, $(this).text());