With pagure 5.7.2 we went further in restricting content security policies, and we need some custom headers for stg.pagure.io.
The previous one had a typo on the ev port.
<img alt="0001-pagure-tune-csp-headers-on-stg.patch" src="/fedora-infrastructure/issue/raw/files/bba746d196703f5a8155811366ca47fefb1356f0a996143ebb2136bc7ad1cb4d-0001-pagure-tune-csp-headers-on-stg.patch" />
Don't merge this yet, I want to discuss img-src with @pingou.
After discussing with @pingou, we agreed on going with a more permissive img-src policy. <img alt="0001-pagure-tune-csp-headers-on-stg.patch" src="/fedora-infrastructure/issue/raw/files/e3533aa8fa894132c75b8dc004c71cd5152971b63e52684bd79eecbd7a247ccb-0001-pagure-tune-csp-headers-on-stg.patch" />
Applied, thanks! :)
Metadata Update from @pingou: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
It seems it's the error that is preventing avatars from correctly being displayed on 5.7.2? https://git.dev.centos.org doesn't display avatars anymore, while the link to libravatar is still correct and so opens the image in a second window fine.
@arrfab yep, we went too far hardening content security policies.
For the avatars, you'll need to add a more permissive img-src policy. img-src 'self' http:; should fix that.
I don't know how the centos instance is configured, but in case you're using the ev service, you'll also need to modify the connect-src policy: connect-src 'self' https://{{insert_ev_public_host_and_port_here}};
If docs is enabled, you'll need "frame-src {{ insert_docs_public_host_here }};"
Yeah, we should document this on pagure
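The img-src and connect-src behaviour discussed in this thread, as an added example that is not part of the issue, the attached patch or pagure's code: a simplified Content-Security-Policy source matcher showing why `'self'` alone blocks third-party avatars and why the ev host and port must match exactly. The hosts `pagure.example`, `avatars.example` and `ev.example:8088` are constructed placeholders, and paths, nonces, hashes and ws: rules are ignored.

```javascript
// Added example: simplified CSP source-list matching (see lead-in for what is ignored).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
// Constructed sample values, not taken from the issue thread.
const PAGE = "https://pagure.example/";
const AVATAR = "https://avatars.example/avatar/abc123?s=64";
const EV_STREAM = "https://ev.example:8088/";

// "img-src 'self' http:; ..." -> { "img-src": ["'self'", "http:"] }; first duplicate wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// CSP3 scheme matching: an http: source also matches https: URLs.
function schemeMatches(sourceScheme, urlScheme) {
  return sourceScheme === urlScheme || (sourceScheme === "http:" && urlScheme === "https:");
}

function sourceMatches(source, url, self) {
  if (source === "'self'") return url.origin === self.origin;
  if (source === "*") return schemeMatches("http:", url.protocol); // network schemes, simplified
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return schemeMatches(source.toLowerCase(), url.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (!schemeMatches((scheme || self.protocol).toLowerCase(), url.protocol)) return false;
  const hostOk = host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1).toLowerCase())
    : url.hostname === host.toLowerCase();
  // A source without a port only matches the default port of the URL's scheme.
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  return hostOk && (port === "*" || urlPort === (port || DEFAULT_PORT[url.protocol]));
}

// Would a page at pageUrl be allowed to load resourceUrl under `directive`?
function cspAllows(header, directive, resourceUrl, pageUrl = PAGE) {
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy["default-src"];
  if (sources === undefined) return true; // nothing restricts this fetch
  const url = new URL(resourceUrl), self = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, self));
}

console.log(cspAllows("default-src 'self'", "img-src", AVATAR));
console.log(cspAllows("default-src 'self'; img-src 'self' http:", "img-src", AVATAR));
```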