I noticed an issue with Avatar images not loading when using the default CSP headers. The Chrome console shows an error like this.
Refused to load the image 'https://seccdn.libravatar.org/avatar/7fe4cb31868f324cf91dd5acabfabe3a104a67bf8483d89c0ed5dc7b2349a0e2?s=24&d=retro' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
After setting CSP_HEADERS in the config file as follows, images load but I'm still seeing CSP errors in Chrome.
CSP_HEADERS = (
    "default-src 'self' https:; "
    "script-src 'self' 'nonce-{nonce}'; "
    "style-src 'self' 'nonce-{nonce}';"
    "img-src 'self' https:; "
)
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-{nonce}'". Either the 'unsafe-inline' keyword, a hash ('sha256-OkZXpNx64dY8TIbJsoSyZlzkBvi3wxe2X04D3VDZm+Q='), or a nonce ('nonce-...') is required to enable inline execution.
Based on the error it appears that {nonce} isn't actually being filled in by pagure.
During 5.7 we changed the default CSP_HEADERS to allow changing script to unsafe for login when fas or openid plugins were used. Our current stable (5.7.9) default setting is:
CSP_HEADERS = (
    "default-src 'self';"
    "script-src 'self' '{nonce_script}'; "
    "style-src 'self' '{nonce_style}'; "
    "object-src 'none';"
    "base-uri 'self';"
    "img-src 'self' https:;"
)
Start from here in your modifications.
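As an added illustration of the two configurations quoted above (example code, not Pagure's own), the following Python renders a CSP_HEADERS template the way the thread describes, flags any placeholder that is never substituted (the literal '{nonce}' Chrome reported), and resolves a directive's effective sources with the default-src fallback mentioned in the first error. It assumes the application substitutes only {nonce_script} and {nonce_style}, by plain string replacement; the function names render_csp, check_csp_config, parse_csp and effective_sources are mine.

```python
import re
import secrets

# Constructed templates mirroring the two configurations quoted in the thread.
CSP_HEADERS_BROKEN = (
    "default-src 'self' https:; "
    "script-src 'self' 'nonce-{nonce}'; "
    "style-src 'self' 'nonce-{nonce}';"
    "img-src 'self' https:; "
)
CSP_HEADERS_DEFAULT = (
    "default-src 'self';"
    "script-src 'self' '{nonce_script}'; "
    "style-src 'self' '{nonce_style}'; "
    "object-src 'none';"
    "base-uri 'self';"
    "img-src 'self' https:;"
)
# Assumption: the app substitutes only these two placeholders, by plain string
# replacement, so any other '{name}' (such as '{nonce}') is sent to the browser verbatim.
PLACEHOLDER_RE = re.compile(r"\{[A-Za-z_][A-Za-z0-9_]*\}")

def render_csp(template, nonce_script, nonce_style):
    """Fill the per-response nonces into the header template."""
    header = template.replace("{nonce_script}", "nonce-" + nonce_script)
    return header.replace("{nonce_style}", "nonce-" + nonce_style)

def unexpanded_placeholders(header):
    """Any '{name}' still present in a rendered header is a configuration bug."""
    return sorted(set(PLACEHOLDER_RE.findall(header)))

def check_csp_config(template):
    """Render with throwaway nonces and report placeholders the app never fills."""
    rendered = render_csp(template, secrets.token_urlsafe(16), secrets.token_urlsafe(16))
    return unexpanded_placeholders(rendered)

def parse_csp(header):
    """Split a CSP header into {directive: [sources]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives

def effective_sources(header, directive):
    """Sources applied to a fetch directive; falls back to default-src when absent."""
    directives = parse_csp(header)
    return directives.get(directive, directives.get("default-src", []))
```

Running check_csp_config over a deployment's CSP_HEADERS before restarting the service catches a typo'd placeholder without waiting for a browser console to report it.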
Note: some of our 5.7.x fixes are not yet in master, the branch is 19 commits ahead
That shouldn't be the case, we merged everything in master and backported to the 5.7.x branch
Yeah, I should not look at these things on Friday nights :D
BTW, can we close this?
Let's close then :)
Metadata Update from @pingou: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)