Search…

X3 Photo Gallery Support Forums

Search…
 
ckishappy
Topic Author
Posts: 16
Joined: 21 May 2016, 06:07

Content Security Policy settings for X3

27 Jul 2020, 03:56

Hi, as part of the server change I upend the security settings i.e. TLSv1.3 etc. One of the things I struggled is to get the Content Security Policy (CSP) settings defined for x3 as I don't know all the dependencies. Specifically for script-src and style-src I could only get it to work with the following settings:

script-src * 'unsafe-inline' 'unsafe-eval' 
style-src * 'unsafe-inline' 'unsafe-eval';

The problem is that the * wildcard and 'unsafe-inline' and 'unsafe-eval' is considered an unsafe implementation of CSP (https://developer.mozilla.org/en-US/doc ... ity-Policy).

The question would be 1) what are the (external) sources for JavaScript <script> elements of X3? and 2) what (external) sources for stylesheets are being used by X3?
 
User avatar
mjau-mjau
X3 Wizard
Posts: 12191
Joined: 30 Sep 2006, 03:37

Re: Content Security Policy settings for X3

27 Jul 2020, 06:20

ckishappy wrote:The question would be 1) what are the (external) sources for JavaScript <script> elements of X3? and 2) what (external) sources for stylesheets are being used by X3?
X3 uses www.jsdelivr.com for most Javascript and CSS files. The domain they are loaded from is basically cdn.jsdelivr.net. If you disable CDN (Settings > Advanced > Use CDN), all resources will load from your origin host, but this will be slower.

You can never be too safe, although Content-Security-Policy is only effective if others have access to edit your website and in some way include 3rd party scripts. This isn't really the case with X3, unless other users that you don't trust have access to the X3 panel. Certainly doesn't hurt though, when configured correctly!
 
ckishappy
Topic Author
Posts: 16
Joined: 21 May 2016, 06:07

Re: Content Security Policy settings for X3

27 Jul 2020, 12:46

thanks and will give it a try! I changed the CSP policy (from script-src * 'unsafe-inline' 'unsafe-eval') to script-src 'self' https://cdn.jsdelivr.net. My X3 website stopped to display anything.. Will need to spend some more time on this then to debug it properly over a rainy weekend!