Hi, as part of the server change I upend the security settings i.e. TLSv1.3 etc. One of the things I struggled is to get the Content Security Policy (CSP) settings defined for x3 as I don't know all the dependencies. Specifically for script-src and style-src I could only get it to work with the following settings:
script-src * 'unsafe-inline' 'unsafe-eval'
style-src * 'unsafe-inline' 'unsafe-eval';
The problem is that the * wildcard and 'unsafe-inline' and 'unsafe-eval' is considered an unsafe implementation of CSP (https://developer.mozilla.org/en-US/doc ... ity-Policy).
The question would be 1) what are the (external) sources for JavaScript <script> elements of X3? and 2) what (external) sources for stylesheets are being used by X3?
X3Photo Gallery Forums
X3 Photo Gallery Support Forums
Re: Content Security Policy settings for X3
X3 uses www.jsdelivr.com for most Javascript and CSS files. The domain they are loaded from is basically cdn.jsdelivr.net. If you disable CDN (Settings > Advanced > Use CDN), all resources will load from your origin host, but this will be slower.ckishappy wrote:The question would be 1) what are the (external) sources for JavaScript <script> elements of X3? and 2) what (external) sources for stylesheets are being used by X3?
You can never be too safe, although Content-Security-Policy is only effective if others have access to edit your website and in some way include 3rd party scripts. This isn't really the case with X3, unless other users that you don't trust have access to the X3 panel. Certainly doesn't hurt though, when configured correctly!
Re: Content Security Policy settings for X3
thanks and will give it a try! I changed the CSP policy (from script-src * 'unsafe-inline' 'unsafe-eval') to script-src 'self' https://cdn.jsdelivr.net. My X3 website stopped to display anything.. Will need to spend some more time on this then to debug it properly over a rainy weekend!