Hello/Hi/Greetings,
I'm having fun and games trying to get my site working. It was. Now it isn't. Not properly anyway.
Editing photos - Linked albums, Album thumbnail, Keywords all just show an unusable up- and down-arrow symbol
Viewing photos - the full-screen option doesn't work
All pages - The top-right tools icon doesn't do anything
Photos - batch manager - shows 983 checksums to add, but "compute missing checksums" doesn't do anything
I've seen older posts hinting this might be some sort of js error. But I consistently get this on all browsers I've tried it on - gotta be a server-side issue then, shurelee?
Any help/advice gratefully received :-(
Thanks
Bill
Piwigo version: 2.10.2
PHP version: 7.2.24
MySQL version: 14.14
OS: Ubuntu 19.04
Piwigo URL: http://zeltus.fun
That's probably all broken by the CSP you set:
Content-Security-Policy: default-src 'self'; font-src 'self'; img-src 'self' s7.addthis.com; script-src 'self' s7.addthis.com
which doesn't allow pretty much any portion of Piwigo to execute but likes addthis.com ...
Thanks! I remember setting this fairly urgently some time ago when a security company contacted me. Almost certainly I used a very-secure setting without bothering to test much thereafter.
I'll report back if changing it fixes anything. Or not. :-)
Fwiw, here's mine for Apache .htaccess in Piwigo's directory; whether that suits your needs or allows too much or too little is up to you. It's the basic set needed to make Piwigo fully functional including its admin code.

<IfModule mod_headers.c>
    # Several elements don't work without 'unsafe-inline'.
    # Piwigo user editor doesn't work without script-src 'unsafe-eval'.
    # Piwigo theme screenshot previews in img-src.
    # Piwigo VideoJS needs font-src data: and media-src 'self'.
    Header set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self' data:; img-src 'self' data: https://piwigo.org; media-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
</IfModule>
If you also want the tools/ws.htm to be functional then append this to the CSP in tools/.htaccess:
script-src https://cdn.jsdelivr.net/tiptip/1.3/ https://code.jquery.com/jquery-1.9.1.min.js; style-src https://cdn.jsdelivr.net/tiptip/1.3/
(whether that works for you in a Header append directive or you have to use Header set repeating all the above and adding these depends on the Apache version)
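To see why the original policy broke the admin pages while the one above does not, here is a small CSP evaluator added as an example for this thread (it is not Piwigo's code). It models only the fetch-directive fallback to default-src and the source expressions used in these two policies; the list of loads Piwigo makes is constructed from the comments in the .htaccess above, and the theme path in it is made up.

```python
# Added example, not Piwigo code: a minimal CSP evaluator covering only the
# source expressions used in this thread (keywords, data:, plain host sources).
from urllib.parse import urlparse

def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _matches(src, request, origin):
    src = src.lower()
    if request in ("inline", "eval"):       # inline <script>/handlers, eval()
        return src == "'unsafe-%s'" % request
    if src == "'self'":
        return request == origin or request.startswith(origin + "/")
    if src.startswith("'"):                  # 'none' and other keywords: no URL
        return False
    if src.endswith(":"):                    # scheme source such as data:
        return request.lower().startswith(src)
    s = urlparse(src if "://" in src else "//" + src)   # host source
    r = urlparse(request)
    return ((not s.scheme or s.scheme == r.scheme) and r.hostname == s.hostname
            and (not s.path or r.path == s.path
                 or (s.path.endswith("/") and r.path.startswith(s.path))))

def allows(policy, directive, request, origin):
    """Fetch directives fall back to default-src when they are not set."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(_matches(s, request, origin) for s in sources)

def blocked_loads(header, loads, origin):
    """Return the (directive, request) pairs the policy would refuse."""
    policy = parse_csp(header)
    return [(d, r) for d, r in loads if not allows(policy, d, r, origin)]

# The two policies from this thread; LOADS is a constructed sample (made-up theme path)
BROKEN = ("default-src 'self'; font-src 'self'; img-src 'self' s7.addthis.com; "
          "script-src 'self' s7.addthis.com")
WORKING = ("default-src 'none'; connect-src 'self'; font-src 'self' data:; img-src 'self' data: "
           "https://piwigo.org; media-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
           "style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'")
ORIGIN = "http://zeltus.fun"
LOADS = [("script-src", "inline"), ("script-src", "eval"),
         ("script-src", ORIGIN + "/themes/default/js/ui.js"),
         ("font-src", "data:font/woff;base64,AAAA"), ("img-src", "https://piwigo.org/screenshot.png"),
         ("script-src", "https://s7.addthis.com/js/addthis_widget.js")]
```

Running blocked_loads(BROKEN, LOADS, ORIGIN) reports the inline scripts, eval, data: fonts and piwigo.org images as refused, which matches the dead buttons and arrows described in the first post; the working policy refuses only the addthis script.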
zeltus wrote:
a very-secure setting
I wouldn't call anything secure that allows all shit from addthis.com
Aaahhh, well, I did say I did it in a hurry :-) - must go back and look at my t'other website to see why I did that...
Thanks for the examples, much appreciated.
Looking good.
CSP is a new thing for someone as old school as me, I'm still unclear as to what (your) directive is doing, but as this is pretty much a server/website dedicated to piwigo, I'm happy to trust you :-)
But I do have to do some homework on this so's I understand and can recognise this sort of issue if I see it again elsewhere.
Who knows, I might be able to answer a forum question eventually! :-)
Again, many thanks.
Bill
You can find some pointers related to CSP there if you want.