Quinntin Comer, posted September 8:

Hello,

As of v69.0.8 we are seeing many failures due to Content Security Policy settings to load the fonts as well as numerous 404 errors for several js files. We have modified the templates as a short term fix.

Refused to load the font 'data:font/woff2;charset=utf-8;base64,d09GMgABAAAABPfYAAoAAAANDGgABPeLAwQBAA…3vVTy4JjPl3dW7rL/5M5q5e6D9CAVi9h+FdkMTe2kWWnqGdWT8TM66vW13xqSu5Kz/MgADAAA=' because it violates the following Content Security Policy directive: "font-src 'self' https://fonts.gstatic.com/".

DevTools failed to load source map: Could not load content for https://pbx.company.com/libraries/chartJs/chart.umd.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE

Unchecked runtime.lastError: The message port closed before a response was received.

Vodia PBX, posted September 8:

Are you running some kind of plugin or service worker that would change the source for the font?! The Content-Security-Policy should have font-src 'self' https://fonts.gstatic.com/.

Quinntin Comer (Author), posted September 8:

No, you can see in the error itself that it shows the exact string you are expecting at the very end so nothing is translating it or editing it.

This is on a FRESH install in AWS. Errors happen in both Chrome and Edge (latest versions). If you add 'data:' to the policy, it corrects it. It is just a matter of missing information in the default config. If you add 'data:' to the CSP, it loads correctly. 'self' does not include 'data:' which is how the fonts are being loaded.

If you guys are using webpack by any chance for the build process, there is a known error in webpack.

Quinntin Comer (Author), posted September 8:

I was able to resolve this with the following modifications:

usr_portal.html:
[[#header name="Content-Security-Policy" content="default-src 'self' data: 'unsafe-inline' https://fonts.gstatic.com https://cdnjs.cloudflare.com https://accounts.google.com; style-src 'unsafe-inline' 'self' https://cdnjs.cloudflare.com https://fonts.googleapis.com;"]]

welcome.htm:
[[#header name="Content-Security-Policy" content="default-src 'self' data: https://accounts.google.com 'unsafe-inline'; child-src 'none'; frame-src https://accounts.google.com"]]

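Added example (not part of any post in this thread and not Vodia's code): a simplified CSP source matcher in JavaScript that reproduces the reported font block and compares the usr_portal.html policy posted above with a narrower one. It shows that `data:` placed in `default-src` also applies to every fetch type without its own directive, such as scripts, while `data:` placed only in `font-src` does not. The matcher, the sample `data:` URLs and the `NARROW` policy are assumptions made for illustration.

```javascript
// Added example: simplified CSP matching (scheme, 'self', exact-origin sources only).
const PAGE_ORIGIN = "https://pbx.company.com"; // host taken from the error in the thread
const DATA_FONT = "data:font/woff2;charset=utf-8;base64,AAAA"; // constructed placeholder
const DATA_SCRIPT = "data:text/javascript,0"; // constructed
const SHIPPED = "font-src 'self' https://fonts.gstatic.com/"; // directive quoted in the error
const POSTED_FIX = // usr_portal.html policy from the post above
  "default-src 'self' data: 'unsafe-inline' https://fonts.gstatic.com " +
  "https://cdnjs.cloudflare.com https://accounts.google.com; style-src 'unsafe-inline' " +
  "'self' https://cdnjs.cloudflare.com https://fonts.googleapis.com;";
const NARROW = // assumed alternative, not from the thread
  "default-src 'self'; font-src 'self' data: https://fonts.gstatic.com/";

// Parse a policy into a Map of directive name -> source list (first occurrence wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one source expression match the requested URL?
function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === PAGE_ORIGIN; // a data: URL's origin is "null"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  if (source.startsWith("'")) return false; // keywords like 'unsafe-inline' match no URL
  try { return new URL(source).origin === url.origin; } catch { return false; }
}

// Check a fetch against a directive, falling back to default-src when it is absent.
function allows(policy, directive, resource) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (sources === undefined) return true; // nothing restricts this fetch type
  const url = new URL(resource);
  return sources.some((s) => sourceMatches(s, url));
}
function report() {
  return {
    shippedFont: allows(SHIPPED, "font-src", DATA_FONT),
    fixFont: allows(POSTED_FIX, "font-src", DATA_FONT),
    fixScript: allows(POSTED_FIX, "script-src", DATA_SCRIPT),
    narrowFont: allows(NARROW, "font-src", DATA_FONT),
    narrowScript: allows(NARROW, "script-src", DATA_SCRIPT),
  };
}
console.log(report());
```
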
Vodia PBX, posted September 8:

16 minutes ago, Quinntin Comer said:
> This is on a FRESH install in AWS. Errors happen in both Chrome and Edge (latest versions). If you add 'data:' to the policy, it corrects it. It is just a matter of missing information in the default config. If you add 'data:' to the CSP, it loads correctly. 'self' does not include 'data:' which is how the fonts are being loaded.

Yes, an obvious fix would be to add blob: to it (or data?). However it should not use data. I am wondering what is triggering it to use data... It should not do that unless there are some obscure libraries at work...

Quinntin Comer (Author), posted September 8:

Just now, Vodia PBX said:
> Yes an obvious fix would be to add blob: to it (or data?). However it should not use data. I am wondering what is triggering it to use data... It should not do that unless there are some obscure libraries at work...

Definitely a mystery for the Vodia PBX team. I have tried it from multiple computers, multiple browsers, etc. I don't know if it's something specific to the image in the AWS marketplace or not.

Vodia PBX, posted September 8:

The thing is that it seems to work in our environments without the data... Anything in the inspector regarding code that does not come from the PBX?

Quinntin Comer (Author), posted September 11:

On 9/8/2023 at 1:05 PM, Vodia PBX said:
> The thing is that it seems to work in our environments without the data... Anything in the inspector regarding code that does not come from the PBX?

Nope. This is from multiple browsers, machines, incognito, etc. Maybe something specific to the AWS template, but that part I cannot really say.

Vodia PBX, posted September 12:

Still a mystery. Can you private message the path to the welcome.htm?