Closed gerwitz closed 1 year ago
This is only partially visible when not logged-in: https://social.gerwitz.com/
Hi !
What is your new version of Akkoma? Their new, stricter Content-Security-Policy prevents third-party frontends from retrieving the instance configuration. Do you see something related to CSP in your browser logs?
EDIT: yup, it's that
The solution is to override the Content-policy header in your nginx/apache configuration, to allow style-src :)
or, if you're lazy or don't want to bother with it, you can roll back the security policy update and everything will work.
https://akkoma.dev/AkkomaGang/akkoma/commit/336d06b2a8ca75362578b1d67ea1f32a45c8edd3
If you choose the solution to edit your reverse proxy Content-Policy header, i'm interested in your solution, so I can add it to the Readme on here :)
I still haven't found the time to set up the content-policy, so I'm still using the solution I wrote before this.)
I've never done this kind of stuff with nginx, but so far my solution is to 1) hide the Content-Security-Policy header, 2) set it again with the copy-pasted original header with a change in the style-src part:
# add style-src for mangane
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "upgrade-insecure-requests;style-src 'self' 'unsafe-inline';font-src 'self';script-src 'self' 'nonce-LbVARBmXD6txCer';connect-src 'self' https://example.com wss://example.com;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';";
The change by itself is
style-src 'self' 'nonce-xxxxxxxx';
becomes
style-src 'self' 'unsafe-inline';
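The rewrite described above (hide the instance's header, send it again with style-src changed) is usually done by copy-pasting the header into the proxy config. The following is an added example, not code from this thread, from Mangane or from Akkoma; it takes the header the instance currently sends as a string (the sample header and its nonce value below are constructed) and produces the overridden value, applying the one rule that matters here: a nonce or hash source in style-src makes browsers ignore 'unsafe-inline', so the nonce must be dropped rather than having 'unsafe-inline' appended next to it. It also lists any nonce sources left in the template, since a nonce that is hard-coded in a static add_header value is identical in every response and no longer proves anything about the scripts it marks.

```python
from collections import OrderedDict

# Constructed sample in the shape of the header Akkoma sends; the nonce is made up.
SAMPLE_CSP = (
    "upgrade-insecure-requests;style-src 'self' 'nonce-EXAMPLEnonce';"
    "font-src 'self';script-src 'self' 'nonce-EXAMPLEnonce';"
    "default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';"
)

# Source expressions whose presence makes browsers ignore 'unsafe-inline'.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into an ordered mapping directive -> source list.

    Browsers ignore a repeated directive, so the first occurrence wins here too.
    """
    policy = OrderedDict()
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue  # empty segment, e.g. after the trailing ';'
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def serialize_csp(policy):
    """Render the mapping back into header syntax (directives separated by '; ')."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def allow_inline_styles(header):
    """Return the header with style-src permitting 'self' and 'unsafe-inline'.

    Nonce and hash sources are removed from style-src on purpose: when one is
    present, CSP-conformant browsers ignore 'unsafe-inline', so merely appending
    it to the original directive would not let the frontend's inline styles load.
    Other directives (script-src included) are left exactly as they were.
    """
    policy = parse_csp(header)
    # Without an explicit style-src the browser falls back to default-src.
    current = policy.get("style-src") or policy.get("default-src") or []
    kept = [s for s in current if not s.startswith(NONCE_OR_HASH) and s != "'none'"]
    for needed in ("'self'", "'unsafe-inline'"):
        if needed not in kept:
            kept.append(needed)
    policy["style-src"] = kept
    return serialize_csp(policy)


def static_nonce_sources(header):
    """List every nonce source in a header.

    Used as a check on the template that ends up in the proxy config: a nonce
    baked into a static add_header value is sent unchanged with every response
    and provides none of the protection a per-request nonce would.
    """
    return [s for sources in parse_csp(header).values() for s in sources if s.startswith("'nonce-")]


if __name__ == "__main__":
    print(allow_inline_styles(SAMPLE_CSP))
    print("static nonces left in template:", static_nonce_sources(SAMPLE_CSP))
```

Feed the function the header copied from the instance's response, paste its return value into add_header (or the Caddy equivalent), and treat a non-empty result from static_nonce_sources as a reason not to ship that template as-is.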
Shouldn't akkoma permit mangane to work out of the box? Perhaps good to check with the main devs there @Cl0v1s. It would make things much easier. I will try to update the CSP for now, as for people running the OTP version rolling back isn't possible.
Since they unilaterally changed this security setting, and do not seem to have any interest in supporting a frontend besides their own, I think we could instead just clearly explain how to override the CSP in Mangane's documentation.
I'll try to propose something based on @AdrianPaulCarrieres's answer :)
Is there any link where akkoma devs state such a thing? I think since they now work on a feature that allows frontend switching, they are more open to others.
I read that in some comments on an open issue in the Akkoma repo, but you're right, maybe their position has changed since then!
Readme updated
Hi @Cl0v1s, there is a typo in the Readme: you wrote proxy_hide_header Content-Security-Policy: with a ':' instead of proxy_hide_header Content-Security-Policy; with a ';'
Thanks, I fixed that !
I used your method, the only difference is that I'm using Caddy instead of Nginx. Unfortunately, the header isn't returned with the response, and the issue persists.
My Caddyfile rule:
social.sador.me {
    log {
        output file /var/log/caddy/akkoma.log
    }
    encode gzip
    reverse_proxy akkoma:4000
    header {
        Content-Security-Policy "upgrade-insecure-requests; script-src 'self'; connect-src 'self' blob: https://social.sador.me wss://social.sador.me; media-src 'self' https:; img-src 'self' data: blob: https:; default-src 'none'; base-uri 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; manifest-src 'self';"
    }
}
Doing a normal upgrade on my Akkoma instance to dashing-peacock (from wrestling-red-panda) resulted in dark mode rendering dark text on a dark background on most content, except the posts feed of an individual profile.