BDX-town / Mangane

Alternative frontend for Akkoma
https://bdx.town
GNU Affero General Public License v3.0

dashing-peacock upgrade: dark is all dark #202

Closed gerwitz closed 1 year ago

gerwitz commented 1 year ago

Doing a normal upgrade on my Akkoma instance to dashing-peacock (from wrestling-red-panda) resulted in dark mode rendering dark text on a dark background on most content, except the posts feed of an individual profile.

gerwitz commented 1 year ago

This is only partially visible when not logged-in: https://social.gerwitz.com/

Cl0v1s commented 1 year ago

Hi!

What is your new version of Akkoma? Their new stricter Content-policy prevents third-party frontends from retrieving instance configuration. Do you see something related to CSP in your browser logs?

EDIT: yup, it's that

Cl0v1s commented 1 year ago

The solution is to override the Content-policy header in your nginx/apache configuration, to allow style-src :)

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

crisukbot commented 1 year ago

or, if you're lazy or don't want to bother with it, you can roll back the security policy update and everything will work.

https://akkoma.dev/AkkomaGang/akkoma/commit/336d06b2a8ca75362578b1d67ea1f32a45c8edd3

Cl0v1s commented 1 year ago

If you choose the solution to edit your reverse proxy Content-Policy header, I'm interested in your solution, so I can add it to the Readme on here :)

crisukbot commented 1 year ago

> If you choose the solution to edit your reverse proxy Content-Policy header, I'm interested in your solution, so I can add it to the Readme on here :)

I still haven't found the time to set up the content-policy, so I'm still using the solution I wrote before this.)

AdrianPaulCarrieres commented 1 year ago

I've never done this kind of stuff with nginx but so far my solution is to 1) hide the Content-Security-Policy header, 2) set it again with the copy pasted original header with a change in the style-src part:

    # add style-src for mangane
    proxy_hide_header Content-Security-Policy;
    add_header Content-Security-Policy "upgrade-insecure-requests;style-src 'self' 'unsafe-inline';font-src 'self';script-src 'self' 'nonce-LbVARBmXD6txCer';connect-src 'self' https://example.com wss://example.com;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';";

The change by itself is style-src: 'self' 'nonce-xxxxxxxx'; becomes style-src: 'self' 'unsafe-inline';

muppeth commented 1 year ago

Shouldn't akkoma permit mangane to work out of the box? Perhaps good to check with the main devs there @Cl0v1s It would make things much easier. I will try to update csp for now as for people running OTP version rolling back isn't possible.

Cl0v1s commented 1 year ago

Since they unilaterally changed this security setting, and do not seem to have any interest in supporting a frontend beside their own, I think we could just instead clearly explain how to override CSP in Mangane's documentation.

I'll try to propose something based on @AdrianPaulCarrieres's answer :)

muppeth commented 1 year ago

Is there any link where akkoma devs state such a thing? I think since they now work on a feature that allows frontend switch, they are more open to others

6 May 2023 18:37:32 Clovis @.***>:

> Since they unilaterally changed this security setting, and do not seem to have any interest in supporting a frontend beside their own, I think we could just instead clearly explain how to override CSP in Mangane's documentation.
>
> I'll try to propose something based on @AdrianPaulCarrieres's answer :)


Cl0v1s commented 1 year ago

I read that on some comments to an open issue in the Akkoma repo, but you're right, maybe their position changed since then!

Cl0v1s commented 1 year ago

Readme updated

mmai commented 1 year ago

Hi @Cl0v1s there is a typo in the Readme: you wrote proxy_hide_header Content-Security-Policy: with a ':' instead of proxy_hide_header Content-Security-Policy; with a ';'

Cl0v1s commented 1 year ago

Thanks, I fixed that !

sadorowo commented 6 months ago

> I've never done this kind of stuff with nginx but so far my solution is to 1) hide the Content-Security-Policy header, 2) set it again with the copy pasted original header with a change in the style-src part:
>
>     # add style-src for mangane
>     proxy_hide_header Content-Security-Policy;
>     add_header Content-Security-Policy "upgrade-insecure-requests;style-src 'self' 'unsafe-inline';font-src 'self';script-src 'self' 'nonce-LbVARBmXD6txCer';connect-src 'self' https://example.com wss://example.com;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';";
>
> The change by itself is style-src: 'self' 'nonce-xxxxxxxx'; becomes style-src: 'self' 'unsafe-inline';

I used your method, the only difference is that I'm using Caddy instead of Nginx. Unfortunately, the header isn't returned with the response, and the issue persists.

My Caddyfile rule:

    social.sador.me {
        log {
            output file /var/log/caddy/akkoma.log
        }

        encode gzip
        reverse_proxy akkoma:4000

        header {
            Content-Security-Policy "upgrade-insecure-requests; script-src 'self'; connect-src 'self' blob: https://social.sador.me wss://social.sador.me; media-src 'self' https:; img-src 'self' data: blob: https:; default-src 'none'; base-uri 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; manifest-src 'self';"
        }
    }
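
As an added example (not part of the thread, nor Mangane's or Akkoma's code), this Python sketch checks the two things the thread turns on: whether a policy's style-src permits inline styles, and whether that still holds when the upstream header reaches the browser alongside the proxy's override, since browsers enforce every Content-Security-Policy header they receive. The header values and the nonce `EXAMPLE` are constructed, the function names are illustrative, and `style-src-elem`/`style-src-attr` are not modelled.

```python
# Added example: constructed header values, not taken from any instance.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def allows_inline_style(value):
    """True if this one policy lets un-nonced inline styles apply."""
    policy = parse_csp(value)
    sources = policy.get("style-src", policy.get("default-src"))
    if sources is None:  # nothing governs styles in this policy
        return True
    sources = [s.lower() for s in sources]
    # A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
    if any(s.startswith(NONCE_OR_HASH) for s in sources):
        return False
    return "'unsafe-inline'" in sources

def inline_style_allowed(header_values):
    """Every CSP header received is enforced, so each one must allow it."""
    return all(allows_inline_style(v) for v in header_values)

def relax_style_src(value):
    """Copy a policy, changing only style-src (the edit made in the nginx snippet)."""
    policy = parse_csp(value)
    policy["style-src"] = ["'self'", "'unsafe-inline'"]
    return ";".join(" ".join([name, *srcs]) for name, srcs in policy.items()) + ";"

# Constructed stand-in for the upstream header; EXAMPLE is a placeholder nonce.
UPSTREAM = ("upgrade-insecure-requests;style-src 'self' 'nonce-EXAMPLE';"
            "script-src 'self' 'nonce-EXAMPLE';default-src 'none';")
OVERRIDE = relax_style_src(UPSTREAM)

if __name__ == "__main__":
    print("override header:       ", OVERRIDE)
    print("upstream only:         ", inline_style_allowed([UPSTREAM]))            # False
    print("override only:         ", inline_style_allowed([OVERRIDE]))            # True
    print("both reach the browser:", inline_style_allowed([UPSTREAM, OVERRIDE]))  # False
```

Pass it every Content-Security-Policy value shown for the response in the browser's network tab. In Caddy, the upstream copy of the header is dropped with the `reverse_proxy` subdirective `header_down -Content-Security-Policy`, the counterpart of nginx's `proxy_hide_header`.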