PrivateBin / PrivateBin

A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.
https://privatebin.info/

Recommended cspheader leads to font load error #1425

Closed (HLeithner closed 1 month ago)

HLeithner commented 1 month ago

Did you use the FAQ section?

The recommended CSP header includes the directive font-src 'self'; this doesn't allow loading fonts that are loaded via a data: URL.

Steps to reproduce

  1. open your developer console
  2. go to https://privatebin.net
  3. check the developer console
  4. find 'Refused to load the font '' because it violates the following Content Security Policy directive: "font-src 'self'".'

What happens

Some fonts are not loaded

What should happen

Load the fonts, or show no error by removing the data: fonts.

Additional information

Basic information

Server address:

Server OS:

Webserver:

Browser: Vivaldi 6.9.3447.46

PrivateBin version: 1.7.4

I can reproduce this issue on https://privatebin.net: Yes

rugk commented 1 month ago

You likely switched to the Bootstrap 5 theme, didn't you?

Yes, you need to adjust the CSP. And this is noted in the config file template: https://github.com/PrivateBin/PrivateBin/blob/702831ea38199ad19884b758faade176bae1f959/cfg/conf.sample.php#L98-L99

And this is a dupe of https://github.com/PrivateBin/PrivateBin/issues/1362 and keeps getting re-asked. I am about to put that info into the FAQ; on the other hand, it will be pretty much solved/obsolete once we switch to Bootstrap 5 by default. 🙃
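The reply above says the CSP has to be adjusted for the Bootstrap 5 template because its fonts are embedded as data: URLs. The following Python is an added example for this thread, not PrivateBin's code: a reduced model of CSP source matching that shows why font-src 'self' rejects a data: font while font-src 'self' data: accepts it, and how a fetch directive that is absent from the policy falls back to default-src. The page origin, the two policy strings and the truncated data: URL are constructed for the example (the project's actual recommended header is in cfg/conf.sample.php, linked above); path matching, redirects and the newer keyword sources are deliberately left out.

```python
"""Reduced model of CSP source-expression matching (added example, not PrivateBin code)."""
from urllib.parse import urlparse

# Fetch directives that inherit from default-src when they are not set (CSP3 fallback list).
FALLBACK_TO_DEFAULT = {
    "font-src", "img-src", "script-src", "style-src", "connect-src",
    "media-src", "object-src", "frame-src", "manifest-src", "worker-src",
}

# Constructed values for the demonstration; none of them come from the thread.
PAGE_ORIGIN = "https://privatebin.example"
DATA_FONT = "data:font/woff2;base64,d09GMgABAAAA"          # truncated, constructed
SELF_FONT = "https://privatebin.example/css/fonts/icons.woff2"
STRICT_CSP = "default-src 'none'; font-src 'self'; style-src 'self'; img-src 'self' data:"
RELAXED_FONT_CSP = "default-src 'none'; font-src 'self' data:; style-src 'self'; img-src 'self' data:"


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}; first occurrence wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            name, *sources = parts
            policy.setdefault(name.lower(), sources)
    return policy


def source_allows(expr, url, page_origin):
    """Does one source expression match the URL being fetched? (simplified CSP3 rules)"""
    parsed = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "*":
        # The wildcard never covers data:, blob: or filesystem: schemes.
        return parsed.scheme in ("http", "https", "ws", "wss")
    if expr == "'self'":
        return f"{parsed.scheme}://{parsed.netloc}" == page_origin
    if expr.startswith("'"):
        return False  # nonces, hashes and unsafe-* keywords do not match URLs
    if expr.endswith(":") and "/" not in expr:
        return parsed.scheme == expr[:-1].lower()  # scheme-source such as data: or blob:
    # host-source: [scheme://]host[:port], optional leading wildcard label
    if parsed.hostname is None:
        return False  # a data: URL has no host, so no host-source can match it
    target = urlparse(expr if "://" in expr else f"{parsed.scheme}://{expr}")
    if target.scheme and target.scheme != parsed.scheme:
        return False
    if target.port is not None and target.port != parsed.port:
        return False
    if target.hostname.startswith("*."):
        return parsed.hostname.endswith(target.hostname[1:])
    return parsed.hostname == target.hostname


def allows(header, directive, url, page_origin):
    """Return (allowed, governing_directive) for fetching `url` under `directive`.

    governing_directive is None when the policy does not restrict this fetch at all.
    An empty source list (e.g. "font-src;") behaves like 'none'.
    """
    policy = parse_csp(header)
    governing = directive
    if directive not in policy:
        if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
            governing = "default-src"
        else:
            return True, None
    return any(source_allows(s, url, page_origin) for s in policy[governing]), governing


def report(header, url, directive="font-src", page_origin=PAGE_ORIGIN):
    """Human-readable verdict in the spirit of the browser console message."""
    allowed, governing = allows(header, directive, url, page_origin)
    if governing is None:
        return f"{url[:24]}...: allowed (no {directive} or default-src in policy)"
    verdict = "allowed" if allowed else "refused"
    return f"{url[:24]}...: {verdict} by {governing} {' '.join(parse_csp(header)[governing])}"


if __name__ == "__main__":
    for policy in (STRICT_CSP, RELAXED_FONT_CSP, "default-src 'self'"):
        print(policy)
        for font in (SELF_FONT, DATA_FONT):
            print("  " + report(policy, font))
```

Running it shows the same split the reporter saw: the self-hosted font passes under both policies, the data: font is refused under font-src 'self' and passes once data: is added. The third policy illustrates the fallback: with no font-src at all, default-src 'self' governs the fetch and still refuses the data: font.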

rugk commented 1 month ago

Duplicate of https://github.com/PrivateBin/PrivateBin/issues/1362

HLeithner commented 1 month ago

Thanks, I didn't see this issue. Anyway, changing the CSP headers ends in an X on https://privatebin.info/directory/; for people who are interested in having this check mark fulfilled, it's an issue.

elrido commented 1 month ago

@HLeithner the issue with the differing CSPs got resolved in directory 0.11.0, and since then bootstrap5-templated instances still get the checkmark if they use either the default or the relaxed CSP, and the older versions also get their recommended CSPs applied.

HLeithner commented 1 month ago

Thanks, makes sense. I did a more in-depth check and found out that it's not PrivateBin... instead a browser extension... sorry for the noise.