WeblateOrg / weblate

Web based localization tool with tight version control integration.
https://weblate.org/
GNU General Public License v3.0
4.57k stars 1.01k forks

Add support for customizing Content Security Policy #3524

Closed maicol07 closed 4 years ago

maicol07 commented 4 years ago

Describe the bug

After updating to 3.11.2, the console gives this error (Italian): Content Security Policy: Il caricamento di una risorsa su https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js è stato bloccato dalle impostazioni della pagina (“script-src”). I think this error blocks dropdowns.

To Reproduce

Steps to reproduce the behavior:

  1. Update weblate to 3.11.2
  2. Open console in browser (F12)
  3. See error

Server configuration and status

 * Weblate: 3.11.2
 * Django: 2.2.5
 * siphashc: 1.2
 * Whoosh: 2.7.4
 * translate-toolkit: 2.4.0
 * lxml: 4.4.1
 * Pillow: 6.2.1
 * bleach: 3.1.0
 * six: 1.14.0
 * python-dateutil: 2.8.1
 * social-auth-core: 3.2.0
 * social-auth-app-django: 3.1.0
 * django-crispy-forms: 1.8.1
 * oauthlib: 3.1.0
 * django-compressor: 2.3
 * djangorestframework: 3.10.3
 * django-appconf: 1.0.3
 * user-agents: 2.0
 * filelock: 3.0.12
 * setuptools: 41.2.0
 * jellyfish: 0.7.2
 * openpyxl: 2.6.3
 * celery: 4.3.0
 * kombu: 4.6.7
 * celery-batches: 0.2
 * translation-finder: 1.7
 * html2text: 2019.9.26
 * pycairo: 1.18.1
 * pygobject: 3.34.0
 * diff-match-patch: 20181111
 * requests: 2.22.0
 * django-redis: 4.10.0
 * hiredis: 1.0.1
 * sentry_sdk: 0.14.1
 * Cython: 0.29.14
 * misaka: 2.1.1
 * GitPython: 3.0.5
 * borgbackup: 1.1.10
 * Python: 3.6.8
 * Git: 2.17.1
 * psycopg2-binary: 2.8.3
 * phply: 1.2.5
 * chardet: 3.0.4
 * ruamel.yaml: 0.16.5
 * zeep: 3.4.0
 * aeidon: 1.6.0
 * hub: 2.17.1
 * Database backends: django.db.backends.postgresql
 * Cache backends: default:RedisCache, avatar:FileBasedCache
 * Email setup: django.core.mail.backends.smtp.EmailBackend: mail.maicol07.it
 * Celery: redis://localhost:6379, redis://localhost:6379, regular
 * Platform: Linux 5.5.5-050505-generic (x86_64)

nijel commented 4 years ago

Either disable third party (Cloudflare) changing Weblate content, or patch Weblate to allow custom CSP modifications - this is currently not supported. Related code is here: https://github.com/WeblateOrg/weblate/blob/master/weblate/middleware.py#L66

And I don't think this has anything to do with the upgrade; this code has been there for years.
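
An added example, not part of the original thread and not Weblate's code: one way a configurable CSP could accept extra origins per directive while refusing values that would weaken or rewrite the policy. The baseline policy, the `extra` mapping, the function names and the origin `https://weblate.example.org` are assumptions made for illustration, and the matcher is a simplified stand-in for the browser's check.

```python
from urllib.parse import urlsplit

# Assumed baseline for this sketch; Weblate's real policy is built in weblate/middleware.py.
DEFAULT_CSP = {"default-src": ["'self'"], "script-src": ["'self'"], "style-src": ["'self'"]}


def validate_source(source):
    """Accept only an explicit https origin; refuse keywords, wildcards and injected text."""
    if any(c in source for c in " ;,\r\n\t*@"):
        raise ValueError(f"refusing CSP source {source!r}")
    parts = urlsplit(source)
    if parts.scheme != "https" or not parts.hostname or parts.path.strip("/") or parts.query:
        raise ValueError(f"refusing CSP source {source!r}")
    return f"https://{parts.netloc}"


def build_csp(extra=None):
    """Merge operator-supplied origins (hypothetical setting) into the baseline header."""
    policy = {name: list(values) for name, values in DEFAULT_CSP.items()}
    for directive, sources in (extra or {}).items():
        if directive not in policy:
            raise ValueError(f"unknown directive {directive!r}")
        for source in sources:
            origin = validate_source(source)
            if origin not in policy[directive]:
                policy[directive].append(origin)
    return "; ".join(f"{name} {' '.join(values)}" for name, values in policy.items())


def script_allowed(header, url, self_origin):
    """Simplified script-src match: 'self' and exact-origin host sources only."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    allowed = directives.get("script-src", directives.get("default-src", []))
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    return any(origin == (self_origin if src == "'self'" else src) for src in allowed)


SELF = "https://weblate.example.org"  # constructed origin for the example
ROCKET = "https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js"
```

With the baseline header the Rocket Loader URL from the report is not matched by `script-src`; it is matched only after `https://ajax.cloudflare.com` is added explicitly, which keeps the decision to trust a third-party script origin visible in configuration.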

maicol07 commented 4 years ago

Cloudflare disabled, Weblate works. Will wait for that function support.

deboyblog commented 4 years ago

4194

github-actions[bot] commented 4 years ago

Thank you for your report, the issue you have reported has just been fixed.