bashclub / zamba-lxc-toolbox

Zamba LXC Toolbox is a script collection to set up LXC containers on Proxmox + ZFS. Zamba is the fusion of ZFS and Samba (standalone, Active Directory DC or Active Directory member), preconfigured to access ZFS snapshots via "Previous Versions" to easily recover files encrypted by ransomware, accidentally deleted files, or just to revert changes.
https://aow.de/
GNU General Public License v3.0

Zammad blank page with chrome/edge #105

Closed motti87 closed 3 months ago

motti87 commented 8 months ago

After a fresh installation, I can no longer access the page with Chrome/Edge. (I can log in and work normally with Firefox, and there were no errors during the installation process.) The page remains blank and displays the following errors:

– Content Security Policy blocks inline execution of scripts and stylesheets

Refused to execute inline script because it violates the following Content Security Policy directive: “script-src *”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-DDOFFxFZ+6vopqhWBYh1vLBG96qyi1TnFD77q6SaBiE=’), or a nonce (‘nonce-…’) is required to enable inline execution.

Refused to execute inline script because it violates the following Content Security Policy directive: “script-src *”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Xm9+UbE9a5ZWWwqa5EmASox0HS8xJgaAmgq2f7VrXOQ=’), or a nonce (‘nonce-…’) is required to enable inline execution.

Refused to apply inline style because it violates the following Content Security Policy directive: “style-src *”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-OscGv6ROJz45t1NaoBCVRmnvap1ElR24EWQuJWrwaQc=’), or a nonce (‘nonce-…’) is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the ‘unsafe-hashes’ keyword is present.

Refused to apply inline style because it violates the following Content Security Policy directive: “style-src *”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-OscGv6ROJz45t1NaoBCVRmnvap1ElR24EWQuJWrwaQc=’), or a nonce (‘nonce-…’) is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the ‘unsafe-hashes’ keyword is present.

jppw commented 5 months ago

Same problem here.

Chrome / Brave aren't working. Android Browser isn't working either. Firefox is working.

Zammad itself says: https://community.zammad.org/t/issue-with-display-in-chrome-edge-page-remains-blank/12254

The installation script you mentioned is not an official installation method of Zammad. The last time I had a look at that script it did some sketchy host file blocking. I have not qualified if it does change files, if it does, there might be your problem. Please consider cross checking this issue by installing Zammad on a machine per documentation: https://docs.zammad.org/en/latest/install/package.html

jppw commented 5 months ago

I commented out this block for a test and then it works in Brave/Chrome:

```nginx
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
add_header Referrer-Policy "strict-origin";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
add_header Strict-Transport-Security "max-age=31536000" always;
```
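
Added example (not part of the thread or of the toolbox's code): a simplified Python check of the Content-Security-Policy value quoted above against inline `<script>`/`<style>` elements, reproducing the "Refused to execute inline script" and "Refused to apply inline style" errors from the first post and printing the hash source the browser asks for. All function names are hypothetical; event handlers, style attributes and `'strict-dynamic'` are not modelled.

```python
import base64
import hashlib

# CSP value copied from the nginx block quoted in this thread.
THREAD_CSP = "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *"
HASH_ALGS = ("sha256", "sha384", "sha512")


def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hash_source(inline_text, alg="sha256"):
    """CSP hash source for the exact text between the <script> or <style> tags."""
    digest = hashlib.new(alg, inline_text.encode("utf-8")).digest()
    return "'%s-%s'" % (alg, base64.b64encode(digest).decode("ascii"))


def inline_allowed(header, directive, inline_text, nonce=None):
    """True if an inline <script>/<style> element passes `directive`."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no directive governs this resource type
    if any(hash_source(inline_text, alg) in sources for alg in HASH_ALGS):
        return True
    if nonce is not None and "'nonce-%s'" % nonce in sources:
        return True
    lowered = [s.lower() for s in sources]
    prefixes = ("'nonce-",) + tuple("'%s-" % alg for alg in HASH_ALGS)
    has_nonce_or_hash = any(s.startswith(prefixes) for s in lowered)
    # "*" only matches URLs; inline content needs 'unsafe-inline', which
    # browsers ignore once a nonce or hash is listed in the same directive.
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


if __name__ == "__main__":
    sample = "console.log('constructed sample inline script');"
    for directive in ("script-src", "style-src"):
        print(directive, "allows inline:", inline_allowed(THREAD_CSP, directive, sample))
    print("hash source to allow the sample:", hash_source(sample))
```
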

jppw commented 5 months ago

So it's this line:

add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";

If I comment only this one out, it works fine.

motti87 commented 5 months ago

So it's this line:

add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";

If I comment only this one out, it works fine.

Thanks for your work. I will try it on Monday.

(If someone else is searching for the line: https://github.com/bashclub/zamba-lxc-toolbox/blob/d0693c82e211d07dc75b71baec3351cefd2861b2/src/zammad/install-service.sh#L106 )

thorstenspille commented 3 months ago

Fixed with use of the contributor-shipped nginx zammad_ssl.conf. Currently in dev, will be released soon.