passwordcockpit / passwordcockpit

Passwordcockpit is a simple, free, open source, self-hosted, web-based password manager for teams. It is made in PHP, JavaScript and MySQL, and it runs as a Docker service. It allows users with any kind of device to safely store, share and retrieve passwords, certificates, files and much more.
https://passwordcockpit.com
BSD 3-Clause "New" or "Revised" License

Add Content-Security-Policy headers #80

Closed samuelecavalleri closed 1 month ago

samuelecavalleri commented 1 year ago

Starting from the branch security-headers:

Figure out why the current Content-Security-Policy header prevents all of the assets from being loaded.

pascalwittler commented 10 months ago

I think one reason for the problem may be the nested but unescaped single quotes around 'self' in https://github.com/passwordcockpit/passwordcockpit/blob/security-headers/docker/php/apache/Dockerfile#L154.
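
Added example (not the project's Dockerfile) of the quoting problem described in the comment above: when the Apache `Header set` line is written from a single-quoted shell string, the unescaped single quotes around 'self' close and reopen that string, so the shell strips them and the browser receives `default-src self`, which it treats as a host name and therefore blocks every local asset. The directive text, the shell-string construction and the helper names are assumptions, not taken from the repository.

```shell
#!/bin/sh
# Added example, not code from the passwordcockpit repository.
# Assumption: the Dockerfile emits an Apache directive from inside a
# single-quoted shell string (e.g. RUN echo '...' >> some.conf).

# Broken variant: the single quotes around self terminate the outer
# single-quoted string, so the shell concatenates five pieces and the
# quotes themselves never reach the config file.
csp_broken() {
    echo 'Header set Content-Security-Policy "default-src 'self'; script-src 'self'"'
}

# Fixed variant: close the string, add an escaped quote, reopen it ('\'').
# The config file now receives the CSP keyword 'self' with its quotes.
csp_fixed() {
    echo 'Header set Content-Security-Policy "default-src '\''self'\''; script-src '\''self'\''"'
}

# Check a rendered directive: in CSP, keywords such as self must be quoted;
# an unquoted self is parsed as a host name that matches nothing, which is
# exactly the "every asset blocked / empty page" symptom from the issue.
has_quoted_self() {
    case "$1" in
        *"'self'"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration when run directly: prints both directives and a verdict.
for fn in csp_broken csp_fixed; do
    line=$("$fn")
    if has_quoted_self "$line"; then
        echo "OK      $line"
    else
        echo "BROKEN  $line"
    fi
done
```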

heydenb commented 5 months ago

Could it be that the latest version is having issues with the CSP? I am running the container via docker-compose locally and the webapp gives an empty page. All js files are blocked by the CSP header.

heydenb commented 5 months ago

> Could it be that the latest version is having issues with the CSP? I am running the container via docker-compose locally and the webapp gives an empty page. All js files are blocked by the CSP header.

Never mind, I was using 1.3.4 which had the issue. That's still the version which is referred to in the sample docker-compose.yml on GitHub.

pascalwittler commented 5 months ago

> Could it be that the latest version is having issues with the CSP? I am running the container via docker-compose locally and the webapp gives an empty page. All js files are blocked by the CSP header.

See my comment + pull request above

bu3tt1 commented 1 month ago

We had to correct the escaping.