#37025 Add Content-Security-Policy to htaccess using Admin Tools

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
3.10.8
PHP version
7.4.29
Admin Tools version
6.1.5

Latest post by nicholas on Wednesday, 27 April 2022 07:40 CDT

tpollock

I've tried using your site search with Duck Duck Go, but every result I click on gives me your "Should have taken that left turn at Albuquerque" 404 message.

We are suddenly getting errors like the following that are preventing scripts from loading:

Refused to load the script 'https://code.jquery.com/jquery-3.6.0.min.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/[email protected]/dist/css/uikit.min.css' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

videoarrayupload.html:1 Refused to load the script 'https://cdn.jsdelivr.net/npm/[email protected]/dist/js/uikit.min.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

videoarrayupload.html:1 Refused to load the script 'https://cdn.jsdelivr.net/npm/[email protected]/dist/js/uikit-icons.min.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

videoarrayupload.html:26 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-Imz7vcmP9zC0GRFvMvBgoCj9Q9brMLDnNhL0A9t+GUs='), or a nonce ('nonce-...') is required to enable inline execution.

I am not sure why this started happening today. Everything worked fine yesterday. Is there something I can change or add to htaccess Maker in Admin Tools to fix this problem?

Thank you for your help!

Anthony Pollock

Henrico County Public Library, Henrico, Virginia

nicholas
Akeeba Staff
Manager

This is not something caused by Admin Tools' .htaccess Maker. We only add a Content-Security-Policy header to your static media files on your site, not your HTML document. You must have used a third party plugin which adds a Content-Security-Policy header or added one manually in the custom .htaccess code sections in the .htaccess Maker. We do not provide support for third party plugins or custom code.

First make sure that you have not added any Content-Security-Policy header code in the .htaccess Maker. If you have, remove it and regenerate the .htaccess.

If that was not the case, review the plugins you have added recently. I know that for Joomla 3 there's a back port of the HTTP security headers feature of Joomla 4 by Tobias Zulauf on the Joomla Extensions Directory. If you installed it and activated it with the default settings then, yes, all JS, CSS, fonts etc. hosted externally to your site will immediately stop working; that's what Content-Security-Policy headers do and you need to know how your site works and which exemptions to add. If you don't understand any of that, disable and uninstall the plugin.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
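The console messages quoted in the ticket are the browser applying the CSP fallback chain: `script-src-elem` is not set, so `script-src 'none'` governs the jQuery and UIkit scripts; `style-src-elem` and `style-src` are not set, so `default-src 'self'` governs the stylesheet; and the inline script needs `'unsafe-inline'`, a hash or a nonce. The evaluator below is an added example, not code from the ticket, from Admin Tools or from Joomla. It reconstructs the policy implied by those messages, shows why each load is refused, and then shows an allow-list that names the two CDNs and pins the inline script by its SHA-256 hash. The site origin `https://library.example`, the inline script body and the `.js` path are constructed placeholders. It implements `'self'`, host, wildcard-host, scheme, hash and nonce sources; redirect handling and the finer points of path matching are left out.

```python
"""Evaluate Content-Security-Policy decisions: directive fallback, 'self',
host/scheme sources, and hash or nonce sources for inline scripts."""
import base64
import hashlib
from urllib.parse import urlsplit

# Fallback chain for fetch directives (CSP Level 3): the most specific directive
# that is present governs; anything not listed falls back straight to default-src.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "style-src-attr": ("style-src-attr", "style-src", "default-src"),
}
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'strict-dynamic'", "'unsafe-hashes'"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]} (first directive wins)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy: dict, directive: str):
    """Return (name, sources) of the directive that actually applies, or (None, None)."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return name, policy[name]
    return None, None


def host_source_matches(expr: str, url) -> bool:
    """Match one host-source or scheme-source expression against a parsed URL."""
    expr = expr.lower()
    if expr == "*":
        return True
    if expr.endswith(":"):                       # scheme-source such as "https:"
        return url.scheme == expr[:-1]
    if not url.hostname:                         # data:, blob: etc. never match a host
        return False
    scheme, _, rest = expr.rpartition("://")
    if scheme and scheme != url.scheme:
        return False
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if port and port != "*" and str(url.port or "") != port:
        return False
    if host.startswith("*."):                    # *.example.com matches sub.example.com only
        if not url.hostname.endswith(host[1:]):
            return False
    elif url.hostname != host:
        return False
    return url.path.startswith("/" + path) if path else True


def check_load(header: str, directive: str, url: str, page_origin: str):
    """Decide whether fetching `url` under `directive` is allowed; returns (allowed, reason)."""
    name, sources = governing_directive(parse_csp(header), directive)
    if name is None:
        return True, "no governing directive"
    parsed, origin = urlsplit(url), urlsplit(page_origin)
    for src in sources:
        low = src.lower()
        if low == "'self'":
            if (parsed.scheme, parsed.hostname, parsed.port) == (origin.scheme, origin.hostname, origin.port):
                return True, f"'self' in {name}"
        elif low in KEYWORDS or low.startswith(HASH_OR_NONCE):
            continue                             # 'none', keywords, hashes, nonces never match a URL
        elif host_source_matches(src, parsed):
            return True, f"{src} in {name}"
    return False, f"blocked by {name} {' '.join(sources)}"


def sha256_source(body: str) -> str:
    """The 'sha256-...' hash-source for an inline script body, as the console message suggests."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(header: str, body: str, nonce: str = ""):
    """Decide whether an inline <script> body may run; returns (allowed, reason)."""
    name, sources = governing_directive(parse_csp(header), "script-src-elem")
    if name is None:
        return True, "no governing directive"
    lowered = [s.lower() for s in sources]
    # CSP3: 'unsafe-inline' is ignored when the directive also carries a hash or nonce.
    if "'unsafe-inline'" in lowered and not any(s.startswith(HASH_OR_NONCE) for s in lowered):
        return True, f"'unsafe-inline' in {name}"
    if nonce and f"'nonce-{nonce}'" in sources:
        return True, f"nonce in {name}"
    digest = sha256_source(body)                 # hash sources are case-sensitive: compare as-is
    if digest in sources:
        return True, f"{digest} in {name}"
    return False, f"blocked by {name}: needs 'unsafe-inline', {digest} or a nonce"


if __name__ == "__main__":
    # Constructed: placeholder origin, policy reconstructed from the quoted console messages.
    ORIGIN = "https://library.example"
    STRICT = "default-src 'self'; script-src 'none'"
    INLINE = "UIkit.upload('#upload');"          # constructed inline script body
    FIXED = ("default-src 'self'; "
             f"script-src 'self' https://code.jquery.com https://cdn.jsdelivr.net {sha256_source(INLINE)}; "
             "style-src 'self' https://cdn.jsdelivr.net")
    loads = [("script-src-elem", "https://code.jquery.com/jquery-3.6.0.min.js"),
             ("style-src-elem", "https://cdn.jsdelivr.net/npm/uikit/dist/css/uikit.min.css"),
             ("script-src-elem", "https://library.example/media/app/videoarray.js")]
    for label, policy in (("strict", STRICT), ("fixed", FIXED)):
        for directive, url in loads:
            print(label, directive, url, check_load(policy, directive, url, ORIGIN))
        print(label, "inline", inline_script_allowed(policy, INLINE))
```

Note that under the strict policy even a same-origin script under `/media/` is refused, because `script-src 'none'` overrides `default-src 'self'` for scripts; that is the shape of the problem the ticket describes, where a policy meant for static files ends up governing an HTML document.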

tpollock

I checked for any plugins or components for HTTP security headers, but did not find anything. I have not added any plugins or components recently, but I have updated Joomla, so who knows. I checked the htaccess Maker again and I had the folder listed in "Frontend directories where file type exceptions are allowed" and in "Allow direct access, including .php files, to these directories". I removed it from "Frontend directories where file type exceptions are allowed" and the issue has been resolved. My apps in the folder are now running as expected. I'm not sure how this fixed the content security policy issue, but the apps are now working.

Thank you for your help.

nicholas
Akeeba Staff
Manager

It looks like you have an extension which loads an HTML file (the name is videoarrayupload.html but the information you gave me doesn't tell me where it is) which tries to load these external resources. You need to find the extension and tell its developer that what they do is all-caps BAD. This is Joomla, not bloody WordPress! Loading resources must always go through Joomla's HtmlDocument class and the HTML output must always go through Joomla itself, not an arbitrary HTML file. The one and only case where an exception is justified is TinyMCE plugins — and that's only because TinyMCE is a JavaScript application which is shoehorned into working with Joomla.

However, your solution is wrong. You must NOT remove anything from either item you modified; it will only cause other things to break.

The correct solution is setting “Disable client-side risky behavior in frontend static content” to No. That's why I said earlier that ‘We only add a Content-Security-Policy header to your static media files on your site’. This is the option which adds the Content-Security-Policy header to files under the media folder etc.

