View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006462 | unreal | module api | public | 2024-08-28 00:49 | 2024-09-23 14:10 |
| Reporter | rafaelgrether | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| Summary | 0006462: Module API documentation website x CSP restriction | ||||
| Description | Hi Syzop! Its not specifically about module API itself, but module API documentation website (https://www.unrealircd.org/api/6/) When I search something using search field (on top-right screen), nothing happens. Inspecting error page, I see: - The 'options' directive has been replaced with the 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. - The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. It seems, a CSP restriction from webserver. Thanks! | ||||
| Additional Information | Tested on Safari (macOS), Chrome and Firefox. | ||||
| Tags | No tags attached. | ||||
| 3rd party modules | |||||
|
|
Thanks, I have changed:allow 'self'; options inline-script eval-script; frame-ancestors 'none' To: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'none'; Except for the main site where otherwise the API page could not load the search result (which is in a frame): default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors https://www.unrealircd.org/; We run various software that are not so CSP friendly. We could probably still do marginally better. |
|
|
Thanks Syzop! It worked! :) But I don't know if it works as expected. When I type in the search field: "access", nothing is displayed. But when I type "get_channel_access", the result is shown. Does the search field need to be on the exact term? Or would it be possible to consider something like %INPUTFIELD% ? Thanks! |
|
|
The software for that is doxygen. I read https://www.doxygen.nl/manual/searching.html. We use that 1st option which is indeed more like autosuggest behavior. I tried the 2nd option (which also looses live search support) but it doesn't work with our recent PHP, errors on some curly braces. Don't really want to do the other options... so yeah I think it will stay as is. |
|
|
Thanks for checking. No problem! Thanks syzop! |
|
|
Someone somewhere posted about some issue at some point in time related to these changes. Trying to remember.... |
|
|
Ah right it was https://www.unrealircd.org/files/dev/ws/websocket_unrealircd.html that was broken. Added connect-src wss://irc.unrealircd.org/; |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-08-28 00:49 | rafaelgrether | New Issue | |
| 2024-09-07 09:47 | syzop | Note Added: 0023329 | |
| 2024-09-07 09:47 | syzop | Note Edited: 0023329 | |
| 2024-09-07 09:48 | syzop | Note Edited: 0023329 | |
| 2024-09-10 01:33 | rafaelgrether | Note Added: 0023338 | |
| 2024-09-10 19:00 | syzop | Note Added: 0023341 | |
| 2024-09-10 19:02 | syzop | Note Edited: 0023341 | |
| 2024-09-10 19:22 | rafaelgrether | Note Added: 0023342 | |
| 2024-09-23 12:58 | syzop | Note Added: 0023375 | |
| 2024-09-23 14:10 | syzop | Note Added: 0023376 |
