Unmanaged WordPress - Content Security Policy Issues
-
Hi, I have a couple of unmanaged WordPress installations and all of them have issues with content security policy settings.
I embed a number of resources on the website. E.g., I use Adobe PDF Embed API which works fine on other hosts.
But on Cloudron, any PDF embedded using the API does not load completely. In particular, links within the PDF do not work.
Ditto for videos hosted on Bunnynet and embedded on WordPress (works fine elsewhere, same site migrated to other hosts). E.g.: https://maher.ac.in/ilms
In the Browser Inspector, I get a bunch of errors related to the content security policies - particularly in loading JS files from other domains.
I tried adding a custom content security policy in the security tab of the application. I tried using the CSP Generator (Chrome plugin) to generate policies that I can add to the CSP in the security tab, but the page completely failed to load.
I tried adding WordPress plugins such as 'Cookies and Content Security Policy', added all the origin domains/subdomains of the various JS files that failed to load, but nothing seems to work. I have been trying to understand the root of the issue. I would be most grateful for any help and assistance in resolving this issue, please.
Thank you.
-
@jagan by default, Cloudron doesn't set any CSP or CORS headers for apps. The apps set the appropriate CSP for themselves. The CSP setting in Cloudron is only meant to be used as an extreme measure (i.e. no way to change an app's hardcoded CSP).
With this in mind, I would remove any custom CSP setting you have added in the Cloudron dashboard. This is most likely the wrong approach.
Next, I would investigate the CSP/CORS headers sent by WordPress. Per https://community.adobe.com/t5/acrobat-services-api-discussions/pdf-embed-api-got-error/td-p/13142824, you need something like
Access-Control-Allow-Origin: *
sent from WordPress.
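To see which directive in a CSP header governs a given embed, the following added example (not part of the thread, and not Cloudron or WordPress code) parses a header value and checks resource URLs against it, including the fallback to default-src. The hosts, the sample policy and the function names are constructed for illustration, and source matching is simplified (no ports, paths, nonces or hashes).

```python
from urllib.parse import urlsplit

FALLBACK = {"frame-src": ["child-src"], "script-src-elem": ["script-src"]}  # then default-src

def parse_csp(header):
    """Return {directive: [source expressions]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(expr, url, page_origin):
    """Simplified source match: ignores ports, paths, nonces and hashes."""
    u, expr = urlsplit(url), expr.lower()
    if expr == "'self'":
        return (u.scheme, u.netloc) == urlsplit(page_origin)[:2]
    if expr == "*":
        return u.scheme in ("http", "https")
    if expr.startswith("'"):            # 'none', 'unsafe-inline', nonce/hash: never match a URL
        return False
    if expr.endswith(":"):              # scheme source such as https: or data:
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")
    host = host.split("/")[0].split(":")[0]
    if scheme and scheme != u.scheme:
        return False
    name = u.hostname or ""
    return name.endswith(host[1:]) if host.startswith("*.") else name == host

def check(header, page_origin, resources):
    """resources: [(directive, url)] -> yields (url, governing directive or None, allowed)."""
    policy = parse_csp(header)
    for directive, url in resources:
        chain = [directive] + FALLBACK.get(directive, []) + ["default-src"]
        governing = next((d for d in chain if d in policy), None)
        allowed = governing is None or any(
            source_matches(s, url, page_origin) for s in policy[governing])
        yield url, governing, allowed

# Constructed sample policy and embeds (hosts are placeholders, not the real vendors' domains).
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://pdf-viewer.example.net; "
              "frame-src *.video-cdn.example.org")
SAMPLE = [("script-src", "https://pdf-viewer.example.net/sdk/viewer.js"),
          ("frame-src", "https://iframe.video-cdn.example.org/embed/1"),
          ("connect-src", "https://api.pdf-viewer.example.net/links")]

for row in check(SAMPLE_CSP, "https://site.example", SAMPLE):
    print(row)
```

In the constructed sample the script and the iframe are allowed, but the third request has no `connect-src` entry and falls back to `default-src 'self'`, so it is blocked.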