    Unmanaged Wordpress - Content Security Policy Issues

    WordPress (Developer)
      jagan last edited by jagan

      Hi, I have a couple of unmanaged WordPress installations and all of them have issues with content security policy settings.

      I embed a number of resources on the website. E.g., I use Adobe PDF Embed API which works fine on other hosts.
      But on Cloudron, any PDF embedded using the API does not load completely. In particular, links within the PDF do not work.
      Ditto for videos hosted on Bunnynet and embedded on WordPress (works fine elsewhere, same site migrated to other hosts).

      E.g.: https://maher.ac.in/ilms

      In the Browser Inspector, I get a bunch of errors related to the content security policies - particularly in loading JS files from other domains.

      I tried adding a custom content security policy in the security tab of the application. I tried using the CSP Generator (Chrome plugin) to generate policies that I can add to the CSP in the security tab, but the page completely failed to load.
      I tried adding WordPress plugins such as the 'Cookies and Content Security Policy', added all the origin domains/subdomains of the various JS files that failed to load, but nothing seems to work.

      I have been trying to understand the root of the issue. I would be most grateful for any help and assistance in resolving this issue, please.

      Thank you.

      • Moved from Support by girish
        girish Staff @jagan last edited by

        @jagan by default, Cloudron doesn't set any CSP or CORS headers for apps. The apps set the appropriate CSP for themselves. The CSP setting in Cloudron is only meant to be used as an extreme measure (i.e., no way to change an app's hardcoded CSP).

        With this in mind, I would remove any custom CSP setting you have added in the Cloudron dashboard. This is most likely the wrong approach.

        Next, I would investigate the CSP/CORS headers sent by WordPress. Per https://community.adobe.com/t5/acrobat-services-api-discussions/pdf-embed-api-got-error/td-p/13142824, you need something like Access-Control-Allow-Origin: * sent from WordPress.

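Added example, not part of the original thread and not Cloudron or WordPress code: a browser enforces every Content-Security-Policy header it receives independently, so a resource must pass all of them, and a policy added in the dashboard on top of one set by a plugin can only restrict further. The sketch below reports which header and directive block a given URL. The policy strings and hostnames are constructed placeholders, and source matching is simplified to scheme and host.

```python
from urllib.parse import urlsplit

# Directive lookup order per resource kind (most specific first).
FALLBACK = {
    "script": ["script-src-elem", "script-src", "default-src"],
    "frame": ["frame-src", "child-src", "default-src"],
    "media": ["media-src", "default-src"],
}

def parse_csp(value):
    """Split one Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def source_matches(source, url, page_origin):
    """Simplified matching: scheme and host only, ports and paths are ignored."""
    u = urlsplit(url)
    if source == "*":
        return u.scheme in ("http", "https")
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):
        return False  # 'none', nonces, hashes etc. never match a URL
    if source.endswith(":"):
        return u.scheme == source[:-1]  # scheme-source such as https:
    s = urlsplit(source if "://" in source else f"{u.scheme}://{source}")
    host, target = s.hostname or "", u.hostname or ""
    if s.scheme != u.scheme:
        return False
    return target.endswith(host[1:]) if host.startswith("*.") else host == target

def blocking_directives(csp_headers, kind, url, page_origin):
    """Return (header index, directive) for each policy that blocks the URL."""
    blocked = []
    for i, header in enumerate(csp_headers):
        policy = parse_csp(header)
        name = next((d for d in FALLBACK[kind] if d in policy), None)
        if name and not any(source_matches(s, url, page_origin) for s in policy[name]):
            blocked.append((i, name))
    return blocked

# Constructed sample values, not taken from the site in the thread.
DASHBOARD_CSP = "default-src 'self'"
PLUGIN_CSP = "script-src 'self' https://cdn.pdf-viewer.example; frame-src https://*.video-host.example"
VIEWER_JS = "https://cdn.pdf-viewer.example/viewer.js"
```

Feed it the header values actually returned by the site (for example from the Network tab) to see which policy a blocked script or frame is failing.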