Cloudron Forum


CSP error in admin panel + security warning from angular-translate

  • warg wrote (last edited by girish) #1

    Hello,

    I just noticed that some CSP policy triggers an error in Firefox's console and additionally I see a security warning coming from angular-translate:

    23fe06d8-f9ab-4c7b-87a1-c78649c03647-grafik.png

    Can you check this please?

    Thank you.

    Best Regards,

  • girish (Staff) wrote #2

    @warg Not seeing this in our Cloudrons. Are you seeing this with your browser in the demo Cloudron - https://my.demo.cloudron.io/#/apps (username: cloudron password: cloudron)?

  • warg wrote #3

    Yes, I see it there as well:

    grafik.png

  • girish (Staff) wrote (last edited by girish) #4

    I suspect this is some browser extension or something else then. Is anyone else seeing this? What's your Firefox version? I run stable (113.0.2 (64-bit)), so maybe a version mismatch in testing?

    Edit: tried in Chrome as well, no errors.

  • nebulon (Staff) wrote #5

    I also can't reproduce this on Firefox anywhere. Can you try to isolate this by disabling adb and no-script (if that is the one I can see in the extension icons) extension temporarily?

  • warg wrote (last edited by warg) #6

    I just turned off Adblock Plus and NoScript. The CSP error is gone but the security warning is still there:

    grafik.png

    This happens with Firefox v113.0.2 (64-Bit).

  • girish (Staff) wrote #7

    The warning is harmless but possibly should be fixed... I think it's because we allow our translations to be "html" and not just text. This is intentional, I guess. @nebulon do you know if there is a way to get rid of the warning?

  • necrevistonnezr replied to warg #8

    @warg This is not a "security warning" - it's one of those millions of (annoying) notices Firefox spurts out on almost every website.

  • nebulon (Staff) wrote #9

    I think the zoom warning comes from the fact that we use a very old bootstrap css theme.

  • warg wrote #10

    Maybe to clarify it: I don't care about the zoom warning. It's just some CSS thing. The 2nd and 3rd messages were what looked important to me. The CSP error is caused by a Firefox extension so shouldn't matter until I checked that the add-on is right. The warning regarding the insecure translations should be checked. If you say this comes from the fact that translations are html-enabled loaded, maybe it makes sense to keep the HTML part hardcoded and just load translations as plain-text. Whether that's possible is unknown to me.

  • nebulon (Staff) wrote #11

    I don't see how this can be actually used for malicious action regarding the translations, since those are coming in a well-known format and from your server itself, so unless someone intercepts or changes that on the server, nothing much can happen (and if someone can do that, well there are other things one should be worried about).

    If there are serious concerns around a real security issue, would be great to have that explained if someone is aware.

  • girish marked this topic as a question
  • girish has marked this topic as solved
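
The concern raised in posts #7, #10 and #11 is that translation strings are rendered as HTML, so a translation file altered on the server could carry markup into the admin panel. The following is an added example, not Cloudron's code and not part of the original thread: a Node.js review aid that walks a translation dictionary and reports strings whose markup goes beyond a small allow-list. The allow-lists, function names and sample dictionary are assumptions constructed for illustration.

```javascript
// Added example: review aid for translation strings that get rendered as HTML.
// Regex-based on purpose: it flags strings for a human, it is not a sanitizer.
// ALLOWED_* and the sample dictionary are assumptions, not Cloudron's values.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'br', 'code', 'strong', 'em']);
const ALLOWED_ATTRS = new Set(['href', 'target', 'rel', 'class']);
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i;
// Return the reasons one translation string needs review (empty array = fine).
function findMarkupIssues(text) {
  const issues = [];
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  for (const m of text.matchAll(tagRe)) {
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) { issues.push(`tag <${tag}> not allowed`); continue; }
    const attrRe = /([\w:-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (const a of m[3].matchAll(attrRe)) {
      const name = a[1].toLowerCase();
      const value = (a[3] ?? a[4] ?? a[5] ?? '').trim();
      if (!ALLOWED_ATTRS.has(name)) {
        issues.push(`attribute ${name} on <${tag}> not allowed`);
      } else if (name === 'href' && !SAFE_HREF.test(value)) {
        issues.push(`href scheme not allowed: ${value}`);
      }
    }
  }
  return issues;
}

// Walk a nested translation object; return { 'dotted.key': [issues] } for flagged strings.
function auditTranslations(dict, prefix = '') {
  const report = {};
  for (const [key, value] of Object.entries(dict)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (typeof value === 'string') {
      const issues = findMarkupIssues(value);
      if (issues.length) report[path] = issues;
    } else if (value && typeof value === 'object') {
      Object.assign(report, auditTranslations(value, path));
    }
  }
  return report;
}

// Constructed sample input: two ordinary strings and two that should be flagged.
const sample = {
  apps: { title: 'Your <b>apps</b>', docs: 'See the <a href="https://docs.example.test">docs</a>' },
  login: { hint: 'Welcome <b onclick="track()">back</b>', help: '<a href="javascript:void(0)">help</a>' },
};
console.log(auditTranslations(sample));
```

Run against the translation files in a build or deployment check, an empty report means every string stays within the allow-list; any flagged key is a string to inspect before it reaches the browser.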
