CSP error in admin panel + security warning from angular-translate

warg

Hello,

I just noticed that some CSP policy triggers an error in Firefox's console and additionally I see a security warning coming from angular-translate:

Can you check this please?

Thank you.

Best Regards,

girish

@warg Not seeing this in our Cloudrons . Are you seeing this with your browser in the demo cloudron - https://my.demo.cloudron.io/#/apps ( username: cloudron password: cloudron )

warg

Yes, I see it there as well:

girish

I suspect this is some browser extension or something else then. Is anyone else seeing this ? What's your firefox version? I run stable (113.0.2 (64-bit)), so maybe a version mismatch in testing?

Edit: tried in chrome as well, no errors.

nebulon

I also can't reproduce this on firefox anywhere. Can you try to isolate this by disableing adb and no-script (if that is the one I can see in the extension icons) extension temporarily?

warg

I just turned off Adblock Plus and NoScript. The CSP error is gone but the security warning is still there:

This happens with Firefox v113.0.2 (64-Bit).

girish

The warning is harmless but possibly should be fixed... I think it's because we allow our translations to be "html" and not just text. This is intentional, I guess. @nebulon do you know if there is a way to get rid of the warning?

necrevistonnezr

@warg This is not a "security warning" - it's one of those millions of (annoying) notices Firefox spurts out on almost every website.

nebulon

I think the zoom warning comes from the fact that we use a very old bootstrap css theme.

warg

Maybe to clarify it: I don't care about the zoom warning. It's just some css thing. The 2nd and 3rd message were what looks important to me. The CSP error is caused by a Firefox extension so shouldn't matter until I checked that the add-on is right. The warning regarding the insecure translations should be checked. If you say this comes from the fact that translations are html-enabled loaded, maybe it makes sense to keep the HTML part hardcoded and just load translations as plain-text. If that's possible is unknown to me.

nebulon

I don't see how this can be actually used for malicous action regarding the translations, since those are coming in a well-known format and from your server itself, so unless someone intercepts or changes that on the server, nothing much can happen (and if someone can do that, well there are other things one should be worried about)

If there are serious concerns around a real security issue, would be great to have that explained if someone is aware.