Content-Security-Policy blocks my alias for cloud static content


#1

Hello,

I use Mastodon with cloud storage through a Minio server (as a gateway to OSS, Alibaba Cloud's S3 equivalent).
I set up an alias, files.mydomain.tld.

The images can be displayed in my browser by using the URL files.mydomain.tld/…/image.png directly,
but they can't be displayed in the Mastodon frontend.

My Mastodon website uses HTTPS, but my alias can't have HTTPS for now, so I would like to allow plain HTTP on it for now.

My browser displays a message about the Content-Security-Policy blocking the assets; I found it is defined in live/config/initializers/content_security_policy.rb.

But I don't know how to override the “Rails.configuration.action_controller.asset_host” value with my asset URL, if that is possible without editing the code. (I tried editing it after making a backup, but after rebuilding assets/… it didn't seem to be applied as I expected…)

(The files are correctly uploaded to OSS, and the links used are valid for display; I'm only blocked by the CSP here…)

How can I fix this?

Edit:
For now, it works by adding another URL after the assets_url in content_security_policy.rb, but I don't know if it's easily maintainable. I also tried the CDN_HOST env variable, but even though it changes the CSP, other things break…


#2

We will not support allowing http domains in the content-security-policy; it creates an unacceptable security risk.

How did you set up your OSS “alias” in the first place? Did you modify the code? Any supported asset configuration (like using environment variables to set the paperclip asset host) should work out of the box automatically.


#3

During the installation, when the wizard asked “Do you want to store uploaded files on the cloud?”, I chose Minio as the provider, because I set up a Minio server locally, running in gateway mode with OSS.

Then, I answered yes to the “Do you want to access the uploaded files from your own domain?” question.

My domain uses HTTPS for the Mastodon frontend, but in this configuration the instance tries to get the files from https://files.mydomain.tld; however, OSS isn't like AWS S3, and by default it is in HTTP-only mode.

I tried to switch it to HTTPS, but as I use Let's Encrypt, it's difficult to update the OSS certificate through the CLI, and you need to upload one…
If I try to go further this way, I need to:
1- I would need to get a wildcard subdomain for my certificate (Let's Encrypt can do this, but not in its default configuration) or add a web server listening on files.mydomain.tld on port 80 to complete the verification check with Certbot.
2- I need to be able to upload the new certificate to the OSS configuration from cron, via the CLI… Well, there is nothing to do this in the aliyun-cli OSS commands, or it's undocumented…

So, yes, in the end I made a small edit to my Mastodon instance code (file: live/config/initializers/content_security_policy.rb) to do this:
cloud_host = "http://#{ENV['S3_ALIAS_HOST']}"

Then I added my cloud_host variable to the p.font_src, p.img_src, p.style_src, p.media_src and p.manifest_src lines.

I know it's ugly (especially the way I declare this cloud_host variable…), but because I didn't find a way to handle this, I applied it as a “fast and easy” fix on my instance.
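
The following is an added example, not code from the thread or from Mastodon's own content_security_policy.rb, of how the same edit can be done while keeping the policy restricted to https origins. It reads the S3_ALIAS_HOST value mentioned in the post, adds it to the five directives the post names, and refuses an http:// scheme: a CSP that whitelists an http origin on an https site still leaves those images, fonts, stylesheets and the web manifest open to substitution by anyone on the network path, and stylesheets and fonts would additionally hit the browser's mixed-content blocking. The function names (asset_origin, build_policy, serialize_policy, InsecureAssetHost) are this example's own, and it deliberately avoids the Rails CSP DSL so it runs stand-alone; the resulting header string is what you would compare against the one your instance actually sends.

```ruby
# Added example: build Content-Security-Policy source lists for the asset
# directives discussed in the thread, refusing plain-http alias hosts.
# Illustrative code, NOT Mastodon's initializer; no Rails dependency.
require 'uri'

# Directives the poster added the alias host to (CSP header spelling).
ASSET_DIRECTIVES = %w[font-src img-src style-src media-src manifest-src].freeze

class InsecureAssetHost < StandardError; end

# Normalise an S3 alias host (env value such as "files.mydomain.tld" or
# "https://files.mydomain.tld:9000") into an https origin usable as a CSP
# source. A bare hostname gets https:// prepended; an explicit http://
# scheme is rejected rather than silently rewritten, so a misconfiguration
# fails loudly instead of shipping an insecure policy.
def asset_origin(alias_host)
  return nil if alias_host.nil? || alias_host.strip.empty?

  value = alias_host.strip
  value = "https://#{value}" unless value.include?('://')
  uri = URI.parse(value)
  raise InsecureAssetHost, "refusing non-https origin #{value}" unless uri.scheme == 'https'
  raise InsecureAssetHost, "no host in #{value}" if uri.host.nil?

  # Only emit the port when it is not the https default.
  port = uri.port == 443 ? '' : ":#{uri.port}"
  "https://#{uri.host}#{port}"
end

# Build the policy as directive => source list. 'self' always stays; the
# alias origin is appended only when one is configured.
def build_policy(alias_host)
  origin = asset_origin(alias_host)
  sources = ["'self'"]
  sources << origin if origin

  policy = { 'default-src' => ["'none'"] }
  ASSET_DIRECTIVES.each { |directive| policy[directive] = sources.dup }
  policy
end

# Serialise to the header value format: "directive src src; directive src".
def serialize_policy(policy)
  policy.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join('; ')
end

if __FILE__ == $PROGRAM_NAME
  # Prints the policy for whatever S3_ALIAS_HOST is set to in the environment
  # (an empty alias yields a 'self'-only policy).
  puts serialize_policy(build_policy(ENV['S3_ALIAS_HOST']))
end
```

Running it with S3_ALIAS_HOST=files.mydomain.tld prints a policy whose img-src and friends read `'self' https://files.mydomain.tld`; with S3_ALIAS_HOST=http://files.mydomain.tld it raises InsecureAssetHost instead of producing the policy the original patch produced.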


#4

Well, I'm glad you've found a setup that works for you. However, we don't support using insecure domains for an S3 host, so I don't think there's anything we can do to make this easier.

