GoAccess stats blocked by Content Security Policy (nginx)

short description

Loading GoAccess resources is blocked by Content Security Policy in current Firefox and partially in Edge.

correct behavior

Should not be blocked.

environment

Server OS: ubuntu

Server OS version: 20.04.1 (focal)

ISPConfig version: 3.2dev20201006

nginx version: nginx/1.18.0 (Ubuntu)

proposed fix

change header Content-Security-Policy in server/conf/nginx_vhost.conf.master for location /stats/ from

add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline';";

to

add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";

references

https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/conf/nginx_vhost.conf.master#L172

screenshots

[Screenshot: csp-blocked]

workaround

Add the following to nginx directives in the website options to overwrite the defaults:

location /stats/ {
  index index.html index.php;
  auth_basic "Members Only";
  auth_basic_user_file {DOCROOT}stats/.htpasswd_stats;
  add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";
}
Edited by Peter Müller
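
The difference between the two headers in this issue can be checked mechanically. The following is an added example, not part of the original issue or of ISPConfig: it parses both policies and reports what the `default-src` list permits, using a simplified matching model in which `*` covers only `http` and `https` (the wildcard never matches `data:`, which is why the fix lists it explicitly). The function names are chosen for this example.

```python
# Added example, not ISPConfig code: simplified model of CSP source matching,
# limited to the default-src fallback used by both headers in this issue.
BEFORE = "default-src * 'self' 'unsafe-inline';"
AFTER = "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;"

# Assumption/simplification: '*' is modelled as covering only http and https.
# data:, blob: and filesystem: are never matched by '*'.
WILDCARD_SCHEMES = {"http", "https"}
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Return {directive: [source, ...]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def allows_scheme(sources, scheme):
    """True if a resource loaded via `scheme` (for example 'data') would pass."""
    if scheme + ":" in sources:
        return True
    return "*" in sources and scheme in WILDCARD_SCHEMES


def allows_inline(sources):
    """'unsafe-inline' is ignored once a nonce or hash source is present."""
    strict = any(s.startswith(STRICT_PREFIXES) for s in sources)
    return "'unsafe-inline'" in sources and not strict


def audit(header):
    """Summarise what the default-src list permits."""
    sources = parse_csp(header).get("default-src", [])
    return {
        "remote_https": allows_scheme(sources, "https"),
        "data_uri": allows_scheme(sources, "data"),
        "inline": allows_inline(sources),
        "eval": "'unsafe-eval'" in sources,
    }


if __name__ == "__main__":
    for label, header in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(header))
```

With the proposed header all four checks are true, so the policy for `/stats/` no longer restricts where scripts come from or how they run.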