Commit 49d521e9 authored by Till Brehm

Fixed #5341 CSS Styles do not load in ISPConfig UI when no SSL is used

parent cc8a3e8a
......@@ -89,11 +89,11 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
<IfModule mod_headers.c>
# ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
<tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
Header set X-Content-Type-Options: nosniff
Header set X-Frame-Options: SAMEORIGIN
Header set X-XSS-Protection: "1; mode=block"
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
<tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
<IfVersion >= 2.4.7>
Header setifempty Strict-Transport-Security "max-age=15768000"
</IfVersion>
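Review bot: prefixing the whole Content-Security-Policy and Set-Cookie lines with `<tmpl_var name="ssl_comment">` drops the CSP and the HttpOnly cookie flag entirely on non-SSL vhosts, although only two pieces actually break plain-HTTP setups: `upgrade-insecure-requests` (which makes the browser fetch the UI's CSS and JS over https, hence the missing styles) and the `Secure` cookie attribute. Consider emitting a second variant for the non-SSL case instead of commenting the headers out: the same CSP without `; upgrade-insecure-requests`, and `Header always edit Set-Cookie (.*) "$1; HTTPOnly"`. Minor: the comment above the CSP line reads "unsafe-line" where "unsafe-inline" is meant.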
  • My fault on this one - I feel pretty dumb, not even considering that some folks might run ISPConfig without HTTPS.

    The CSP header could still be used on HTTP sites, just remove "; upgrade-insecure-requests" from the end. I don't know how to do that in the template language right offhand (if/else or ??), so just mentioning it for now.

    Similarly, the set-cookie header could/should still be set HTTPOnly, just drop off the 'Secure' if running ISPConfig without HTTPS.

    FWIW, the HSTS header should be fine as is, it is ignored on HTTP sites.

    Edited by Jesse Norell
  • Hi Jesse, my test servers are using https too, that's why I did not notice it earlier. I'll have a look at this to see if we can modify the options for http systems. But in general, I would say that users should just enable https. I guess we should consider disabling the option to not encrypt the UI in ISPConfig 3.2.
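One way to express the split discussed above in plain Apache 2.4 configuration, as an added example that is not the ISPConfig vhost template itself: it assumes mod_headers is loaded, that `<If>`/`<Else>` and the `%{HTTPS}` expression variable are available (Apache 2.4), and that the HSTS line can stay unconditional because browsers ignore it on plain HTTP.

```apache
<IfModule mod_headers.c>
    # Protocol-independent hardening headers (same on http and https)
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"

    <If "%{HTTPS} == 'on'">
        # HTTPS vhost: full policy; upgrade-insecure-requests is safe here because
        # the upgraded https:// subresource requests can actually be served.
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
        # Session cookie: not readable by script, and never sent over plain http.
        Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
    </If>
    <Else>
        # Plain-HTTP vhost: same policy minus upgrade-insecure-requests, which would
        # rewrite the UI's own CSS/JS requests to https:// and break them when no
        # TLS listener exists (the symptom of #5341).
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
        # Keep HttpOnly (still meaningful on http); drop Secure, which would make the
        # browser discard the cookie for http:// origins and break login.
        Header always edit Set-Cookie (.*) "$1; HttpOnly"
    </Else>

    # HSTS only takes effect when received over https, so it can stay unconditional.
    <IfVersion >= 2.4.7>
        Header setifempty Strict-Transport-Security "max-age=15768000"
    </IfVersion>
</IfModule>
```

Verify the result with `curl -sI http://host:8080/` versus `curl -sI https://host:8080/` and check that only the https response carries `upgrade-insecure-requests` and `Secure`.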
