By: Patrick Ethier user 14 Feb 2017 at 10:07 a.m. CST

5 Responses
Go to OpenID Connect and try to add a client (with the browser developer console open). Trying to do anything that requires a pop-up (adding a scope, adding a request type, etc.) throws an unsafe-inline error in the browser's debug console. Edit /etc/apache2/sites-available/https_gluu.conf and comment out the line:

```
Header always set Content-Security-Policy "default-src 'self'
```

Restart Apache and try again; the errors are gone.

By Michael Schwartz Account Admin 14 Feb 2017 at 5:22 p.m. CST

Interesting, but keep in mind that the admin console is not user facing. Those content security settings are mainly to protect the login page. I'm not sure if this is something we should address. If you have any other thoughts about what we should do about it, please post.

By Patrick Ethier user 14 Feb 2017 at 5:27 p.m. CST

Thanks Michael... Agreed, but right now, based on your install script/RPM/DEB packages for the community edition, oxTrust is being exposed through the same Apache HTTPD configuration/reverse proxy as the identity app. I'd suggest you split up the packaging and/or configure the install script to provide two different virtual hosts out of the box, on different ports maybe? (That way, one virtual host can have the header directive set and the other not.)

By Patrick Ethier user 14 Feb 2017 at 5:28 p.m. CST

This being said, is there any documentation on decoupling the admin interface from the user level stuff anywhere? It doesn't seem like there's a link in the overall docs (there might be in the source tree but I haven't found it).

By Michael Schwartz Account Admin 14 Feb 2017 at 5:30 p.m. CST

Yes, that's true. But the Apache config is just a starting point. Managing Apache httpd is pretty standard stuff, as is using a different Ethernet interface to host the admin interface.

By Patrick Ethier user 14 Feb 2017 at 5:38 p.m. CST

Ok, so isolating

```
<Location /oxauth>
    ProxyPass        http://localhost:8081/oxauth retry=5 disablereuse=On
    ProxyPassReverse http://localhost:8081/oxauth
    Header set Access-Control-Allow-Origin "*"
    Order allow,deny
    Allow from all
</Location>
```

into its own VirtualHost on a different interface (or IP) should work without modifying anything else?
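As an added example (not Gluu's shipped https_gluu.conf, and not configuration posted by either participant), here is the split discussed in the thread: one VirtualHost per interface, with the strict Content-Security-Policy applied only to the public login vhost and the admin console reachable only from a management address. The hostnames, the 203.0.113.10 / 10.0.0.10 addresses, the certificate paths and the oxTrust backend (assumed here to be proxied from localhost:8082 under /identity) are placeholders; only the /oxauth backend on localhost:8081 is taken from the thread. Check every one of them against your own https_gluu.conf before using this.

```apache
# Added example; placeholders throughout. Apache 2.4 "Require" syntax is used
# (on 2.2, use the Order/Allow form shown earlier in the thread instead).

Listen 203.0.113.10:443
Listen 10.0.0.10:443

# --- Public vhost: only the login / authorization server (oxAuth). ---
# The strict CSP stays here, because this is the page end users see.
<VirtualHost 203.0.113.10:443>
    ServerName idp.example.com
    SSLEngine on
    SSLCertificateFile    /etc/certs/httpd.crt
    SSLCertificateKeyFile /etc/certs/httpd.key

    Header always set Content-Security-Policy "default-src 'self'"
    Header always set X-Frame-Options DENY

    <Location /oxauth>
        ProxyPass        http://localhost:8081/oxauth retry=5 disablereuse=On
        ProxyPassReverse http://localhost:8081/oxauth
        Require all granted
    </Location>

    # The admin console is not served on the public interface at all.
    <Location /identity>
        Require all denied
    </Location>
</VirtualHost>

# --- Admin vhost: oxTrust only, on the management interface. ---
# No "default-src 'self'" here, since the console depends on inline scripts
# that the policy blocks; compensate by restricting the source network.
<VirtualHost 10.0.0.10:443>
    ServerName admin.idp.example.com
    SSLEngine on
    SSLCertificateFile    /etc/certs/httpd.crt
    SSLCertificateKeyFile /etc/certs/httpd.key

    # Assumption: oxTrust backend on localhost:8082 under /identity.
    <Location /identity>
        ProxyPass        http://localhost:8082/identity retry=5 disablereuse=On
        ProxyPassReverse http://localhost:8082/identity
        Require ip 10.0.0.0/24
    </Location>

    # Nothing else is exposed on the admin interface.
    <Location />
        Require all denied
    </Location>
    <Location /identity>
        Require ip 10.0.0.0/24
    </Location>
</VirtualHost>
```

The admin's browser still authenticates through oxAuth: oxTrust redirects it to the oxAuth issuer hostname (the public vhost above), so no second copy of the /oxauth location is needed on the admin side. After `apachectl configtest` and a restart, a check such as `curl -sI https://idp.example.com/oxauth/ | grep -i content-security-policy` from the public side should show the header, while the same request against the admin hostname for /identity/ from the management network should not, and from anywhere else should be refused with 403.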