
Refused to create a worker from 'https://*/sw.js' because it violates the following Content Security Policy directive: "worker-src 'none'"

Open tunloop opened this issue 2 years ago • 2 comments

I just attempted to install the latest Homer dashboard behind NGINX. The browser loads all of the files from the web server, but registerSW.js fails to run.

Server: Debian 11, NGINX 1.18 Client: Chrome 104.0.5112.101 (Official Build)

NGINX Site config:

# Static file server for the Homer dashboard over TLS.
# NOTE(review): nothing in this block sets a Content-Security-Policy header, so
# the "worker-src 'none'" policy from the browser error is not defined here.
# Compare the response headers the browser actually receives (DevTools, Network
# tab) with what this config emits to find where the policy is introduced.
server {
        listen 443 ssl http2;
        # "_" is a placeholder that matches no real Host header; this block is
        # reached only when it is the default server for the listen socket.
        server_name _;
        # Certificate, protocol and cipher settings come from this snippet.
        include /etc/nginx/snippets/ssl_params.conf;
        location / {
                # Request paths are resolved against this directory.
                root /var/www/homer/;
        }
}

ls -l /var/www/homer/

total 64
drwxr-xr-x 4 www-data www-data  4096 Aug 19 17:07 assets
-rw-r--r-- 1 www-data www-data   729 Jul 15 17:08 index.html
-rw-r--r-- 1 www-data www-data 27504 Jul 15 17:08 logo.png
-rw-r--r-- 1 www-data www-data   134 Jul 15 17:08 registerSW.js
drwxr-xr-x 2 www-data www-data  4096 Jul 15 17:08 resources
-rw-r--r-- 1 www-data www-data  2866 Jul 15 17:08 sw.js
-rw-r--r-- 1 www-data www-data 15025 Jul 15 17:08 workbox-c1760cce.js

Browser Load: error

tunloop avatar Aug 19 '22 21:08 tunloop

What is in your /etc/nginx/snippets/ssl_params.conf? Seems you're setting a custom csp which blocks the service worker.

fbartels avatar Aug 20 '22 05:08 fbartels

> What is in your /etc/nginx/snippets/ssl_params.conf? Seems you're setting a custom csp which blocks the service worker.

I am not declaring any extra security headers there?

/etc/nginx/snippets/ssl_params.conf

# TLS parameters shared by sites that include this snippet.
# It contains no add_header directives, so it sets no Content-Security-Policy.
# The file names indicate a self-signed certificate; clients will not trust it
# unless it has been added to their trust store.
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
#
# Only TLS 1.2 and TLS 1.3 are offered.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# NOTE(review): with OpenSSL, ssl_ciphers selects suites for TLS 1.2 and earlier
# only, so the TLS_* (TLS 1.3) names in this list have no effect here.
# The two *-GCM-SHA512 entries do not appear to be suite names OpenSSL defines;
# confirm what the list really enables with `openssl ciphers -v '<list>'`.
# ECDHE-RSA-AES256-SHA384 is a CBC-mode suite; drop it if only AEAD suites are wanted.
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
# Session cache shared between worker processes (10 MB zone named "SSL").
ssl_session_cache shared:SSL:10m;
# Session tickets are disabled; resumption relies on the shared cache above.
ssl_session_tickets off;
# Diffie-Hellman parameters used by the DHE-* suites.
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Also, here is nginx.conf

# Main nginx configuration: worker settings, then the http context shared by
# every site pulled in from sites-enabled.
# Worker processes run as the unprivileged www-data account.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
        worker_connections 768;
        # multi_accept on;
}
http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        client_body_buffer_size 15K;
        client_header_buffer_size 15k;
        # NOTE(review): 700000M (roughly 680 GiB) effectively removes the
        # request-body size limit for every site; size this to the largest
        # upload the sites actually need so oversized bodies are rejected early.
        client_max_body_size 700000M;
        large_client_header_buffers 2 15k;

        ##
        # Extra Security
        ##
        # NOTE(review): this only adds an "Allow" header to every response; it
        # does not reject other request methods. Restricting methods needs
        # limit_except (or an explicit check) in the relevant location.
        # This is the only add_header in this file, and it is not a
        # Content-Security-Policy. A server or location inherits it only while
        # that level defines no add_header of its own.
        add_header Allow "GET, POST, HEAD" always;
        # Omits the nginx version from the Server header and error pages.
        server_tokens off;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/sites-enabled/*;
}

tunloop avatar Aug 20 '22 13:08 tunloop