Checkup page complains about Content-Security-Policy settings

meaz

Cryptpad works fine, but I get an error when checking my configuration with https://cryptpad.mydomain/checkup/

https://cryptpad.server.org/sheet/inner.html was served with incorrect Content-Security-Policy headers.

A value of "'self' https: vector:" was expected for the frame-ancestors directive. This rule determines which sites can embed content from this instance in an iframe.

but the test also tells me:

{
 "default-src": "'none'",
 "child-src": "https://server.org",
 "worker-src": "'self'",
 "media-src": "blob:",
 "style-src": "'unsafe-inline' 'self' https://server.org",
 "script-src": "'self' 'unsafe-eval' 'unsafe-inline' resource: https://server.org",
 "connect-src": "'self' https://cryptpad.server.org blob: wss://server.org https://sandbox.server.org",
 "font-src": "'self' data: https://server.org",
 "img-src": "'self' data: blob: https://server.org",
 "frame-src": "'self' https://sandbox.server.org blob:",
 "frame-ancestors": "'self' https://server.org"
}

Any idea why?

Mathilde

Hello,

Thanks for taking your configuration issue over here!

You may have activated embedding from your instance admin settings (at https://your-instance.org/admin/#general).

Enable remote embedding setting

If you indeed did so, you'll need to adapt your Nginx configuration file (lines 128-133):

    # frame-ancestors specifies which origins can embed your CryptPad instance
    # this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
    # if you have enabled remote embedding via the admin panel then this must be more permissive.
    # note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
    set $frameAncestors "'self' https://${main_domain}";
    # set $frameAncestors "'self' https: vector:";

Hope this helps!

meaz

Thanks a lot, it is fixed now.

We had to set:
set $frameAncestors "'self' https: vector:";
instead of
set $frameAncestors "'self' https://${main_domain}";

Another question though: how can the "remote embedding" be enabled without using the admin panel ? I can't find where in the config file.

Mathilde

You're welcome! Glad to read you managed to make it work. 😊

Regarding your other question I don't quite understand. What are you trying to achieve? Remote embedding should be enabled (or disabled) from the admin panel.

Our documentation explain how to do it: https://docs.cryptpad.org/en/admin_guide/admin_panel.html#enable-remote-embedding

meaz

Mathilde

We use Ansible to deploy cryptpad and update it on our server. So we have made the config.js file as a template which allows us to change settings directly there, without using the admin panel.
So my question is: can this remote embedding option be enabled directly into theconfig.js file?

Mathilde

Can you create another thread for this? Because I expect you won't be the only one trying to deploy CryptPad using Ansible. 😊