-
-
Notifications
You must be signed in to change notification settings - Fork 309
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Enhancement] Support landing page image in security headers #1576
Comments
For security reasons, Lychee now has a fairly restrictive Content Security Policy. You can add an exception for your image by editing the following file: Lychee/config/secure-headers.php Lines 374 to 395 in 0fc21a4
I hope this helps! |
Hello, thank you for your feedback. It's a way to do it I'm sure but for me using docker I'm not sure it's very practical. If mount a file to overwrite this one and the file change in the futur I will have trouble. Is it not possible to allow automatically the domain used in the field landing_background or having an other field of allowed sources ? |
This probably will require the use of |
This would be good as well for things like tracking scripts (eg Google Analytics), which right now are non-trivial to do in docker. |
Detailed description of the problem [REQUIRED]
I try to change the landing_background value with external URL in the advanced settings but the image is not loading.
Steps to reproduce the issue
Steps to reproduce the behavior:
Refused to load the image 'https://static.mydomain.ch/lychee/background.jpg' because it violates the following Content Security Policy directive: "img-src 'self' https://maps.wikimedia.org/osm-intl/ https://a.tile.osm.org/ https://b.tile.osm.org/ https://c.tile.osm.org/ https://a.tile.openstreetmap.de/ https://b.tile.openstreetmap.de/ https://c.tile.openstreetmap.de/ https://a.tile.openstreetmap.fr/osmfr/ https://b.tile.openstreetmap.fr/osmfr/ https://c.tile.openstreetmap.fr/osmfr/ https://a.osm.rrze.fau.de/osmhd/ https://b.osm.rrze.fau.de/osmhd/ https://c.osm.rrze.fau.de/osmhd/ data:".
Screenshots
If applicable, add screenshots to help explain your problem.
Output of the diagnostics [REQUIRED]
(Settings => Diagnostics or https://example.com/Diagnostics or
php artisan lychee:diagnostics
)`Diagnostics
-------
Warning: Dropbox import not working. dropbox_key is empty.
Warning: Default timezone not properly set; you might experience strange results when importing photos without explicit EXIF timezone
Browser and system
Comment
I try to add landing_background accessible through URL of an other sub domain in https. Chrome refuse to load the image due to an
Content Security Policy directive: "img-src 'self'
. I think it required to change the value img-src to load images from other domain but I'm not sure.Documentation : https://lycheeorg.github.io/docs/settings.html#landing_background
Stackoverflow : https://stackoverflow.com/questions/40360109/content-security-policy-img-src-self-data
Important information, the app run under gallery.mydomain.ch and the background image I'm trying to load is under static.mydomain.ch.
I took the liberty to change the domain in the config below.
I hope it's a real issue and it can help to improve the app how is great by the way.
Best regards
Claude
The text was updated successfully, but these errors were encountered: