Problem with "Content Security Policy" directive

Added by Federico Rodriguez over 4 years ago

When I save a change in the site, this error appears in the JavaScript console:

Refused to send form data to 'http://openproject.mydomain/' because it violates the following Content Security Policy directive: "form-action 'self'".

How can I solve it?


Replies (12)

RE: Problem with "Content Security Policy" directive - Added by Federico Rodriguez over 4 years ago

My openproject-le-ssl.conf file:

 
 
 ServerName xxxxxxxxxxxxxxxxxxxxxxxxxx
 DocumentRoot /opt/openproject/public 

 ProxyRequests off 

 Include /etc/openproject/addons/apache2/includes/vhost/*.conf 

 # Can't use Location block since it would overshadow all the other proxypass directives on CentOS 
 ProxyPass / http://127.0.0.1:6000/ retry=0 
 ProxyPassReverse / http://127.0.0.1:6000/ 

SetEnv proxy-nokeepalive 1 
RequestHeader set X-Forwarded-Proto "https" 
Header unset X-Frame-Options 
Header merge Cache-Control no-cache 
Header set Access-Control-Allow-Origin "*"
SSLCertificateFile /etc/letsencrypt/live/trepcom.data.com.uy/fullchain.pem 
SSLCertificateKeyFile /etc/letsencrypt/live/trepcom.data.com.uy/privkey.pem 
Include /etc/letsencrypt/options-ssl-apache.conf 
 

RE: Problem with "Content Security Policy" directive - Added by Juan Gimenez about 4 years ago

Hi, I have the same problem, were you able to solve this?

Thanks

RE: RE: Problem with "Content Security Policy" directive - Added by Martin Finkenflügel about 4 years ago

I ran into the same problem.

The solution was to set the correct protocol in your systems settings. Mine was set to http although my nginx config forced OpenProject to use https. Switching the protocol to https instead of http fixed it.

RE: Problem with "Content Security Policy" directive - Added by Oliver Günther about 4 years ago

Thanks Martin for the information. Since the packaged installation would set the protocol automatically only for Apache installations, I can see that with Nginx users tend to run into this problem.

I'll look into documenting this option better in case of skipping Apache installation. In short, when installing with Nginx (or manually embedding in Apache), you will want to set the following variables manually:

openproject config:set SERVER_HOSTNAME=yourdomain.example
openproject config:set SERVER_PROTOCOL=https # when you use TLS or proxy with X-Forwarded-Proto

Best,

Oliver
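
Added example (not part of the thread, and not OpenProject code): a simplified version of the CSP Level 3 matching rule for `'self'`, showing why a page loaded over https may not post a form to the http URL of the same host. The `diagnose` helper is hypothetical and assumes the application renders form targets from its configured protocol and host name, as the replies above suggest.

```javascript
// Simplified 'self' matching for "form-action 'self'" (CSP Level 3 rule for
// matching a URL against 'self'; ws/wss schemes are left out).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// URL.port is "" when the scheme's default port is in use.
function effectivePort(u) {
  return u.port !== "" ? u.port : DEFAULT_PORTS[u.protocol];
}

// True if a form on pageUrl may submit to actionUrl under form-action 'self'.
function formActionSelfAllows(pageUrl, actionUrl) {
  const page = new URL(pageUrl);
  const action = new URL(actionUrl, page); // also resolves relative actions
  if (page.origin === action.origin) return true;
  if (page.hostname !== action.hostname) return false;
  const samePort = effectivePort(page) === effectivePort(action);
  const bothDefault = page.port === "" && action.port === "";
  if (!samePort && !bothDefault) return false;
  // Same host, different scheme: an upgrade to https still counts as 'self',
  // a downgrade from https to http does not.
  return action.protocol === "https:";
}

// Hypothetical helper: compare the URL the browser loaded with the absolute
// URL the application would build from its configured protocol and host.
function diagnose(browserUrl, configuredProtocol, configuredHost) {
  const action = `${configuredProtocol}://${configuredHost}/`;
  if (formActionSelfAllows(browserUrl, action)) {
    return { action, allowed: true, review: null };
  }
  const sameHost = new URL(browserUrl).hostname === new URL(action).hostname;
  // Same host but blocked means the scheme (or port) is wrong; otherwise the
  // configured host name does not match what the browser sees.
  return {
    action,
    allowed: false,
    review: sameHost ? "SERVER_PROTOCOL" : "SERVER_HOSTNAME",
  };
}

// Constructed input modelled on the error message in the first post.
console.log(diagnose("https://openproject.mydomain/settings", "http", "openproject.mydomain"));
console.log(diagnose("https://openproject.mydomain/settings", "https", "openproject.mydomain"));
```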

RE: Problem with "Content Security Policy" directive - Added by Martin Finkenflügel about 4 years ago

Hi Oliver,

No problem!

Wouldn't it be possible to automate this for nginx users as well? Seeing as the example hostname does already suggest the correct hostname.

I'm running the Docker image by the way, on a webserver which has nginx installed.

RE: Problem with "Content Security Policy" directive - Added by Oliver Günther about 4 years ago

Hi Martin,

yes, it is definitely possible to automate that, but would also increase complexity on our packages to support multiple vendors.

Best,

Oliver

RE: Problem with "Content Security Policy" directive - Added by Martin Finkenflügel about 4 years ago

Update:

Problem returned after upgrading. Also adding this line to my nginx configuration (as mentioned here) seems to have solved it: 

proxy_set_header X-Forwarded-Proto $scheme;

RE: Problem with "Content Security Policy" directive - Added by Sascha Nonn almost 4 years ago

I had the same issue, I couldn't login due to the error of not sending form data to http addresses. Finally I solved the problem by altering the database:

mariadb; update settings set value = "https" where value = "http";

Before this, I did the configs, added the proxy header, recompiled the assets afterwards and restarted the server, nothing helped, but this. Good luck everybody.

RE: Problem with "Content Security Policy" directive - Added by Oliver Günther almost 4 years ago

This might be connected to the following bug report: . I wrote it earlier in this thread, but if you had configured Apache2 at any earlier time in the installation, your environment config will still contain a reference to SERVER_HOSTNAME. You will want to set this env manually with openproject config:set SERVER_HOSTNAME="https" to ensure it will survive upgrades.

Best,

Oliver

RE: Problem with "Content Security Policy" directive - Added by Sascha Nonn almost 4 years ago

Oliver Günther wrote:

This might be connected to the following bug report: . I wrote it earlier in this thread, but if you had configured Apache2 at any earlier time in the installation, your environment config will still contain a reference to SERVER_HOSTNAME. You will want to set this env manually with openproject config:set SERVER_HOSTNAME="https" to ensure it will survive upgrades.

I guess you mean SERVER_PROTOCOL?

RE: Problem with "Content Security Policy" directive - Added by Oliver Günther almost 4 years ago

You're right, thanks for spotting. The SERVER_HOSTNAME however is also affected in the same fashion.

RE: Problem with "Content Security Policy" directive - Added by Graham Higgins almost 4 years ago

Hi,

I'm seeing a similar issue. I'm using an evaluation version of the Cloud product. Is there a way to configure this for the Cloud version?

I'm trying to load the UI into an iframe.

Thanks

Graham
