
NginxProxyManager; Reverse Proxy with Let's Encrypt for Oxicloud; Question About Behavior #523

Description

@roswitina

Windows 11 Enterprise, Firefox 152.0.2 64bit
To test access to Oxicloud on the LAN, I added the following to the .env file:

OXICLOUD_COOKIE_SECURE=false

With this setting, access from the LAN via ip:port works.

When I access Oxicloud via HTTPS using NginxProxyManager with these settings, it also works.

However, if I delete

OXICLOUD_COOKIE_SECURE=false

in the .env file, I can no longer access Oxicloud via HTTPS.

I uploaded the console logs to Gemini. Here is the explanation I received:

The OxiCloud Rust backend (or the Svelte frontend) returns an HTTP header called Content-Security-Policy (CSP). This is set very restrictively to 'self'. This means: the browser is only allowed to execute scripts located in external .js files.

However, during loading (hydration), SvelteKit embeds two small inline scripts directly into the HTML page (lines 61 and 120 in your log) to pass data to the frontend. Since these are embedded in the HTML code, the browser strictly blocks them. The result: The Svelte app “crashes” during loading and remains blank or fails to connect.

If I enter the following (suggested by Gemini) in the Advanced settings in NPM, it works:

# Removes the original CSP header from OxiCloud, if present
proxy_hide_header Content-Security-Policy;

# Sets a new one that allows inline scripts for Svelte
# (quotes must be plain ASCII ' and ", not typographic quotes, or nginx rejects the directive)
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' ws: wss:;" always;

Is this behavior intentional, or do I need to use different settings?
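To make the blocking behaviour described above concrete, here is an added Python example (not code from OxiCloud, NPM or this issue's author) that parses a CSP header and applies the browser's rules for inline scripts: 'self' alone blocks them, 'unsafe-inline' permits them, and a matching 'sha256-…' or 'nonce-…' source permits one specific script without 'unsafe-inline' (and makes the browser ignore 'unsafe-inline' if both are present). The two policy strings are copied from the issue; the hash-based alternative and the sample script bodies are assumptions for the demonstration.

```python
import base64
import hashlib

# Policies from the issue: the restrictive original and the relaxed one set in NPM
ORIGINAL_CSP = "default-src 'self'"
RELAXED_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
               "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
               "connect-src 'self' ws: wss:")

HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy):
    """script-src falls back to default-src when it is not set (CSP fallback rule)."""
    return policy.get("script-src", policy.get("default-src", []))


def inline_script_hash(script_body):
    """'sha256-...' source expression for an inline script body (UTF-8 bytes of the
    text between <script> and </script>, exactly as served)."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(header, script_body, nonce=None):
    """True if a browser would run this inline <script> under the given header.
    A matching nonce or hash always allows it; 'unsafe-inline' allows it only when
    no nonce/hash source is listed, because those make the browser ignore it."""
    sources = script_sources(parse_csp(header))
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if inline_script_hash(script_body) in sources:
        return True
    has_nonce_or_hash = any(s.startswith(HASH_PREFIXES) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    body = "window.__data = {};"  # constructed stand-in for a SvelteKit hydration script
    print("original:", inline_script_allowed(ORIGINAL_CSP, body))   # False: blocked
    print("relaxed: ", inline_script_allowed(RELAXED_CSP, body))    # True
    hashed = f"default-src 'self'; script-src 'self' {inline_script_hash(body)}"
    print("hashed:  ", inline_script_allowed(hashed, body))         # True, no 'unsafe-inline'
```

The hashed variant only works if the inline script bodies are stable between releases, which is why a framework that generates them at request time usually needs a per-response nonce instead.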
