Content Security Policy of your site blocks some resources #6344
-
Hi All, I have a bit of an issue I could use some help with. I've spun up a vaultwarden container running behind Nginx. All functionality seems to be OK. I have valid certs from Let's Encrypt, but I am still getting a "Not secure" warning in Chrome. Looking into "Privacy and Security" of developer tools shows:
Does anyone have any ideas what might be causing it? How to fix it? I looked for gstatic, and all CSP topics seem to point to a general flagging of the website by Google.
Replies: 4 comments
-
Which functionality is 'OK' with a "not secure" warning in Chrome? In any case, this is usually caused by an overly aggressive reverse proxy configuration, which modifies/adds/removes the CSP headers. As demonstrated in the Vaultwarden wiki, the NGINX configuration must not modify these headers at all, since Vaultwarden will handle them itself. Can you post the relevant portions of your NGINX configuration?
-
What I meant with "Which functionality is 'OK'" is that it works, has a valid cert, syncs with my mobile and the Diagnostics admin page is green, top to bottom. Here's my Nginx.config. I run it in a docker:
-
I'm not really understanding what the issue is here. Are there items which are not working? Since those resources shouldn't be part of the web-vault. There are a few fonts, but those are local in the web-vault. No CDN is used at all. It might be an extension? Or something else in-between?
-
It turns out it was Google flagging my site. I didn't get the usual red "unsafe website" warning, only the flag in the address bar, so initially I was thinking it was an issue with the certs and that connection was dropping to http. When I investigated I found the warning from my 1st post. Was very misleading. I only clicked it was Google, when my son tried logging and got the "Dangerous site" warning. I've submitted for a review and it's all good now. Thanks!