While preparing to install SuiteCRM in my environment, I was looking at an older thread about securing the website, Howto secure SuiteCRM installation, and how that breaks the login page.
Well, it seems to keep doing it:
This is because I followed the SugarCRM install docs: https://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_11.0/Security/Web_Server_Configuration/#CSP_header
So, in the .htaccess file (within the docker image) I added the following line:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
That resulted in the break above. However, there is a way to salvage it. Per the error, you can add a param to both the
Per stack overflow:
The 'unsafe-inline' option is to be used when moving or rewriting inline code in your current site is not an immediate option but you still want to use CSP to control other aspects (such as object-src, preventing injection of third-party js etc.). You are correct in that 'unsafe-inline' does not offer much security as it allows execution of unsafe in-page scripts and event handlers.
So I am now able to modify the line in the docker image to look like this:
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
I hope this helps someone else avoid the 3-5 hours of googling this took to fully figure out.
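As an added example (not code from the post or from SuiteCRM/SugarCRM), the small checker below parses the two Content-Security-Policy values above and reports where inline script or style is permitted, including the case where a directive is absent and falls back to default-src. The third policy with a 'nonce-abc123' value is a constructed comparison case, not something from the post.

```python
import re

# Constructed sample policies: the strict one from the SugarCRM docs (breaks the
# login page), the relaxed one from the post, and a nonce-based variant.
STRICT_CSP = "default-src 'self'; script-src 'self'"
RELAXED_CSP = "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
NONCE_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'"

# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = ("script-src", "style-src")


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # per spec, the first occurrence wins
    return policy


def effective_sources(policy, directive):
    """Source list that governs a fetch directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def inline_script_allowed(policy):
    """True when inline <script> blocks and on* event handlers would execute."""
    sources = effective_sources(policy, "script-src")
    if "'unsafe-inline'" not in sources:
        return False
    # CSP level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    has_nonce_or_hash = any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in sources)
    return not has_nonce_or_hash


def audit(header):
    """List the fetch directives under which inline code is permitted."""
    policy = parse_csp(header)
    return [d for d in FETCH_DIRECTIVES
            if "'unsafe-inline'" in effective_sources(policy, d)]
```

Running audit() over the relaxed header shows that 'unsafe-inline' in default-src also loosens style-src, not just script-src.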