Hey all,
While going to install SuiteCRM in my environment, I was looking at an older thread about securing the website, "Howto secure SuiteCRM installation", and how that breaks the login page.
Well, it seems to keep doing it:
This is because I followed the SugarCRM install docs: https://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_11.0/Security/Web_Server_Configuration/#CSP_header
So, in the .htaccess file (within the docker image) I added the following line:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
That resulted in the break above. However, there is a way to salvage it. Per the error, you can add a param to both the default-src and script-src sections: unsafe-inline.
Per Stack Overflow:
The unsafe-inline option is to be used when moving or rewriting inline code in your current site is not an immediate option but you still want to use CSP to control other aspects (such as object-src, preventing injection of third-party js etc.). You are correct in that unsafe-inline does not offer much security as it allows execution of unsafe in-page scripts and event handlers.
https://stackoverflow.com/questions/40144915/what-does-csp-protect-us-if-allowing-unsafe-inline
So I am now able to modify the line like so in the docker image to look like this:
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
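An added check, not code from the original post or from SuiteCRM/SugarCRM: it parses a Content-Security-Policy header value and reports whether the policy still lets inline scripts run, using the two header values quoted above as input. It also goes one step beyond the post by applying the CSP fallback rules (script-src falls back to default-src; a nonce or hash source makes 'unsafe-inline' ignored in modern browsers).

```python
"""Parse a CSP header value and flag whether inline scripts are allowed."""
from typing import Dict, List, Optional


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs scripts; default-src is the fallback; None if neither is set."""
    for name in ("script-src", "default-src"):
        if name in policy:
            return policy[name]
    return None


def allows_inline_scripts(header_value: str) -> bool:
    """True when inline <script> blocks and on* event handlers can execute."""
    sources = script_sources(parse_csp(header_value))
    if sources is None:
        return True  # no governing directive: CSP does not restrict scripts at all
    lowered = [s.lower() for s in sources]
    # Per CSP Level 2+, 'unsafe-inline' is ignored once a nonce or hash source is present.
    has_nonce_or_hash = any(
        s.startswith("'nonce-") or s.startswith("'sha") for s in lowered
    )
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


# The two header values from the post (quoted exactly).
STRICT_CSP = "default-src 'self'; script-src 'self'"
RELAXED_CSP = "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for label, value in (("strict", STRICT_CSP), ("relaxed", RELAXED_CSP)):
        print(f"{label}: inline scripts allowed = {allows_inline_scripts(value)}")
```

The relaxed header makes the login page work but reports True here, which is exactly the trade-off the Stack Overflow quote describes.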
I hope this helps someone else avoid the 3-5hrs of googling this took to fully figure out.