Webserver Content-Security-Policy breaks scripts

Hey all,

When going to install SuiteCRM in my environment, I was looking at an older thread about securing the website, "Howto secure SuiteCRM installation", and how that breaks the login page.

Well, it seems to keep doing it:

This is because I followed the SugarCRM install docs: https://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_11.0/Security/Web_Server_Configuration/#CSP_header

So, in the .htaccess file (within the docker image) I added the following line:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"

That resulted in the break above. However, there is a way to salvage it. Per the error, you can add a param to both the default-src and script-src sections: unsafe-inline.

Per stack overflow:

The unsafe-inline option is to be used when moving or rewriting inline code in your current site is not an immediate option but you still want to use CSP to control other aspects (such as object-src, preventing injection of third-party js etc.). You are correct in that unsafe-inline does not offer much security as it allows execution of unsafe in-page scripts and event handlers.

stackoverflow.com/questions/40144915/what-does-csp-protect-us-if-allowing-unsafe-inline

So I am now able to modify the line like so in the docker image to look like this:

Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"

I hope this helps someone else avoid the 3-5 hours of googling this took to fully figure out.

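To see what the relaxed header in the post actually gives up, here is a small CSP checker (an added example, not code from the post or from SuiteCRM) that parses a Content-Security-Policy value, applies the script-src to default-src fallback, and reports whether inline scripts are still allowed. It also handles the CSP Level 2+ rule that a nonce- or hash-source in the same directive makes 'unsafe-inline' ignored by browsers that understand nonces and hashes; the two header strings are the ones from the post, embedded as constructed samples.

```python
"""Parse a Content-Security-Policy header and report whether it still permits
inline scripts.  Added example; not from the original post or SuiteCRM."""
import re

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.
    Directives are ';'-separated; the first token of each is its name.
    Per the spec, a repeated directive name is ignored (first one wins)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy

def effective_script_src(policy: dict) -> list:
    """script-src governs scripts; when absent, default-src is used instead."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])

def allows_inline_scripts(header: str) -> bool:
    """True when the policy lets inline <script> blocks and event handlers run."""
    sources = effective_script_src(parse_csp(header))
    if "'unsafe-inline'" not in sources:
        return False
    # CSP2+: a nonce- or hash-source in the same directive causes browsers
    # that support them to ignore 'unsafe-inline'.
    for src in sources:
        if re.match(r"^'(nonce-|sha(256|384|512)-)", src):
            return False
    return True

# Constructed samples: the strict header that broke the login page,
# and the relaxed one the post settled on.
STRICT = "default-src 'self'; script-src 'self'"
RELAXED = "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for label, hdr in (("strict", STRICT), ("relaxed", RELAXED)):
        print(f"{label}: inline scripts allowed = {allows_inline_scripts(hdr)}")
```

Run it against the header your web server actually sends (for example, pulled from `curl -I`) to confirm which policy is live after a deployment.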

Awesome stuff @andrewcz! BTW welcome to the community :+1: