Refused to load Dropbox script: dropbox.com/static/api/1/dropins.js
rdswd opened this issue · 4 comments
Detailed description of the problem
Lychee 3.2.16. After adding the Dropbox key and clicking "Import from Dropbox", there is the following error in the console and nothing is synced from the DB app folder: "main.js:3348 Refused to load the script 'https://www.dropbox.com/static/api/1/dropins.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."
Steps to reproduce the issue
Installed Lychee. Created DB app. Added images to app. Added app key to Lychee. Clicked "Import from Dropbox".
Output of the diagnostics (Settings => Diagnostics)
Diagnostics
Warning: You may experience problems when uploading a large amount of photos. Take a look in the FAQ for details.
No critical problems found. Lychee should work without problems!
System Information
Lychee Version (json): 3.2.13
Lychee Version (git): 4140c02 (master)
DB Version: update_030216
System: Linux
PHP Version: 7.3
MySQL Version: 50727
Imagick: 1
Imagick Active: 1
Imagick Version: 1687
GD Version: bundled (2.1.0 compatible)
Plugins:
Config Information
checkForUpdates: 1
default_license: none
deleteImported: 1
full_photo: 1
hide_version_number: 1
image_overlay: 0
image_overlay_type: exif
imagick: 1
lang: en
layout: 0
medium_max_height: 1080
medium_max_width: 1920
php_script_limit: 0
public_search: 0
skipDuplicates: 0
small_max_height: 360
small_max_width: 0
sortingAlbums: ORDER BY id DESC
sortingPhotos: ORDER BY id DESC
useExiftool: 0
version: update_030216
Browser and system
Chrome (Version 76.0.3809.132) on macOS 10.14.6
Fixed. In case others have a similar issue: it had failed when I changed the Content Security Policy in the index.html. However, changing the .htaccess file in the Lychee root to:
Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.dropbox.com; connect-src 'self' https://lycheeorg.github.io; form-action 'none'; base-uri 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content;"
solved the issue.
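Why loosening only the policy in index.html can leave the script blocked, as an added example (not Lychee's code and not part of the original comments): a browser enforces every policy delivered with a page, header and `<meta>` alike, so the load must pass each one. The origin `photos.example` and the shortened policies are constructed, the example assumes the server kept sending the original header while the meta policy was loosened, and source matching is simplified as noted in the comments.

```javascript
// Simplified CSP check for external <script> loads (added example).
// Models only 'self', '*' and scheme://host sources; no paths, nonces or hashes.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fallback chain named in the browser's error message.
function effectiveScriptSources(policy) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null; // nothing in this policy governs scripts
}

function policyAllows(policyText, scriptUrl, pageOrigin) {
  const eff = effectiveScriptSources(parsePolicy(policyText));
  if (eff === null) return true;
  const origin = new URL(scriptUrl).origin;
  return eff.sources.some((src) => {
    if (src === "'self'") return origin === pageOrigin;
    if (src === '*') return true;
    if (src.startsWith("'")) return false; // 'none' and unmodelled keywords
    try { return new URL(src).origin === origin; } catch { return false; }
  });
}

// A load must pass EVERY policy in force (HTTP header and <meta> tag).
function scriptAllowed(policies, scriptUrl, pageOrigin) {
  return policies.every((p) => policyAllows(p, scriptUrl, pageOrigin));
}

const PAGE = 'https://photos.example'; // constructed origin
const DROPINS = 'https://www.dropbox.com/static/api/1/dropins.js';
const headerOld = "default-src 'self'; script-src 'self'"; // constructed, shortened
const headerNew = "default-src 'self'; script-src 'self' https://www.dropbox.com";
const metaLoosened = "script-src 'self' https://www.dropbox.com";
console.log(scriptAllowed([headerOld, metaLoosened], DROPINS, PAGE)); // false
console.log(scriptAllowed([headerNew, metaLoosened], DROPINS, PAGE)); // true
```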
Could we add the Content-Security-Policy changes to https://github.com/LycheeOrg/Lychee#dropbox-import for future reference? Specifically, to add https://www.dropbox.com to the script-src declaration in the .htaccess file in the Lychee root directory.
If you edit https://github.com/LycheeOrg/Lychee/blob/master/.htaccess#L30 and you make a PR we will happily merge it. :)
> If you edit https://github.com/LycheeOrg/Lychee/blob/master/.htaccess#L30 and you make a PR we will happily merge it. :)
Or https://github.com/LycheeOrg/Lychee/blob/master/README.md
Was trying a new GitHub app; totally accidentally closed issue. Sry!