TomDoesTech/GOTTH

CSP error in firefox when loading style.css

Saljooq opened this issue · 3 comments

I am not sure why, but I keep getting a CSP error when I see the network requests in Firefox. It just bugged me. No issues on Chrome - also, even in Firefox you can see all the graphics loading correctly - so it might be a false red flag, i.e. some bug in Firefox.

Hey @Saljooq, I see this also. It looks worse for me, like a dozen or more. I double-checked that the hash was good and that the nonces matched, and they do.

I wanted to work on something else, which caused me to put GOTTH behind an Apache proxy so that I could also access some PHP stuff on the same domain when my app is in action. This solved the problem on all browsers. Basically, in a production state, behind a proxy, it works.

The choice for development to remove that problem altogether is to not include the hash in the Content-Security-Policy. It's the last %s and last item (htmxCSSHash) in the cspHeader := fmt.Sprintf() that does that bit in /internals/middlewear/middlewear.go

TL;DR
Remove the hash while in dev, or put it behind a proxy.

For completeness, here's the way I got it to work so it would exclude /static/ from being served by Go, and have it served by the web server instead. This is what I mean with Apache.

Here is the full virtual host as a gist

Here is the important part; this just needs to sit directly inside the VirtualHost:

# Things not to proxy must be first; these are served by the web server.
# GOTTH will get the rest: whatever path is not excluded is routed to Go.
#
# I have a sub-directory install of WordPress; it is needed with and without the slash.
# I also serve CSS, JS and images via the web server.
ProxyPass /wp !
ProxyPass /wp/ !
ProxyPass /static/ !

ProxyPass / http://localhost:8080/
ProxyPassMatch ^/ http://localhost:8080/(.*)
ProxyPassReverse / http://localhost:8080/

I also make a symbolic link from the static directory in the Go code location to the static directory in the webroot. This will work when run from the webroot:

ln -s /path/to/go/app/GOTTH/static static

Thanks for the response. That makes sense - I also removed the hash and it should work for me. I appreciate the alternative solution for production; I might use it some day. Feel free to close this issue.
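
An added example, not part of the thread or of the GOTTH code: a Go sketch of the workaround discussed above (leave the style hash out of the header in development) together with the check that a hash in the header really matches the stylesheet bytes. The function names, the nonce value, the sample CSS and the directive layout are assumptions; the project's actual cspHeader format string is not shown on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// cspHash returns the CSP source expression ('sha256-<base64>') for content.
func cspHash(content []byte) string {
	sum := sha256.Sum256(content)
	return "'sha256-" + base64.StdEncoding.EncodeToString(sum[:]) + "'"
}

// buildCSP assembles a header value (hypothetical layout). In dev mode the
// style hash is omitted, which is the workaround described in the thread.
func buildCSP(nonce, styleHash string, dev bool) string {
	style := []string{"style-src", "'self'", "'nonce-" + nonce + "'"}
	if !dev && styleHash != "" {
		style = append(style, styleHash)
	}
	return fmt.Sprintf("default-src 'self'; script-src 'nonce-%s'; %s",
		nonce, strings.Join(style, " "))
}

// hasSource reports whether the named directive of a CSP header lists src.
func hasSource(header, directive, src string) bool {
	for _, d := range strings.Split(header, ";") {
		f := strings.Fields(d)
		if len(f) == 0 || !strings.EqualFold(f[0], directive) {
			continue
		}
		for _, s := range f[1:] {
			if s == src {
				return true
			}
		}
	}
	return false
}

func main() {
	css := []byte("body{margin:0}") // constructed sample, not the project's CSS
	h := cspHash(css)
	for _, dev := range []bool{false, true} {
		hdr := buildCSP("abc123", h, dev) // constructed nonce
		fmt.Printf("dev=%v hash listed=%v\n  %s\n", dev, hasSource(hdr, "style-src", h), hdr)
	}
}
```

Running cspHash over the exact bytes the server sends and comparing the result with the value in the response header is a quick way to rule out a stale or mismatched hash before looking elsewhere.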