Webtorrent with Plone 5?

We're trying to get Webtorrent to work with Pone 5.
We already modified permissions for HTML filtering and the like, so that other javascript, embedded videos, etc. work fine.
But it appears there is some further tweaking necessary to get Webtorrent to be allowed to run.
We are getting the following error from the embedded code:
[Report Only] Refused to load the script 'https://cdn.jsdelivr.net/webtorrent/latest/webtorrent.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'".

Here is most of the code: http://pastebin.com/8gNwy3eH

Any ideas what else we need to tweak to allow it to run?

Ah nevermind, it is probably this issue: "The Content Security Policy (CSP) is a powerful mechanism to prevent Cross Site Scripting (XSS) attacks on web sites which accounts for the majority of all security vulnerabilities.

But CSP is off to a slow start and is not implemented on the vast majority of web sites. Perhaps the difficulty implementing CSP is to blame?" - https://embedthis.com/blog/posts/content-security-policy/

Turns out they were trying to run the script bundle from another server/domain.

Pointed him to: https://www.nathanvangheem.com/news/updating-javascript-for-plone-5
Hopefully that solves it?

I'm pretty sure an error like that is due to your own proxy server's defined security policies. Plone does not OOTB, define any security policies for loading scripts.

The current policy you seem to have in place is safe but sounds like it's too restrictive for your use-case.

You can try placing that file in your theme/site and loading from there or checking your configuration. If you share your domain, someone here can tell you what header is causing it.


There's a bunch of them :slight_smile:

  • style-src
  • script-src
  • font-src
  • media-src

Ignore temptation to change default-src ...

Yes, you're setting Content-Security-Policy-Report-Only:default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' on your proxy server.

It's report only so I'm pretty sure that shouldn't affect your code.

I don't see any other error related to javascript or webtorrent.

1 Like

Okay. It was Nginx getting in the way. I've been running on Apache for so long, and only recently been running into actually using Nginx, so didn't know its quirks.
We'll try setting up webtorrent again later this week, and see if it works with the changes.