Webtorrent with Plone 5?

We're trying to get Webtorrent to work with Plone 5.
We already modified permissions for HTML filtering and the like, so that other javascript, embedded videos, etc. work fine.
But it appears there is some further tweaking necessary to get Webtorrent to be allowed to run.
We are getting the following error from the embedded code:
[Report Only] Refused to load the script 'https://cdn.jsdelivr.net/webtorrent/latest/webtorrent.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'".

Here is most of the code: http://pastebin.com/8gNwy3eH

Any ideas what else we need to tweak to allow it to run?
Thanks!

Ah, never mind, it is probably this issue: "The Content Security Policy (CSP) is a powerful mechanism to prevent Cross Site Scripting (XSS) attacks on web sites which accounts for the majority of all security vulnerabilities.

But CSP is off to a slow start and is not implemented on the vast majority of web sites. Perhaps the difficulty implementing CSP is to blame?" - https://embedthis.com/blog/posts/content-security-policy/

Turns out they were trying to run the script bundle from another server/domain.

Pointed him to: https://www.nathanvangheem.com/news/updating-javascript-for-plone-5
Hopefully that solves it?

I'm pretty sure an error like that is due to your own proxy server's defined security policies. Plone does not, OOTB, define any security policies for loading scripts.

The current policy you seem to have in place is safe but sounds like it's too restrictive for your use-case.

You can try placing that file in your theme/site and loading from there or checking your configuration. If you share your domain, someone here can tell you what header is causing it.

http://cms.merp.com
Thanks!

There's a bunch of them :slight_smile:

  • style-src
  • script-src
  • font-src
  • media-src

Ignore temptation to change default-src ...

Yes, you're setting Content-Security-Policy-Report-Only:default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' on your proxy server.

It's report only so I'm pretty sure that shouldn't affect your code.

I don't see any other error related to javascript or webtorrent.

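The refusal quoted at the top of the thread follows directly from how a browser matches a script URL against the `script-src` directive, and the two fixes suggested (serve the bundle from the site itself so `'self'` covers it, or add the CDN origin to `script-src` on the proxy) can be checked the same way. The following is an added example, not code from the thread or from Plone: a small CSP source-expression matcher that evaluates the header value posted above against the jsDelivr URL. It assumes the site origin is `http://cms.merp.com` as named in the thread, that the corrected policy is simply the original with `https://cdn.jsdelivr.net` appended to `script-src`, and it simplifies real CSP matching by ignoring ports and path components of host sources.

```python
from urllib.parse import urlsplit

# Policy value quoted in the thread (sent by the proxy in a
# Content-Security-Policy-Report-Only header, so it only reports).
THREAD_POLICY = ("default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'; "
                 "script-src 'self' 'unsafe-inline' 'unsafe-eval'")

# Assumed fix: allow the CDN origin in script-src (hypothetical corrected header value).
FIXED_POLICY = THREAD_POLICY + " https://cdn.jsdelivr.net"

CDN_SCRIPT = "https://cdn.jsdelivr.net/webtorrent/latest/webtorrent.min.js"
SITE_ORIGIN = "http://cms.merp.com"  # origin named in the thread
# Constructed URL for the "copy the file into your theme" alternative.
THEME_SCRIPT = "http://cms.merp.com/++theme++mytheme/js/webtorrent.min.js"


def parse_csp(header_value):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored, as in browsers
    return policy


def source_matches(expr, url, page_origin):
    """Does one source expression permit fetching `url` from a page at `page_origin`?

    Simplified: host sources are compared on scheme (if given) and host only;
    ports and paths are ignored.
    """
    u = urlsplit(url)
    expr_l = expr.lower()
    if expr_l == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr_l.startswith("'"):
        # 'none', 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL
        return False
    if expr_l == "*":
        return u.scheme in ("http", "https")
    if expr_l.endswith(":") and "/" not in expr_l:
        return u.scheme == expr_l[:-1]  # scheme-only source such as "https:"
    if "://" in expr_l:
        scheme, host_part = expr_l.split("://", 1)
        if u.scheme != scheme:
            return False
    else:
        host_part = expr_l
    host_only = host_part.split("/")[0].split(":")[0]
    if host_only.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host_only[1:])
    return u.hostname == host_only


def script_allowed(header_value, url, page_origin):
    """True if the policy lets the page load `url` as a script.

    script-src is used when present; otherwise default-src is the fallback.
    """
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)


def header_enforces(header_name):
    """Only Content-Security-Policy blocks; the -Report-Only variant just reports."""
    return header_name.strip().lower() == "content-security-policy"


if __name__ == "__main__":
    for label, policy in (("thread policy", THREAD_POLICY), ("fixed policy", FIXED_POLICY)):
        for url in (CDN_SCRIPT, THEME_SCRIPT):
            print(f"{label}: {url} -> {'allowed' if script_allowed(policy, url, SITE_ORIGIN) else 'refused'}")
    print("Report-Only header enforces:", header_enforces("Content-Security-Policy-Report-Only"))
```

Run against the thread's header value, the CDN URL is refused while a copy served from the site's own origin is allowed by `'self'`, and appending the CDN origin to `script-src` makes the CDN URL pass; `header_enforces` confirms that a `-Report-Only` header only logs the violation, which is why the posted policy could not itself have stopped the script.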

Okay. It was Nginx getting in the way. I've been running on Apache for so long, and only recently been running into actually using Nginx, so didn't know its quirks.
We'll try setting up webtorrent again later this week, and see if it works with the changes.
Thanks!