dashing-peacock upgrade: dark is all dark #202

Closed
gerwitz opened this issue Apr 17, 2023 · 15 comments

gerwitz commented Apr 17, 2023

Doing a normal upgrade on my Akkoma instance to dashing-peacock (from wrestling-red-panda) resulted in dark mode rendering dark text on a dark background on most content, except the posts feed of an individual profile.

Author

gerwitz commented Apr 17, 2023

This is only partially visible when not logged-in: https://social.gerwitz.com/

Collaborator

Cl0v1s commented Apr 17, 2023

Hi!

What is your new version of Akkoma?
Their new, stricter Content-policy prevents third-party frontends from retrieving instance configuration. Do you see something related to CSP in your browser logs?

EDIT: yup, it's that
image

Collaborator

Cl0v1s commented Apr 17, 2023

The solution is to override the Content-policy header in your nginx/apache configuration, to allow style-src :)

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

@crisukbot
Contributor

or, if you're lazy or don't want to bother with it, you can roll back the security policy update and everything will work.

https://akkoma.dev/AkkomaGang/akkoma/commit/336d06b2a8ca75362578b1d67ea1f32a45c8edd3

Collaborator

Cl0v1s commented Apr 18, 2023

If you choose the solution to edit your reverse proxy Content-Policy header, I'm interested in your solution, so I can add it to the Readme on here :)

Contributor

crisukbot commented Apr 18, 2023

> If you choose the solution to edit your reverse proxy Content-Policy header, I'm interested in your solution, so I can add it to the Readme on here :)

I still haven't found the time to set up the content-policy, so I'm still using the solution I wrote before this.)

AdrianPaulCarrieres commented Apr 23, 2023

I've never done this kind of stuff with nginx but so far my solution is to 1) hide the Content-Security-Policy header, 2) set it again with the copy pasted original header with a change in the style-src part:

    # add style-src for mangane
    proxy_hide_header Content-Security-Policy;
    add_header Content-Security-Policy "upgrade-insecure-requests;style-src 'self' 'unsafe-inline';font-src 'self';script-src 'self' 'nonce-LbVARBmXD6txCer';connect-src 'self' https://example.com wss://example.com;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';";

The change by itself is

    style-src 'self' 'nonce-xxxxxxxx';

becomes

    style-src 'self' 'unsafe-inline';
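
Added example, not part of the thread or of Mangane's or Akkoma's code: a Python check that compares the backend's original CSP with the proxy override directive by directive, so you can confirm that only the intended `style-src` change differs. The header strings are constructed samples modelled on the comment above, and the function names are hypothetical.

```python
def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Directive names are case-insensitive; a repeated directive is
        # ignored by browsers, so the first occurrence wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def diff_csp(upstream: str, override: str) -> dict[str, tuple]:
    """Return {directive: (upstream_sources, override_sources)} where they differ."""
    before, after = parse_csp(upstream), parse_csp(override)
    changes = {}
    for name in sorted(before.keys() | after.keys()):
        old, new = before.get(name), after.get(name)
        if (old is None) != (new is None) or set(old or []) != set(new or []):
            changes[name] = (old, new)
    return changes


def weakened(changes: dict[str, tuple]) -> list[str]:
    """Directives where the override adds an 'unsafe-*' keyword or drops a nonce."""
    flagged = []
    for name, (old, new) in changes.items():
        old, new = set(old or []), set(new or [])
        unsafe = {s for s in new - old
                  if s.lower() in ("'unsafe-inline'", "'unsafe-eval'")}
        had_nonce = any(s.startswith("'nonce-") for s in old)
        has_nonce = any(s.startswith("'nonce-") for s in new)
        if unsafe or (had_nonce and not has_nonce):
            flagged.append(name)
    return flagged


# Constructed samples. The script-src nonce differs on purpose, to show that a
# nonce pasted into the proxy config is reported once it no longer matches upstream.
UPSTREAM = ("upgrade-insecure-requests;style-src 'self' 'nonce-AAAA';font-src 'self';"
            "script-src 'self' 'nonce-AAAA';default-src 'none';base-uri 'none';")
OVERRIDE = ("upgrade-insecure-requests;style-src 'self' 'unsafe-inline';font-src 'self';"
            "script-src 'self' 'nonce-BBBB';default-src 'none';base-uri 'none';")

if __name__ == "__main__":
    changes = diff_csp(UPSTREAM, OVERRIDE)
    for name, (old, new) in changes.items():
        print(f"{name}: {old} -> {new}")
    print("weakened:", weakened(changes))
```

Feed it the header the backend sends and the header clients actually receive through the proxy; any directive other than `style-src` in the output means the pasted copy has drifted from the original policy.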

Contributor

muppeth commented Apr 28, 2023

Shouldn't akkoma permit mangane to work out of the box? Perhaps good to check with the main devs there @Cl0v1s
It would make things much easier. I will try to update csp for now, as for people running the OTP version rolling back isn't possible.

Collaborator

Cl0v1s commented May 6, 2023

Since they unilaterally changed this security setting, and do not seem to have any interest in supporting a frontend besides their own, I think we could just instead clearly explain how to override CSP in Mangane's documentation.

I'll try to propose something based on @AdrianPaulCarrieres's answer :)

Contributor

muppeth commented May 6, 2023 via email

Collaborator

Cl0v1s commented May 7, 2023

I read that in some comments on an open issue in the Akkoma repo, but you're right, maybe their position changed since then!

Collaborator

Cl0v1s commented May 7, 2023

Readme updated

Cl0v1s closed this as completed May 13, 2023

mmai commented Jul 22, 2023

Hi @Cl0v1s there is a typo on the Readme : you wrote proxy_hide_header Content-Security-Policy: with a ':' instead of proxy_hide_header Content-Security-Policy; with a ';'

Collaborator

Cl0v1s commented Jul 26, 2023

Thanks, I fixed that!

sadorowo commented Mar 30, 2024

> I've never done this kind of stuff with nginx but so far my solution is to 1) hide the Content-Security-Policy header, 2) set it again with the copy pasted original header with a change in the style-src part:
>
>     # add style-src for mangane
>     proxy_hide_header Content-Security-Policy;
>     add_header Content-Security-Policy "upgrade-insecure-requests;style-src 'self' 'unsafe-inline';font-src 'self';script-src 'self' 'nonce-LbVARBmXD6txCer';connect-src 'self' https://example.com wss://example.com;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';";
>
> The change by itself is style-src 'self' 'nonce-xxxxxxxx'; becomes style-src 'self' 'unsafe-inline';

I used your method, the only difference is that I'm using Caddy instead of Nginx.
Unfortunately, the header isn't returned with the response, and the issue persists.

My Caddyfile rule:

social.sador.me {
    log {
        output file /var/log/caddy/akkoma.log 
    }

    encode gzip
    reverse_proxy akkoma:4000

    header {
        Content-Security-Policy "upgrade-insecure-requests; script-src 'self'; connect-src 'self' blob: https://social.sador.me wss://social.sador.me; media-src 'self' https:; img-src 'self' data: blob: https:; default-src 'none'; base-uri 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; font-src
'self'; manifest-src 'self';"
    }
}
