-
-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[v4]Content Security Policy issue of plugin-upload in strapi-4.0.0-beta.13 #11637
Comments
@boeto The internal middleware config change is not documented but I found out you can change default CSP settings middleware in config/middlewares.js like this: module.exports = ({ env }) => [
'strapi::errors',
{
name: 'strapi::security',
config: {
contentSecurityPolicy: {
directives: {
'script-src': ["'self'", "'unsafe-inline'", 'cdn.jsdelivr.net'],
'img-src': ["'self'", 'data:', 'cdn.jsdelivr.net', 'strapi.io', `${env('AWS_BUCKET')}.s3.${env('AWS_REGION')}.amazonaws.com`],
},
}
},
},
'strapi::cors',
'strapi::poweredBy',
'strapi::logger',
'strapi::query',
'strapi::body',
'strapi::favicon',
'strapi::public',
]; |
Provider examples will have an example config to show how to properly modify this. Closing as it's not a bug |
This issue has been mentioned on Strapi Community Forum. There might be relevant details there: https://forum.strapi.io/t/strapi-v4-broken-image-even-when-the-images-link-works-cloudinary/14143/4 |
This issue has been mentioned on Strapi Community Forum. There might be relevant details there: |
Doesn't work for me for video assets. It's ok for image type.
any idea ? |
This issue has been mentioned on Strapi Community Forum. There might be relevant details there: https://forum.strapi.io/t/using-supabase-for-the-postgres-database/16762/2 |
Here is the configuration that worked for me, I spent 12 hours without finding a solution. By removing the AWS_REGION, everything worked like a charm.
|
This only applies to us-east1 as all other AWS region S3 buckets NEED the region |
For people wondering how to do the same with cloudinary :
|
And how to get other images inside Admin Panel to work? Right now only images from Clouidnary will be loaded, any other don't. EDIT: for someone, who also look for a solution: ...
"img-src": [
"'self'",
"data:",
"blob:",
"res.cloudinary.com", // cloudinary images
"lh3.googleusercontent.com", // google avatars
"platform-lookaside.fbsbx.com", // facebook avatars
"dl.airtable.com", // strapi marketplace
],
... |
cant get it to work with scaleway. anyone did it??
im getting this error in the console: Refused to load the image 'https://bucket-name.s3.region.scw.cloud/thumbnail_logo_unir_e85e2ed42b.png?width=533&height=112' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://dl.airtable.com". EDIT: FIXED, i had strapi::security duplicated at the end of the file, so it was being overwritten by the default one. |
I'm trying to make a upload on a Strapi project with a provider (default config, I guess). But al get it response is With a Status Code 301 But the request url was https://my-url/upload |
Wow thank you, I spent full day but can't fix, so lucky when I see your answer |
Ah man you saved me hours. 'strapi::security', was already in the middlewares file when I added the 'strapi::security' code above it so it got cancelled out, and I never noticed until I read your update. |
One thing that should be made very clear by people looking here is that CORS errors and Content Security Policy are NOT the same thing. Those are different headers entirely. It is possibly that a Content Security Policy directive may introduce a CORS error by way of something being blocked, however, if you don't have any errors about specific items that were blocked because of specific Content Security Policies directives then that most likely means it's not a CSP(Content Security Policy) issue. |
I'm having exact same issue with Cloudflare R2 provider (https://www.npmjs.com/package/strapi-provider-upload-cloudflare-r2), with this error message: Funny enough, when I remove |
in this guide https://strapi.io/blog/how-to-set-up-amazon-s3-upload-provider-plugin-for-our-strapi-appoficial they keeps the REGION which is what causes the problem. :/ |
In my case I had a sub directory on STORAGE_URL "/uploads" for both middleware.ts and plugins.ts so I just had to remove that on .env and everything was fine |
Based on Strapi docs I put This is my working
In S3 bucket config I had to make my bucket public. I think the Strapi - Amazon AWS - Create the bucket doc is wrong because the bucket must be public, contrary to what the documentation says. Based on S3 User guide I added a
After configuration, you should check the images directly in a browser with the S3 Object URL. If everything went well, you can see the picture uploaded by Strapi. If the configuration failed and an error message is displayed, the Bucket is probably still not public. Important! Screenshots of my S3 Bucket config Another beautiful day has passed to find this bug :) |
Damn, that was my mistake, too, you saved me ! |
Is there any same fix for the plugin "strapi-uploader-provider-do" because i am getting the same error |
This issue has been mentioned on Strapi Community Forum. There might be relevant details there: https://forum.strapi.io/t/content-security-policy-on-shared-hosting-with-two-nodejs-aps/29654/4 |
If anyone has issues with the images of Strapi's Marketplace, add "market-assets.strapi.io" to the img-src and media-src directives, like this: export default [
'strapi::errors',
'strapi::security',
'strapi::cors',
'strapi::poweredBy',
'strapi::logger',
'strapi::query',
'strapi::body',
'strapi::session',
'strapi::favicon',
'strapi::public',
{
name: "strapi::security",
config: {
contentSecurityPolicy: {
useDefaults: true,
directives: {
"connect-src": ["'self'", "https:"],
"img-src": [
"'self'",
"data:",
"blob:",
`https://${process.env.AWS_BUCKET}.s3.amazonaws.com`,
"dl.airtable.com",
"market-assets.strapi.io"
],
"media-src": [
"'self'",
"data:",
"blob:",
`https://${process.env.AWS_BUCKET}.s3.amazonaws.com`,
"dl.airtable.com",
"market-assets.strapi.io"
],
upgradeInsecureRequests: null,
},
},
},
},
]; |
For god's sake thank you, you're awesome! |
I'm stuck here too. Did you solve it ? |
How I can change this behaviour? On my local machine everything is ok with this text reach block. |
I haven't been able to fix it and don't know what to do.
This is my config/middlewares.js
I tried adding a wildcard like '/*' in the S3 URL but it doesn't work the only thing that has shown to work is to directly place the entire URL in the "img-src" array but that's obviously wrong. Please, somebody help me, I've stuck here for days, it's the exact same start on both URLs and the wildcard seems to not be working, I'm so frustrated. I'm running strapi 4.25.2 |
@H3lltronik have you ever fix this issue? |
Thanks ,it works for me. |
Bug report
Describe the bug
[v4]Content Security Policy issue of plugin-upload in strapi-4.0.0-beta.13
Steps to reproduce the behavior
Install and change the upload provider to aws-s3
Upload an image and get the issue
Expected behavior
Should be able to see the picture. The same setting runs correctly in v3.
Screenshots
Code snippets
System
Additional context
null
The text was updated successfully, but these errors were encountered: