hagman
24 May 2016

Steps to reproduce the issue

  1. Prepare a web server to issue Content-Security-Headers that do not allow "unsafe-eval", e.g., with Apache, add header set Content-Security-Policy "default-src 'self' 'unsafe-inline'" to the VirtualHost configuration
  2. Download and unpack Joomla to the web server
  3. Visit your Joomla web server and follow the first-run installation tasks

Expected result

Installation starts once all conditions of the "Pre-Installation Checks" are met.
If there still is a problem, a helpful message should be displayed.

Actual result

A popup "Process in progress. Please wait ..." comes up. Nothing else happens.

System information (as much as possible)

Should not matter; tested with Ubuntu 12.04, Apache, Joomla 3.5.1

Additional comments

An additional Pre-Installation Check for good-enough Content-Security-Policy should be added.
It might simply be an additional line in the Pre-Installation Check table that shows a red "NO", which is changed into a green "YES" by some JavaScript that relies on unsafe-inline and unsafe-eval to be present.
See also http://joomla.stackexchange.com/questions/16635/joomla-install-does-not-start

hagman - open - 24 May 2016
andrepereiradasilva - comment - 24 May 2016

As far as I know, Joomla as a whole doesn't work without 'self' 'unsafe-eval' 'unsafe-inline' in the JS CSP rules (script-src). You also need 'self' 'unsafe-inline' for the CSS rules (style-src).

So if you are just using the default CSP fallback (default-src), the 'self' 'unsafe-eval' 'unsafe-inline' is always needed for Joomla to work.

But I agree a JS check could exist in the installation and admin sys info.

Note: I don't know exactly why unsafe-eval is needed, but unsafe-inline is needed for all the inline scripts/styles Joomla uses.
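
The fallback behaviour described in the comment above, as an added example that is not part of the thread or of Joomla's code: it parses a Content-Security-Policy header value and reports which of the keywords named in the thread are missing from the effective script-src and style-src. The function names are hypothetical, and only keyword sources are checked (host sources and wildcards are not evaluated).

```javascript
// Added example, not Joomla code. Function and constant names are hypothetical.
// Keyword sources the thread says Joomla needs, per directive.
const REQUIRED = {
  'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
  'style-src': ["'self'", "'unsafe-inline'"],
};

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src and style-src fall back to default-src when they are absent.
// null means neither is present, so the policy does not restrict that type.
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

// Return { directive: [missing keywords] } for the given header value.
function missingForJoomla(headerValue) {
  const directives = parseCsp(headerValue);
  const missing = {};
  for (const [name, required] of Object.entries(REQUIRED)) {
    const sources = effectiveSources(directives, name);
    if (sources === null) continue;
    const have = new Set(sources.map((s) => s.toLowerCase()));
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
    const inlineOff = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
    const lacking = required.filter(
      (k) => !have.has(k) || (k === "'unsafe-inline'" && inlineOff)
    );
    if (lacking.length > 0) missing[name] = lacking;
  }
  return missing;
}

// The policy from the reproduction steps: only 'unsafe-eval' is missing.
const REPORTED_POLICY = "default-src 'self' 'unsafe-inline'";
console.log(missingForJoomla(REPORTED_POLICY));
```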

brianteeman - change - 24 May 2016
Category: Installation

brianteeman - comment - 3 Aug 2016

Sorry, but this is not something that can be changed.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10617.

brianteeman - change - 3 Aug 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-08-03 10:32:55
Closed_By: brianteeman
brianteeman - close - 3 Aug 2016