Textpattern CMS support forum
Re: Migration issues
colak wrote #327338:
I saw that, but I have no idea what it actually means!
Broadly speaking, your web server is configured to allow access to content based on origin, type and presentation. The thing that controls it is Content Security Policy, aka CSP.
For JavaScript, it’s the script-src policy that’s controlling what your site can do, and it’s falling down on some inline JavaScript. At the moment, you have:
script-src 'self' www.google.com ajax.googleapis.com *.google-analytics.com https://www.google.com https://ajax.googleapis.com https://*.google-analytics.com https://*.twitter.com;
…which says JavaScript can be called as files from neme.org, then all the URLs after the fact. JavaScript that’s inline is not permitted with this policy as it stands, though there are solutions:
- spin out the inline JS to a file, or…
- add 'unsafe-inline' to the policy declaration
…then it should work.
Re: Migration issues
Hi guys,
1. I am having the same issue with the js not loading with some sub-domains. One of them is on respublika.neme.org/seminars/, which I recently updated to the latest txp release. The particular page should have a slide-show on the top. Currently only one slide is loading.
2. Another issue I am having is that I have a font which I am loading for the site_name (Respublika!) but it now only loads on ff.
diagnostics (knowing that I still have to update some plugins and the code-base as the site was designed and maintained before the introduction of short-tags)
Textpattern version: 4.8.4 (b1d8d97c3c8ac6238394682e3c76a8d6)
Last update: 2020-12-09 06:36:12/2020-12-09 06:31:23
Textpattern path: __TXP-ROOT/textpattern
Article URL pattern: section_title
Production status: live
Temporary directory path: /path/to/tmp
PHP version: 7.2.33
GD Graphics Library: bundled (2.1.0 compatible); Supported formats: GIF, JPEG, PNG, WebP.
Server timezone: America/Los_Angeles
Server local time: 2020-12-08 23:15:10
Daylight Saving Time enabled?: 0
Automatically adjust Daylight Saving Time setting?: 0
Time zone (GMT offset in seconds): Asia/Nicosia (+0)
MySQL: 5.7.28-log (Source distribution)
Database server time: 2020-12-08 23:15:10
Database server time offset: 1 s
Database server timezone: SYSTEM
Database session timezone: SYSTEM
Locale: en_GB.UTF-8
Site / Admin language: en-gb / en-gb
Web server: Apache
PHP server API: cgi-fcgi
RFC 2616 headers: 0
Server OS: Linux 3.14.52-vs2.3.6.15-1
Admin-side theme: hive 4.8.4
Active plugins:
act_if_mobile-0.1.2
com_connect-4.6.0-beta
mdn_count-1.4
oui_cookie-1.0.0-beta2
pap_comconnect-0.1.2
pat_speeder-0.7.4
rss_admin_db_manager-4.5.1
rvm_css-1.2
smd_if-1.0.0 (modified)
smd_macro-0.41
smd_user_manager-0.21
smd_where_used-0.2
smd_wrap-0.20
spf_js-0.51
.htaccess file contents:
------------------------
<IfModule mod_headers.c>
Header set Connection keep-alive
Header unset P3P
Header append X-XSS-Protection "1; mode=block"
Header append X-Frame-Options "DENY"
Header append X-Content-Type-Options "nosniff"
Header set Cache-Control "no-transform"
Header append Content-Security-Policy "default-src 'self'; img-src 'self' data: * https://*; style-src 'self' 'unsafe-inline' ajax.googleapis.com platform.twitter.com https://ajax.googleapis.com https://fonts.googleapis.com https://platform.twitter.com; script-src 'self' 'unsafe-inline' www.google.com ajax.googleapis.com *.google-analytics.com https://www.google.com https://ajax.googleapis.com https://*.google-analytics.com https://*.twitter.com; frame-src *.youtube-nocookie.com https://*.youtube-nocookie.com *.twitter.com https://*.twitter.com twitter.com https://twitter.com http://*.vimeo.com https://*.vimeo.com"
</ifModule>
# BEGIN Textpattern
#DirectoryIndex index.php index.html
<IfModule mod_rewrite.c>
RewriteEngine On
# Enable the `FollowSymLinks` option below if it isn't already.
#Options +FollowSymlinks
#RewriteBase /relative/web/path/
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*) index.php
RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
</IfModule>
# For additional Apache-compatible web server configuration settings to enhance
# site performance and security, we recommend:
# https://github.com/h5bp/server-configs-apache/blob/master/dist/.htaccess
# END Textpattern
------------------------
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Migration issues
colak wrote #327373:
Hi guys,
1. I am having the same issue with the js not loading with some sub-domains. One of them is on respublika.neme.org/seminars/, which I recently updated to the latest txp release. The particular page should have a slide-show on the top. Currently only one slide is loading.
2. Another issue I am having is that I have a font which I am loading for the site_name (Respublika!) but it now only loads on ff.
It is the same issue as before, the resources – scripts, fonts — are not allowed by your CSP settings (odd that FX seems to allow your font(s) ? Safari does not, a long list in the console)
MDN CSP script-src and font-src in your search engine will point to the relevant docs on MDN with a readable explanation.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: Migration issues
phiw13 wrote #327377:
MDN CSP script-src and font-src in your search engine will point to the relevant docs on MDN with a readable explanation.
Hi Philippe,
Thanks so much for your response. It is indeed the same issue. I have added Pete’s suggestion in this site’s htaccess file to no avail. I checked the documentation re CSP but I can not see what else I can do.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Migration issues
For your fonts problem, you need to add data:* in the font-src part (just after ‘self’ – copy from the script-src). For the script part, not sure what happens, looking closer at the console message, it looks like it is loading the script over http://, not https://. Hold on, I see now in the source of the page (bottom), are you hard-coding the http://? Changing that will help for sure.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
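The fallback and scheme behaviour discussed in this thread, as an added example (not code from any poster or from Textpattern): a simplified CSP source-list matcher run against the default-src and script-src parts of the policy quoted from the .htaccess above. The resource URLs are constructed samples, and the matcher ignores ports, paths, nonces and hashes.

```javascript
// default-src and script-src as posted in the .htaccess (other directives left out).
const POSTED = "default-src 'self'; script-src 'self' 'unsafe-inline' www.google.com " +
  "ajax.googleapis.com *.google-analytics.com https://www.google.com " +
  "https://ajax.googleapis.com https://*.google-analytics.com https://*.twitter.com";

// Split a CSP header value into a Map of directive name -> source list.
function parsePolicy(header) {
  const out = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), sources);
  }
  return out;
}

// Simplified source matching: scheme and host only.
function sourceMatches(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false;            // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  if (!["http:", "https:"].includes(url.protocol)) return false; // "*" and hosts exclude data:
  if (source === "*") return true;
  const [, scheme, host] = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source) || [];
  if (!host) return false;
  // A scheme-less host inherits the page's scheme; only http -> https upgrades are accepted.
  const want = scheme ? scheme.toLowerCase() + ":" : page.protocol;
  const schemeOk = url.protocol === want || (want === "http:" && url.protocol === "https:");
  const hostOk = host === "*" || (host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1)) : url.hostname === host.toLowerCase());
  return schemeOk && hostOk;
}

// resource is a URL string, or the literal "inline" for an inline <script> block.
function isAllowed(header, directive, resource, pageUrl) {
  const policy = parsePolicy(header);
  const sources = policy.get(directive) ?? policy.get("default-src"); // fallback to default-src
  if (!sources) return true;                           // nothing governs this resource type
  if (resource === "inline") return sources.includes("'unsafe-inline'");
  const page = new URL(pageUrl), url = new URL(resource, page);
  return sources.some((s) => sourceMatches(s, url, page));
}

const PAGE = "https://respublika.neme.org/seminars/"; // page named in the thread
// Constructed sample resources, not taken from the site:
const HTTP_SCRIPT = "http://ajax.googleapis.com/sample/lib.js";
const DATA_FONT = "data:font/woff2;base64,AAAA";
console.log(isAllowed(POSTED, "script-src", HTTP_SCRIPT, PAGE),
            isAllowed(POSTED, "font-src", DATA_FONT, PAGE));
```

With no font-src in the header, fonts are judged against default-src 'self', and a hard-coded http:// script fails on an https page even when its host is listed.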