Wrong Content Security Policy in Postal responces

[klebed]

After setting up recent version of postal, I have problems with some actions. Some of them seems like related to CSP setup. Your application scripts is using evals and some inline stuff, but only 'self' are permitted by CSP header in postal.

Therefore I had to use nginx proxy_hide_header to override it and get rid of the errors and network request blockage by browser. It's valid workaround, but I believe it should be defined by developer to make things safe and yet convenient.

Please review it for better compatibility with modern browsers.

Something like that:

Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; child-src 'self'; object-src 'none';"

[adamcooke]

I've never had an issue with the CSP settings on Postal. It works fine for me. Please provide additional information about what is actually happening and on which pages. Nothing in Postal should be inline so if it is that should be fixed.

Removing the CSP header is unrecommended and may introduce scope for cross site scripting issues.

[klebed]

I'm not removing header. I'm overriding it with different set of policies.

I've started to search for potencial problem when I was unable to build new server for second organisation. Actually it's almost no way to setup second organisation... Only once it worked, when I added second admin user and he was able to manage his own organisation, but first admin user was not able to do so.
When I try to build mail server to second organisation it hangs, and in console I see following: "Unsupported return."

With default CSP header I'm getting this errors in browser console (But now I think it is related to plugins in browser, like ghostery...):

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://postal.somesite.tld”). Source: (function(){"use strict";function getWra.... postal.somesite.tld:1
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://postal.somesite.tld”). Source: !function(){let win=window;function null.... postal.somesite.tld:1
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://postal.somesite.tld”). Source: !function(){let win=window;!function()
.... postal.somesite.tld:1
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://postal.somesite.tld”). Source: call to eval() or related function blocked by CSP. (unknown)
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://postal.somesite.tld”). Source: onfocusin attribute on DIV element. postal.somesite.tld

[adamcooke]

Browser plugins could cause issues like this with the CSP. I have no intention to allow inline javascript to be executed as this poses a risk when rendering HTML emails received from users.

Please try the same actions again with the original CSP and without browser extensions so we can check to see if that was causing your issues.

[klebed]

Got it already solved. Initial topic about CSP is not relevant. The cause - is the ublock origin, because it triggered part of org name and blocked requests with it in url.
Solutions are:

1. [User-side] Turn off all adblockers on particular domain. Warn users about probable issues with adblockers.
2. [Developer side] Slightly change API, and send organisation names (and other custom names, defined by users) in post body.

[willpower232]

I stumbled upon this today

A quick dig suggests it might be related to jQuery which looks like it does some detection using focusin so unless Postals UI is updated to avoid it, I don't think theres an easy fix.