Nginx Content Security Police conflict

  • Resolved Tony Franco

    (@tony-franco)


    2 years, 10 months ago

    Dear kubiq,

    I hope you are fine!

    About Nginx, just to inform about future problems that can happen…

    Today i have saw that my images were not been served as “.webp”, after looking at nginx conf block several times, restarting nginx service and not getting ok, i made a research and find at stackoverflow that Content Security Policy could cause conflict, and that was it the problem. Now it′s working!!

    Below the code that was causing conflict:

    #prevent image hotlinking

    location ~ .(jpe?g|png|gif|ico|webp)$ {
   valid_referers none blocked mywebsite.com cdn.mywebsite.com *.mywebsite.com *.google.com *.google.com.br *.googleusercontent.com *.bing.com;
   valid_referers *.yahoo.com *.facebook.com *.twitter.com *.pinterest.com *.tumblr.com;
   valid_referers *.linkedin.com *.youtube.com *.reddit.com *.wordpress.com;
   valid_referers *.soundcloud.com *.instagram.com *.fbcdn.net fbcdn.net *.twimg.com twimg.com facebook.com twitter.com;
   if ($invalid_referer) {
      return 403;
   }
}

    If you or someone have a solution to still use the code above, i appreciate a lot!

    Thanks and Regards,

    Tony

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author kubiq

    (@kubiq)

    Hello,

    thank you very much for sharing the information ??

    I don’t think that this is default config – probably this code is generated by some security plugin, or some security module on our server
    But still… I can not see any reason why this code should block webp… well, I will test it later and let you know ??

    Have a nice day
    Jakub

    Plugin Author kubiq

    (@kubiq)

    Hello
    your code doesn’t work on my server,
    no matter if I completely deactivate Images to WebP plugin,
    of course I changed mywebsite.com to my domain,
    but it’s simply completely blocking all images

    Maybe the problem is multiple valid_referers – try to use it this way – it works for me without any problems:

    location ~ .(jpe?g|png|gif|ico|webp)$ {
    valid_referers none blocked mywebsite.com *.mywebsite.com *.google.com *.google.com.br *.googleusercontent.com *.bing.com *.yahoo.com *.facebook.com *.twitter.com *.pinterest.com *.tumblr.com *.linkedin.com *.youtube.com *.reddit.com *.wordpress.com *.soundcloud.com *.instagram.com *.fbcdn.net fbcdn.net *.twimg.com twimg.com facebook.com twitter.com;
    if ($invalid_referer) {
        return 403;
    }
}
Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Nginx Content Security Police conflict’ is closed to new replies.