Refused to load the image (ServerAlias w/apache2)

SamuelCUGNIN · April 29, 2022, 6:36am

Hello,

I currently have a virtualhost with a working ServerName, and a ServerAlias that returns an error and a blank page when loading.

I found this error via the browsers DevTools:

Refused to load the image '< URL >' because it violates the following Content Security Policy directive: "img-src 'self'".

login:37 
        
       Refused to load the image 'https://***.********.**/favicon.ico' because it violates the following Content Security Policy directive: "img-src 'self'".

login:38 
        
       Refused to load the image 'https://***.********.**/favicon_32.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:39 
        
       Refused to load the image 'https://***.********.**favicon_57.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:40 
        
       Refused to load the image 'https://***.********.**/favicon_76.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:41 
        
       Refused to load the image 'https://***.********.**/favicon_96.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:42 
        
       Refused to load the image 'https://***.********.**/favicon_128.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:43 
        
       Refused to load the image 'https://***.********.**favicon_192.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:44 
        
       Refused to load the image 'https://***.********.**/favicon_228.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:1 
        
       Refused to load the script 'https://***.********.**/js/app/stylesheet.js?v=3.5.0' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

login:1 
        
       Refused to load the script 'https://***.********.**/js/app/api-vendors.js?v=3.5.0' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

login:1 
        
       Refused to load the script 'https://***.********.**/js/app/api-triage.js?v=3.5.0' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Unfortunately, I couldn’t find anything good regarding this error, can you help me?

best regards,
samuel

garrett · April 30, 2022, 2:45am

You might need to provide more info regarding type of install, version, healthcheck, etc but generally the issue might be that your are serving a domain from a folder path but the app config file has a different domain which images are being linked to. Just a guess.

Matt_McNeil · May 24, 2022, 6:47pm

I am having a similar issue where a number of font requests are being blocked. This is with the latest version of Chrome and the passbolt extension:

Refused to load the font 'data:font/truetype;charset=utf-8;base64,d09GRgABAAAAALY3A...' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

On the server side, we’re using the latest docker image being proxied with haproxy.