Refused to load the image (ServerAlias w/apache2)

Hello,

I currently have a virtualhost with a working ServerName, and a ServerAlias that returns an error and a blank page when loading.

I found this error via the browser's DevTools:

Refused to load the image '< URL >' because it violates the following Content Security Policy directive: "img-src 'self'".

login:37 Refused to load the image 'https://***.********.**/favicon.ico' because it violates the following Content Security Policy directive: "img-src 'self'".

login:38 Refused to load the image 'https://***.********.**/favicon_32.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:39 Refused to load the image 'https://***.********.**favicon_57.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:40 Refused to load the image 'https://***.********.**/favicon_76.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:41 Refused to load the image 'https://***.********.**/favicon_96.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:42 Refused to load the image 'https://***.********.**/favicon_128.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:43 Refused to load the image 'https://***.********.**favicon_192.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:44 Refused to load the image 'https://***.********.**/favicon_228.png' because it violates the following Content Security Policy directive: "img-src 'self'".

login:1 Refused to load the script 'https://***.********.**/js/app/stylesheet.js?v=3.5.0' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

login:1 Refused to load the script 'https://***.********.**/js/app/api-vendors.js?v=3.5.0' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

login:1 Refused to load the script 'https://***.********.**/js/app/api-triage.js?v=3.5.0' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Unfortunately, I couldn’t find anything good regarding this error. Can you help me?

best regards,
samuel

You might need to provide more info regarding type of install, version, healthcheck, etc., but generally the issue might be that you are serving a domain from a folder path but the app config file has a different domain which images are being linked to. Just a guess.

I am having a similar issue where a number of font requests are being blocked. This is with the latest version of Chrome and the passbolt extension:

Refused to load the font 'data:font/truetype;charset=utf-8;base64,d09GRgABAAAAALY3A...' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

On the server side, we’re using the latest docker image being proxied with haproxy.
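
Added example (not from any poster in this thread, and not passbolt's code): a simplified model of how a browser evaluates the 'self' source, covering both the ServerAlias case and the data: font case reported above. The host names and the full policy string are constructed, and the assumption that the app links its assets to its configured base URL follows the guess in the reply.

```javascript
// Added example: simplified CSP source matching. Handles 'self', scheme
// sources (data:) and plain origin/host sources; wildcards, paths and the
// http->https upgrade rule for 'self' are left out.
const FALLBACK = { 'script-src-elem': ['script-src', 'default-src'] };

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first copy wins
  }
  return policy;
}

// Returns the directive that actually governs the fetch, following fallbacks.
function effectiveDirective(policy, directive) {
  const chain = [directive, ...(FALLBACK[directive] || ['default-src'])];
  return chain.find((name) => policy.has(name)) || null;
}

function isAllowed(policy, directive, documentUrl, resourceUrl) {
  const governing = effectiveDirective(policy, directive);
  if (governing === null) return true; // nothing restricts this fetch type
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);
  return policy.get(governing).some((src) => {
    if (src === "'self'") return res.origin === doc.origin;
    if (src.startsWith("'")) return false; // 'none' and other keywords not modelled
    if (src.endsWith(':')) return res.protocol === src.toLowerCase();
    try {
      return new URL(src).origin === res.origin;
    } catch {
      return res.host === src; // bare host source
    }
  });
}

// Constructed sample: hypothetical hosts, and a policy assembled from the
// directives quoted in the console messages.
const POLICY = parsePolicy("default-src 'self'; img-src 'self'; script-src 'self'");
const CONFIGURED = 'https://passbolt.example.test'; // app's configured base URL
const ALIAS = 'https://alias.example.test';         // ServerAlias host

function demo() {
  return {
    viaServerName: isAllowed(POLICY, 'img-src', CONFIGURED + '/login', CONFIGURED + '/favicon.ico'),
    viaAlias: isAllowed(POLICY, 'img-src', ALIAS + '/login', CONFIGURED + '/favicon.ico'),
    dataFont: isAllowed(POLICY, 'font-src', CONFIGURED + '/login', 'data:font/truetype;base64,AAAA'),
  };
}
```

The same asset URL passes when the page is opened on the configured host and fails on the alias, because 'self' is the origin of the document being viewed, and a data: URL never matches 'self' on any host.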