openSUSE admin

The browser console logs the following:

Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at http://code.opensuse.org/crameleon/test1/issue/1/comment/1963/edit?js=1 because it violates the following directive: “default-src 'self'”

I think the issue is with it calling plain "http", but self would rightfully only match "https". Maybe similar to https://progress.opensuse.org/issues/152709 ?

I will say, I do see a fair number of things kicking me back and forth from https to http when using code.o.o, the only reason I notice is because I have an "https-only" extension running in firefox, so I get a splash screen when it does it.

No idea if that's got anything to do with it.

I identified the issue to be with the nginx being configured to set an X-Forwarded-Proto header:

https://code.opensuse.org/heroes/salt/blob/production/f/pillar/role/pagure.sls#_54

This overwrites the X-Forwarded-Proto header, which our TLS terminating frontend proxy (HAProxy) sets to https:

https://code.opensuse.org/heroes/salt/blob/production/f/pillar/cluster/common/public_proxy.sls#_16

with http, since the backend connection is using plain HTTP.

I tried simply removing the option, however it would still set it - I could not find a way to have nginx preserve the existing X-Forwarded-Proto header from HAProxy. Hardcoding https however works, and I think is an acceptable workaround, since we do not allow any public plain HTTP connectivity anyways through permanent redirect, and since we already implement this practice for lists.opensuse.org, which had the same issue.

I already implemented this temporarily and will follow up with the permanent patch.

Yup, appears to be working as expected now.