[GH-ISSUE #688] Cannot load after login #447

Closed
opened 2026-02-25 21:35:03 +03:00 by kerem · 1 comment

Originally created by @undergroundwires on GitHub (Mar 10, 2023).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/688

🐛 Bugreport

After logging in (password + MFA), I get an empty page (completely blank HTML).

This has been working before using `content-security-policy: default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content;` header.

I used to be able to solve this issue by refreshing the page afterwards, but it does not seem to work anymore.

I see no related errors in either Chromium-based or Firefox browsers.

Version & Environment

Using image `sailfrog/cypht-docker:latest`.

Reproduce

  1. Add header `content-security-policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content;`
  2. Verify blank page.
kerem closed this issue 2026-02-25 21:35:03 +03:00

@undergroundwires commented on GitHub (Mar 10, 2023):

Adding `script-src 'unsafe-eval'` solved the issue. I seem to have found the most restrictive functioning CSP for the website: `content-security-policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content;`.
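
To see what the final policy relaxes relative to the first one quoted in the report, this added example (not part of the original issue or of the Cypht project) parses both header values and lists the `script-src` sources that were added. The policy strings are copied from the issue; the function names are illustrative.

```javascript
// Policy values as quoted in the issue (first report vs. the working policy).
const ORIGINAL = "default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content;";
const WORKING = "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content;";

// Split a policy into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment after a trailing ';'
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src when it is not present.
function effectiveScriptSources(policy) {
  const d = parseCsp(policy);
  return (d.get("script-src") ?? d.get("default-src") ?? []).map(s => s.toLowerCase());
}

// Sources allowed for scripts in `after` that were not allowed in `before`.
function addedScriptSources(before, after) {
  const old = new Set(effectiveScriptSources(before));
  return effectiveScriptSources(after).filter(s => !old.has(s));
}

// What each relaxed keyword permits (with no nonce or hash in the list).
const RISKS = {
  "'unsafe-inline'": "inline <script> blocks and event-handler attributes execute",
  "'unsafe-eval'": "eval(), new Function() and string arguments to setTimeout/setInterval are allowed",
};

function scriptSrcFindings(policy) {
  return effectiveScriptSources(policy)
    .filter(s => s in RISKS)
    .map(s => `${s}: ${RISKS[s]}`);
}

console.log("added to script-src:", addedScriptSources(ORIGINAL, WORKING).join(" "));
for (const finding of scriptSrcFindings(WORKING)) console.log("-", finding);
```
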
