this post was submitted on 24 Oct 2025
PieFed help
So, I just visited your instance and there is definitely an issue...but I am not sure I will really be of much help. When I click an image, it looks like the lightbox javascript is being blocked by the CSP. Here is what I see in the browser console:
The CSP that ships with piefed should allow the lightbox to run without issue. Perhaps there is a reverse proxy or CDN applying a stricter CSP? Maybe a browser plugin of some kind?
This kind of web admin stuff isn't really my area of expertise though.
That's it, yes.
If we use the browser dev tools to look at the CSP header that the HTML page returns, we can see that piefed.social has a different one than kopitalk.net. Below is piefed.social's one:
It's probably cloudflare or nginx causing that.
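The header comparison described in the comment above, as an added example that is not PieFed, Caddy or Cloudflare code: it parses two Content-Security-Policy strings, applies the default-src fallback, reports whether a plain inline script would be blocked under each, and lists every source the app's policy allows but the proxy's does not. The two policy strings are constructed placeholders, not the real headers of piefed.social or kopitalk.net, which the thread did not reproduce.

```python
"""Compare the CSP a web app sends with the CSP a reverse proxy sets in front of it.

Added example for the thread above; not PieFed, Caddy or Cloudflare code.
The two policy strings are constructed placeholders, not the real headers of
piefed.social or kopitalk.net.
"""
from __future__ import annotations

# Constructed sample: what an app might send itself (allows its own inline scripts).
APP_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.example; "
    "img-src 'self' https: data:; "
    "style-src 'self' 'unsafe-inline'"
)
# Constructed sample: a stricter policy a proxy or CDN might overwrite it with.
PROXY_CSP = "default-src 'self'; script-src 'self'; img-src 'self'"

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "frame-src")
INLINE_MARKERS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directive names are case-insensitive; when a name repeats, the first
    occurrence wins and later ones are ignored, as browsers do."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources that govern `directive`, applying the default-src fallback.

    Returns None when neither the directive nor default-src is present,
    i.e. the policy places no restriction on that resource type."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def inline_script_status(policy: dict[str, list[str]]) -> str:
    """How a plain <script> block (no nonce, no hash) fares under `policy`."""
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return "unrestricted"
    if any(s.startswith(INLINE_MARKERS) for s in sources):
        # A nonce or hash makes browsers ignore 'unsafe-inline': only matching scripts run.
        return "nonce-or-hash-only"
    if "'unsafe-inline'" in sources:
        return "allowed"
    return "blocked"


def stricter_directives(app: dict[str, list[str]],
                        proxy: dict[str, list[str]]) -> dict[str, list[str]]:
    """Sources the app's policy allows per directive but the proxy's policy does not.

    A non-empty result means the proxy policy is stricter somewhere and may
    break the app, which is exactly the lightbox symptom from the thread."""
    missing: dict[str, list[str]] = {}
    for directive in FETCH_DIRECTIVES:
        app_sources = effective_sources(app, directive)
        if app_sources is None:
            continue  # app imposes nothing here; nothing to lose
        proxy_sources = effective_sources(proxy, directive)
        if proxy_sources is None:
            continue  # proxy imposes nothing here either
        lost = sorted(set(app_sources) - set(proxy_sources))
        if lost:
            missing[directive] = lost
    return missing


def report(app_header: str = APP_CSP, proxy_header: str = PROXY_CSP) -> list[str]:
    """Console-ready lines, returned as a list so they can be checked."""
    app, proxy = parse_csp(app_header), parse_csp(proxy_header)
    lines = [f"inline scripts under app policy:   {inline_script_status(app)}",
             f"inline scripts under proxy policy: {inline_script_status(proxy)}"]
    for directive, lost in stricter_directives(app, proxy).items():
        lines.append(f"{directive}: proxy drops {', '.join(lost)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Paste the two header values you copied from the browser dev tools into `APP_CSP` and `PROXY_CSP` (the value seen directly from the app, and the value seen through the proxy or CDN). Any directive listed by `stricter_directives` is a candidate for the breakage; the thread's resolution, letting the app's own header through instead of setting one at the proxy, makes that list empty.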
#solved
EDIT: 2025-10-25 at 11h29 - I deleted the Content-Security-Policy and PieFed displays images as expected.
Reasoning
So after crawling through some very old Reddit posts, I came across other self-hosters discussing their newfound interest in Security Headers from 5 years ago (dated, yes). Among the comments was a post by pentesticals (glorious):
Quote:
Don't stress about security headers and CSP. These are there to help provide additional protection against client-side issues which may or may not be present.
These will not have any direct impact on your services you expose, rather they aim to be a last resort to protect your browser in case an attacker tries to exploit existing vulnerabilities such as Cross-Site Scripting - but not having these does not increase the risk of your server being compromised.
Use Nessus Essentials for scanning your services and have fun.
https://www.reddit.com/r/selfhosted/comments/mpzl8f/any_recommendations_for_security_scans/
I use Caddy and I can indeed see the security headers that involve CSP. How should this setting be amended?
For what it's worth, I looked over the "Using Caddy as reverse proxy" page for Lemmy, and I notice that they just don't use the Content-Security-Policy option at all. I'm wondering if I should simply delete this header for PieFed.
https://join-lemmy.org/docs/administration/caddy.html
Security Headers
Yes, when CSP was new it may sometimes have been beneficial to add them (although most of the time it would cause breakage), but these days most web apps will be setting that header themselves in a way that is appropriate for the app.