Keycloak / KEYCLOAK-14293

[REL] Admin page content blocked on v10.0.0 due to content security policy

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 10.0.0, 10.0.1
    • Fix Version/s: 10.0.2
    • Component/s: Admin - Console
    • Labels:
      None
    • Steps to Reproduce:

      Set up and run Keycloak 9.0.3 with:
      adminUrl = https://localhost:9081
      frontendUrl = https://localhost:9080
      forceBackendUrlToFrontendUrl = false

      Load the admin console without issue.

      Now, load the same configuration with Keycloak 10.0.0.
      Note the blank admin console main page content (the navbar content may still be visible).
      Open either Firefox or Chrome developer tools.
      Note the value of frame-src is incorrectly set to https://localhost:9080 and an error like "The page's settings blocked the loading of a resource ..."

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Mailing list discussion: https://groups.google.com/forum/#!topic/keycloak-user/8RUydXHc1uA

      In environments that use the adminUrl and frontendUrl configuration parameters, the admin page content will not load on v10.0.0 due to content security policy settings.

      It appears that the same environments on v9.0.3 issue a similar header, but enforcement is active on 10.0.0.

      There is logic in AdminConsole.java that did not change materially in 10.0.0, but may need to better handle environments with adminUrl and frontendUrl set.
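
An added illustration, not part of the original report and not Keycloak code: a simplified evaluation of the `frame-src` directive that shows why a policy naming only the frontendUrl origin blocks a frame served from the adminUrl origin. It assumes the blocked frame is loaded from the adminUrl origin; the header string and URL paths are constructed, and matching covers scheme, host and port only.

```javascript
// Added example: simplified CSP frame-src evaluation (scheme/host/port only, no paths, nonces or hashes).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse a Content-Security-Policy header value into Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per CSP, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression allow `target` when the protected page is `self`?
function sourceMatches(source, target, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === self.origin;
  if (s === "*") return ["http:", "https:"].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if ((scheme ? scheme + ":" : self.protocol) !== target.protocol) return false;
  const hostOk = host.startsWith("*.")
    ? target.hostname.endsWith(host.slice(1))
    : target.hostname === host;
  const wantPort = port || DEFAULT_PORTS[target.protocol];
  return hostOk && (wantPort === "*" || wantPort === (target.port || DEFAULT_PORTS[target.protocol]));
}

// frame-src falls back to child-src, then default-src; no directive means no restriction.
function frameAllowed(header, pageUrl, frameUrl) {
  const policy = parseCsp(header);
  const sources = policy.get("frame-src") ?? policy.get("child-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  const self = new URL(pageUrl), target = new URL(frameUrl);
  return sources.some((src) => sourceMatches(src, target, self));
}

// Constructed inputs based on the reproduction steps; the paths are hypothetical.
const ADMIN_PAGE = "https://localhost:9081/auth/admin/master/console/";
const FRAMED = "https://localhost:9081/auth/realms/master/some-iframe.html";
const REPORTED = "frame-src https://localhost:9080";
console.log(frameAllowed(REPORTED, ADMIN_PAGE, FRAMED)); // false: port 9081 is not listed
```

For comparison, the same call with `frame-src 'self'` or `frame-src https://localhost:9081` returns true, because the framed origin then matches the policy.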


    People

    • Assignee: stianst Stian Thorgersen
    • Reporter: cgstevens56 Chris Stevens