
TEMPORAL_UI_PUBLIC_PATH (hosting the ui server in a sub directory) is broken in docker container tag 2.25.0

Open robcao opened this issue 1 year ago • 2 comments

Describe the bug

Between temporalio/ui:2.24.0 and temporalio/ui:2.25.0, a content-security-policy was added to the UI. This is breaking the UI server when being hosted in a sub-directory.

    <meta http-equiv="content-security-policy" content="script-src 'strict-dynamic' 'sha256-uL3lw718LXf98/HXcl2fdTthcTdRMXQVh21D5X8Kejk='">

To Reproduce

I have set up a repository with a minimum reproducible sample here: https://github.com/robcao/temporal-ui-server-csp-reproduction

You can pull down the repository and run docker compose up in the root directory. It's based off of the postgres docker compose here, but using tag 2.25.0 of the ui server.

The compose file sets the TEMPORAL_UI_PUBLIC_PATH environment variable value to /rob-test, which serves the UI at http://localhost:8080/rob-test/namespaces/default/workflows

I validated that this does not occur in version 2.24.0, which can also be tested by changing the UI tag in the .env file.

  1. In the root directory, run docker compose
  2. Open a browser, and then navigate to http://localhost:8080/rob-test/namespaces/default/workflows. Validate that the UI is not loading.

Expected behavior

Temporal UI loads as expected when navigating to http://localhost:8080/rob-test/namespaces/default/workflows

Screenshots

[screenshot not reproduced here]

The following error is thrown in the browser console:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'sha256-uL3lw718LXf98/HXcl2fdTthcTdRMXQVh21D5X8Kejk='". Either the 'unsafe-inline' keyword, a hash ('sha256-NuXOv6GpxZobAYIbHcLy18Pi7TdwsgzzWaD6zdhl2EY='), or a nonce ('nonce-...') is required to enable inline execution.

Desktop (please complete the following information):

  • OS: WSL2/Ubuntu 22.04 : Windows 10 Enterprise 22H2 Build 19045.4170
  • Browser: Chrome 122.0.6261.131 (Official Build) (64-bit)
  • Version: temporalio/ui:2.25.0

Additional context

Potentially caused by the upgrade to svelte 4 perhaps?

robcao avatar Mar 21 '24 16:03 robcao

Thanks for reporting! It was due to the addition of the CSP config of SvelteKit https://github.com/temporalio/ui/pull/1903.

I'll update the directives to fix this.

Alex-Tideman avatar Mar 26 '24 02:03 Alex-Tideman

@Alex-Tideman Hello! Have you fixed it?

MicleMaslow avatar May 03 '24 07:05 MicleMaslow

Fixed with https://github.com/temporalio/ui/pull/2103

Alex-Tideman avatar May 09 '24 21:05 Alex-Tideman