net::ERR_SPDY_PROTOCOL_ERROR on a fresh install

[supermamie]

I just installed lufi on my YunoHost instance and when I am connected, everything is fine. (I set it as private)
But when I send a link to someone else, no js or css are loaded.

The Content Security Policy 'default-src https: data: 'unsafe-inline' 'unsafe-eval'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
k2kGh2c3RO:19 GET https://upload.myserver.fr/js/ie-detection.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:18 GET https://upload.myserver.fr/css/lufi.css net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:25 GET https://upload.myserver.fr/img/lufi-min.png net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:76 GET https://upload.myserver.fr/js/jquery-2.2.4.min.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:17 GET https://upload.myserver.fr/css/materialize.min.css net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:78 GET https://upload.myserver.fr/js/lufi-common.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:96 GET https://upload.myserver.fr/js/filesize.min.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:104 GET https://upload.myserver.fr/js/sidenav.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:98 GET https://upload.myserver.fr/js/lufi-down.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:97 GET https://upload.myserver.fr/js/sjcl.js net::ERR_SPDY_PROTOCOL_ERROR
k2kGh2c3RO:103 GET https://upload.myserver.fr/js/materialize.js net::ERR_SPDY_PROTOCOL_ERROR
/img/favicon.png:1 GET https://upload.myserver.fr/img/favicon.png net::ERR_SPDY_PROTOCOL_ERROR
/img/lufi128.png:1 GET https://upload.myserver.fr/img/lufi128.png net::ERR_SPDY_PROTOCOL_ERROR
/img/lufi196.png:1 GET https://upload.myserver.fr/img/lufi196.png net::ERR_SPDY_PROTOCOL_ERROR

side note : I have my TLS configuration to modern (if it can have some impact)

[kay0u]

Hi, thank you for your report.

I can't reproduce this bug, can you try with another browser please?

[supermamie]

Both tests were done in Chrome and Chromium.
I didn't test in Firefox because I was connected but I opened a private session and it works.
I also tried in Firefox Focus on my phone and it works too.

So the problem is just Chrom*

(and maybe some other Chromium implementations)

[supermamie]

Tested also on Vivaldi (which uses Chromium), and it fails too.

[kay0u]

Are you using an old version of Chrom*?

https://blog.chromium.org/2016/02/transitioning-from-spdy-to-http2.html

Update: To better align with Chrome's release cycle, SPDY and NPN support will be removed with the release of Chrome 51.

I'll try to install Vivaldi I can't reproduce with Vivaldi either.

[supermamie]

I'm using Chromium Version 76.0.3809.87 (no idea about the chrome version used for the other test)

[kay0u]

@ldidry maybe? Do you have any idea about that?

[ldidry]

Seems more a problem with web server or browser than Lufi to me. @supermamie, can you provide us a copy of the Content-Security-Header sent by your Lufi, please?

[supermamie]

In chrome I can not show them, no idea why.
In Firefox, here are the headers received, for /css/materialize.min.css (the same one are send for the other files)

HTTP/2.0 200 OK
server: nginx
date: Mon, 12 Aug 2019 12:15:47 GMT
content-type: image/x-icon
content-length: 15086
x-sso-wat: You've just been SSOed
set-cookie: SSOwAuthRedirect=;; Path=/yunohost/sso/; Expires=Thu, 01 Jan 1970 00:00:00 UTC; Secure; HttpOnly; SameSite=Lax ;;
x-content-type-options: nosniff
accept-ranges: bytes
last-modified: Mon, 06 Aug 2018 23:15:41 GMT
cache-control: max-age=2592000, must-revalidate
content-security-policy: upgrade-insecure-requests
etag: "23bca2ed764885d1b39000246367dfe6"
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy-report-only: default-src https: data: 'unsafe-inline' 'unsafe-eval'
x-download-options: noopen
x-permitted-cross-domain-policies: none
X-Firefox-Spdy: h2

[ldidry]

content-security-policy: upgrade-insecure-requests

This is not what Lufi itself send by default. So I guess there is a problem with YNH Nginx configuration or with SSOwat (I have no idea of how it works).

[supermamie]

I just had a look in /etc/nginx/conf.d/lufi.myserver.fr.conf and there is

    # Ciphers with modern compatibility
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
    # The following configuration use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:EC$
    ssl_prefer_server_ciphers on;


    # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
    # https://observatory.mozilla.org/

    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
    more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
    more_set_headers "X-Content-Type-Options : nosniff";
    more_set_headers "X-XSS-Protection : 1; mode=block";
    more_set_headers "X-Download-Options : noopen";
    more_set_headers "X-Permitted-Cross-Domain-Policies : none";
    more_set_headers "X-Frame-Options : SAMEORIGIN";

All of this is linked to the modern configuration in https://yunohost.org/#/security_en

[ldidry]

Those two lines are the problem:

more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";

[kay0u]

Thank you @ldidry !!

@supermamie could you please comment these lines (with a #) and do:

systemctl reload nginx

And tell me if that fixes your problem.

[supermamie]

Same error in chrome (due to some cache ?).

[HugoPoi]

I have the same issue, I think there is conflict when sub-folder url is used for lufi