Buttons not working after fresh install of osTicket 1.16.3

KevinTheJedi

That is very interesting. I’m unable to replicate this locally with the same version. 🤔

Cheers.

KevinTheJedi

You definitely have JS/jquery issues as I noticed the reply box isn’t loading Redactor, the User box isn’t the full width, etc. There has to be errors somewhere. Maybe check the Apache logs?

Cheers.

Arao

KevinTheJedi

I checked the Apache logs again but there is nothing of significance for that time period.

172.25.1.1 - - [06/Jul/2022:07:55:24 +0530] "GET /scp/tickets.php?id=2690&_pjax=%23pjax-container HTTP/1.1" 200 10990 "https://support.example.in:6443/scp/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
172.25.1.1 - - [06/Jul/2022:07:55:56 +0530] "GET /scp/ajax.php/queue/counts HTTP/1.1" 200 1067 "https://support.example.in:6443/scp/tickets.php?id=2690" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
172.25.1.1 - - [06/Jul/2022:08:00:30 +0530] "GET /scp/ajax.php/help/tips/tickets.queue HTTP/1.1" 200 3153 "https://support.example.in:6443/scp/tickets.php?id=2690" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"

Daedalus01

Try using the inspector mode to see if its showing any errors. It's helped me out in the past. I know for FireFox they key is F12 to enable it. I am not sure about Chrome.

KevinTheJedi

Daedalus01

For chrome you can do F12 or right click anywhere on the page and click Inspect.

Cheers.

Arao

Thanks @Daedalus01 and @KevinTheJedi

You are right, the errors were in the browser. It appears to be related to Content Security Policy (CSP).

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).

Arao

Oh, forgot to mention that I do have a pop-up / ad blocker named uBlock installed on both browsers but it is fully disabled for this website. Moreover, my colleague doesn't have this blocker add-on but has the same problem with the buttons.

KevinTheJedi

Arao

The first thing you posted about CSP (Content-Security-Policy) is the issue. It seems like your browser and/or webserver has a strict CSP header enabled that is preventing the JS from loading. The only CSP header we set is frame-ancestors which is for iFrames, not scripts. This leaves the CSP default-src, script-src, etc. headers to the mercy of the webserver and/or browser. If you have access to the webserver you can fix this via the .htaccess for the site. There you can add a CSP header that suits your needs:

CSP Header

https://content-security-policy.com/

Adding CSP Headers via `.htaccess`

https://content-security-policy.com/examples/htaccess/

Cheers.

Arao

Thanks @KevinTheJedi . Yes, I was working exactly on fixing my CSP headers in ssl-params.conf because that is where I had put in the directives.

If it is any helpful, I tried a few combinations but it didn't work. So, the temporary solution is to disable CSP completely for now. Magically, the all the issues I reported earlier vanished!

I will post the headers once I get it to work fully on Apache.

Appreciate your help.

Cheers

Arao

Hi,

For anyone interested, I got this basic config working in ssl-params.conf although it can be in your apache2.conf / .htaccess / VirtualHost config file. If you are running sensitive or production level sites, it is best you consult with your Web Administrator before adding these directives as it is not meant to be foolproof.

support.example.in is my specific sub-domain where osTicket is installed.

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' support.example.in fonts.googleapis.com fonts.static.com www.google-analytics.com;"

All buttons and functions are working normally for now.

Thanks,
Arao

Arao

Hi @KevinTheJedi ,

Had to revive this thread as I am facing a minor issue with the text composing editor. The screenshot below shows the missing buttons but clicking a button does perform the desired function.

The problem exists on both Chrome and Firefox. I did play around with security settings on the browser but to no avail.

Any clues?

Thanks,
Arao

KevinTheJedi

Arao

Sounds like JS issues again. Remove all security settings to test.

Cheers.

Arao

Thanks @KevinTheJedi . Definitely yes, they start to work as soon as I disable the security settings I posted earlier.

Regards,
Arao

KevinTheJedi

Arao

Need to modify your security settings again 😉

Cheers.