[resolved] Popups don't work and avatars don't load

0x0539

System info
Ubuntu: 20.04.1 LTS
Apache: 2.4.41
MySQL Version: 10.3.25
PHP: 7.4.3
osTicket: 1.15.1

Problem description
I'm unable to change some settings, a couple buttons don't seem to be working. I looked it up and found a couple issues/threads before, apparently had something to do with ajax:
https://forum.osticket.com/d/80061-buttons-not-working-popups-not-displaying
https://forum.osticket.com/d/90079-resolved-error-with-ajaxphp-actions

Neither of them solves my issue

Troubleshooting done:

Reinstalled everything multiple times with complete removal
Setting up cgi.fix_pathinfo=1 in both cli / fpm php.ini files
Restarting apache
Restarting the server
Tested on another browser

Question
Does anyone know how to fix it?

Examples
Example 1: After saving it resets back to the previous page because the "add" button doesn't work
Example 2: Cancel button not functioning at all

ntozier

This looks like AJAX issues to me. Are you running anything like mod_security or SELinux?

0x0539

ntozier I am not, is it required?

ntozier

No. But they have both been known to cause AJAX issues (lack of pop ups, etc).

0x0539

I am running very scrict headers in my apache config, could this be related?

- Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- Header always append X-Frame-Options DENY
- Header always set Feature-Policy "fullscreen 'none' "
- Header set X-Content-Type-Options nosniff
- Header set X-XSS-Protection "1; mode=block"
- Header set X-Permitted-Cross-Domain-Policies "none"
- Header set Content-Security-Policy "default-src 'self';"
- Header set Referrer-Policy "no-referrer"
- Header always set Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();"

ntozier

Best way to find out in my experience is to shut it off and see if the problems go away. If they do then you have discovered the culprit. You can always turn them right back on. 🙂

0x0539

Problem solved by removing the following header:
Header set Content-Security-Policy "default-src 'self';"

Will look if the I can fix it without turning it off completely, thanks for the fast replies!

0x0539

Issue caused by security headers, fixable by removing completely or using the following:

Header set Content-Security-Policy "img-src https: www.gravatar.com;"
This way the ajax will work, avatars will too if you've selected gravatars and keep some sort of security 🙂

ntozier

Very welcome. And thanks for posting your solution here for other folks to use as well.

If I am correct you are currently using the following headers for your site of:

- Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- Header always append X-Frame-Options DENY
- Header always set Feature-Policy "fullscreen 'none' "
- Header set X-Content-Type-Options nosniff
- Header set X-XSS-Protection "1; mode=block"
- Header set X-Permitted-Cross-Domain-Policies "none"
- Header set Content-Security-Policy "img-src https: www.gravatar.com;"
- Header set Referrer-Policy "no-referrer"
- Header always set Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();"

I usually try to troll the forums at from 9a - 5pm EST Mon-Fri. I sometimes check them on the weekends also. So you will at least get faster answers from me during those hours.

0x0539

ntozier That is correct. 😀

ntozier

Perfect thanks.

I'll mark this thread as resolved and close it. Please feel free to start a new thread if you have another question, comment, etc.