  • 0

I appear to be missing some package/library prerequisite but not sure what, exactly. (See screenshot of admin area) Is this Cloudflare related?


Incog

Question

Per the documentation:

 

Quote

 

Cloudflare

Widgets do not appear in the client or admin areas, CSS or Javascript does not appear to load or Blesta doesn't look right.

Disable Rocket Loader and Auto Minify within Cloudflare. We would recommend not using Cloudflare for Blesta at all if possible.

 

 

Neither Auto Minify nor Rocket Loader were/are enabled. I cleared CF cache for good measure as well. Is what I'm seeing still related to Cloudflare? Just curious since my site uses CF for SSL Certs, but I can swap those for Let's Encrypt or similar instead of relying on Cloudflare for them if I need to.

Screenshot_2021-01-14_05-07-09.png

6 answers to this question

  • 1

If you disable Cloudflare so that they just direct traffic to the server's IP, does it resolve the issue?

Is this a fresh installation? If it's a fresh install, there could be missing files or the installation may not have completed correctly. Your browser's inspector may give a better indication if any files (like CSS and JavaScript files) are missing and returning a 404 error.


  • 0
26 minutes ago, Paul said:

If you disable Cloudflare so that they just direct traffic to the server's IP, does it resolve the issue?

Is this a fresh installation? If it's a fresh install, there could be missing files or the installation may not have completed correctly. Your browser's inspector may give a better indication if any files (like CSS and JavaScript files) are missing and returning a 404 error.

Ah, and there it is.  Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).

Some cookies are misusing the recommended “SameSite“ attribute 2
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”). onloadwff.js:71:790746
Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content. jquery-1.8.3.min.js:2:91186
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”). admin:287:1
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”). admin:409:1

Was about half awake when messing with this fresh install, and it hadn't occurred to me that I'm running a pretty strict set of security headers. Nginx's content security headers are set to 'self', so it's not going to load 3rd party elements/scripts, nor do I want it to.

That probably gave me enough details to sort this out. I don't believe that it's related to Cloudflare, but we're just temporarily using them to host DNS / get the site up.


  • 0
17 minutes ago, IncogHost said:

Was about half awake when messing with this fresh install, and it hadn't occurred to me that I'm running a pretty strict set of security headers. Nginx's content security headers are set to 'self', so it's not going to load 3rd party elements/scripts, nor do I want it to.

That probably gave me enough details to sort this out. I don't believe that it's related to Cloudflare, but we're just temporarily using them to host DNS / get the site up.

All of the resources should be loaded locally and not via an external URL. Or, does a Content-Security-Policy of "self" mean that you cannot load resources from a subdomain even if the application is on the same subdomain? Maybe the policy needs to be modified to include the subdomain.


  • 0
1 hour ago, Paul said:

All of the resources should be loaded locally and not via an external URL. Or, does a Content-Security-Policy of "self" mean that you cannot load resources from a subdomain even if the application is on the same subdomain? Maybe the policy needs to be modified to include the subdomain.

Good call. It's been amended properly; however, the issue persists. There should be no caching at the Cloudflare level.

Without having to transfer DNS elsewhere just to test, is there anything else you can think of?

Temporarily I've disabled the https redirect in my nginx .conf for this domain, and with Cloudflare. I passed traffic straight to the sub-domain, no CF, purged cache. Still no widgets in the admin area. See below:

Screenshot at 2021-01-14 17-27-38.png


  • 0

Alright, it's not Cloudflare. For some reason these elements refuse to load with the content security header in place preventing any 3rd party/non-local elements. Any ideas? I've commented the security header out which is a temporary fix at best, but not something I want to push into production.


  • 0
On 1/14/2021 at 9:14 PM, IncogHost said:

Alright, it's not Cloudflare. For some reason these elements refuse to load with the content security header in place preventing any 3rd party/non-local elements. Any ideas? I've commented the security header out which is a temporary fix at best, but not something I want to push into production.


The widgets are loaded via AJAX but they should be using the same hostname for those requests. I'm not sure why your security policy would have an issue with that, or what the proper solution would be. I guess the question is, what does the rule require, and why does the loading of widgets violate that rule?

I suppose you should double check that the hostname is correct under Settings > System > Companies: Edit.
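An added example, not part of the thread and not Blesta's or any browser's own code: a simplified model of how a policy such as `default-src 'self'` is evaluated, covering the two points raised above (the console's "inline" violations reported against "default-src", and whether 'self' extends to another hostname). The hostnames and the nonce value are constructed, and hash sources, wildcards and scheme sources are left out.

```javascript
// Added example with constructed values. Simplified CSP source-list model:
// only 'self', 'unsafe-inline', 'nonce-...' and exact-origin sources.

// Parse "default-src 'self'; script-src ..." into { directive: [sources] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// script-src, style-src and connect-src fall back to default-src if absent.
function effectiveSources(policy, directive) {
  return policy[directive] ?? policy["default-src"] ?? null; // null = unrestricted
}

// Inline <script>/<style> blocks are never covered by 'self': they need
// 'unsafe-inline' or a matching nonce (or a hash, not modelled here).
function allowsInline(policy, directive, nonce = null) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s));
  if (nonces.length > 0) {
    // Once a nonce is listed, browsers ignore 'unsafe-inline'.
    return nonce !== null && nonces.includes(`'nonce-${nonce}'`);
  }
  return sources.includes("'unsafe-inline'");
}

// URL loads (script files, AJAX requests): 'self' is the page's own origin,
// so a different hostname (parent domain or subdomain) must be listed itself.
function allowsUrl(policy, directive, pageUrl, resourceUrl) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const page = new URL(pageUrl).origin;
  const target = new URL(resourceUrl).origin;
  return sources.some((s) => (s === "'self'" ? target === page : s === target));
}

const strict = parseCsp("default-src 'self'");
const withNonce = parseCsp("default-src 'self'; script-src 'self' 'nonce-abc123'");
```

Under this model a same-host AJAX request passes `default-src 'self'`, while any inline script or style block in the returned markup is refused unless the policy carries a matching nonce, a hash, or 'unsafe-inline'.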