Content Security Policy: The page's settings blocked the loading of a resource at

I am running GitLab with the Apache web server as a proxy on Debian. This was running fine for some time.
One day, after I hadn't used the web interface for some time, I found the login screen with missing icons and probably no CSS (as far as a non-web-dev could tell).
I started to google and found various hints that led to the following actions and observations:

  • This happens on both Firefox and Chrome
  • I can fix this by disabling CSP (security.csp.enable = false) in the browser
  • The Firefox Shift-F5 console shows 4 lines with “Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).”
    Then another line with “data:image/gif;base64,R0lGODlhAQABAAAAAC…” instead of “inline”.
    Finally:
        Uncaught ReferenceError: gon is not defined
            zf8v webpack.js:10
            Webpack 9
        webpack.js:10:4

I tried updating to the latest version. I am now at 14.7, but that didn’t make a change.

I am happy to get a fix for this and would provide any information needed.
But I would also like to understand what is really happening. I roughly understand what CSP is, but I don't believe I am supposed to hack GitLab's code to fix this. So, what can it be?

Thanks for helping

Some luck pushed me in the right direction today and I found out what the problem was, and especially that the problem lay outside GitLab's configuration. I thought it was a GitLab problem more or less, because GitLab's appearance was much more affected than e.g. Nextcloud's. The problem was in the security configuration of Apache.

Some weeks ago, I came across a website that promised to find security issues with web browsers. I gave it a try and it told me a few spots that could be configured more strictly to improve security. I applied a few configuration changes and it appeared to work fine.

Obviously I did not properly check all aspects of the server's functioning, so I missed the broken GitLab. When I came back weeks later, I had forgotten about the security configuration.

The line that caused the above-mentioned errors was:
    Header always set Content-Security-Policy "default-src 'self'"

I am not sure if there isn't something more precise that would still allow applying the setting but offer exceptions for the exact things I need on the particular site. But, for now, I am happy to have a functioning server.

Thanks to anyone who gave it a thought, though.
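To make the console messages in this thread concrete, here is a small CSP evaluator added as an illustration; it is not GitLab's, Apache's or the poster's code. It implements only the subset of Content-Security-Policy semantics needed here (the default-src fallback, 'self', 'none', 'unsafe-inline' and scheme sources such as data:) and runs it over constructed resource loads that mirror the reported errors: an inline script, a data: GIF and two same-origin assets. The host name git.example.org and the asset paths are assumptions. With the header from the thread, `default-src 'self'`, the inline script and the data: image are blocked while same-origin files load, which matches the four "blocked ... at inline" lines, the data:image/gif line, and is consistent with a later "gon is not defined" error when an inline bootstrap script never ran.

```python
"""Minimal Content-Security-Policy evaluator (added illustration, not GitLab or Apache code).

Only the directive and source semantics needed for this thread are modelled:
default-src fallback, 'self', 'none', 'unsafe-inline', scheme sources (data:)
and exact-origin host sources. Wildcards, nonces and hashes are not handled.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent (subset).
FALLBACK_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src"}


def parse_csp(header):
    """Turn "default-src 'self'; img-src 'self' data:" into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources governing a directive, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_DIRECTIVES:
        return policy.get("default-src")  # None if default-src is absent
    return None


def load_allowed(policy, directive, page_origin, load):
    """Decide whether one load passes. load is {'inline': True} or {'url': '...'}."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if "'none'" in sources:
        return False
    if load.get("inline"):
        # Inline script/style needs an explicit allowance; 'self' does not cover it.
        return "'unsafe-inline'" in sources
    url = urlsplit(load["url"])
    origin = f"{url.scheme}://{url.netloc}"
    for src in sources:
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and url.scheme == src[:-1]:  # scheme source, e.g. data:
            return True
        if src.startswith("http") and origin == src.rstrip("/"):  # exact host source
            return True
    return False


def evaluate(header, page_origin, loads):
    """Return {label: allowed} for each (label, directive, load) triple."""
    policy = parse_csp(header)
    return {label: load_allowed(policy, directive, page_origin, load)
            for label, directive, load in loads}


# Constructed sample loads mirroring the console messages in the thread.
PAGE_ORIGIN = "https://git.example.org"  # hypothetical GitLab host
SAMPLE_LOADS = [
    ("inline bootstrap script", "script-src", {"inline": True}),
    ("data: gif", "img-src", {"url": "data:image/gif;base64,R0lGODlhAQABAAAAAC"}),
    ("webpack bundle", "script-src", {"url": "https://git.example.org/assets/webpack.js"}),
    ("stylesheet", "style-src", {"url": "https://git.example.org/assets/app.css"}),
]

if __name__ == "__main__":
    for header in ("default-src 'self'", "default-src 'self'; img-src 'self' data:"):
        print(f"Content-Security-Policy: {header}")
        for label, allowed in evaluate(header, PAGE_ORIGIN, SAMPLE_LOADS).items():
            print(f"  {'allowed' if allowed else 'BLOCKED'}  {label}")
```

Running the script prints the verdict per load for the thread's header and for a variant that adds `img-src 'self' data:`. The variant shows the general shape of a narrower fix: widen only the directive that the console names (img-src for the data: GIF) rather than dropping the header. Note that the evaluator reports the inline script as blocked in both cases, because 'self' never covers inline code; allowing it with 'unsafe-inline' weakens the policy considerably, and the precise alternatives are nonces or hashes, which this subset does not model. Also keep in mind that Apache's `Header always set` replaces any Content-Security-Policy header the backend application itself sends, so a global line like the one above silently overrides whatever policy the proxied application ships with.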