• Resolved kiikiikii

    (@kiikiikii)


    I’m sure it’s something on my end (user error), but images are broken in my backend. If I right click and view the url / image, it actually shows up. I guess just Ninja is stopping them from rendering.

    Which setting would stop images from loading in? Thanks in advance.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author nintechnet

    (@nintechnet)

    If you disable NinjaFirewall, can you see the image?

    Yep, if I disable Ninja I can see the images in my dash.

    Plugin Author nintechnet

    (@nintechnet)

    Did you enable one or more options from the “Firewall Policies > Advanced Policies > HTTP response headers” section?

    I did.

    Yes
    SAMEORIGIN
    Set to “1”
    Samesite=Lax
    No
    1 Year

    • This reply was modified 4 months, 4 weeks ago by kiikiikii.
    Plugin Author nintechnet

    (@nintechnet)

    It could be the “Strict-Transport-Security” policy if, for instance, you connect to your site over HTTPS but still have images served over HTTP. Open your browser’s console (CTRL + Shift + J) and check if you see any error or security warning. As indicated in the doc (see https://blog.nintechnet.com/securing-wordpress-with-a-web-application-firewall-ninjafirewall/#advanced-policies ), any blocked request will be displayed there.

    If it’s not related to HTTP headers, it should be written to the “Logs > Firewall Log”. Did you check it?

    Changing the Strict Transport Security option off didn’t help but you’re right, I found a ton of blocked images/errors (these aren’t all of them, just a few):

    Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com data:".
    
    admin.php?page=wc-addons:1 Refused to load the image 'https://d3t0oesq8995hv.cloudfront.net/add-ons/subscriptions-icon@2x.png' because it violates the following Content Security Policy directive: "img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com data:".
    
    admin.php?page=wc-addons:1 Refused to load the image 'https://d3t0oesq8995hv.cloudfront.net/add-ons/bookings-icon@2x.png' because it violates the following Content Security Policy directive: "img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com data:".
    
    admin.php?page=wc-addons:1 Refused to load the image 'https://d3t0oesq8995hv.cloudfront.net/add-ons/memberships-icon@2x.png' because it violates the following Content Security Policy directive: "img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com data:".
    
    admin.php?page=wc-addons:1 Refused to load the image 'https://d3t0oesq8995hv.cloudfront.net/add-ons/generic.png' because it violates the following Content Security Policy directive: "img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com data:".
    
    admin.php?page=wc-addons:1 Refused to load the image 'https://d3t0oesq8995hv.cloudfront.net/add-ons/generic.png' because it violates the following Content Security Policy directive: "img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com data:".
    • This reply was modified 4 months, 3 weeks ago by kiikiikii.
    Plugin Author nintechnet

    (@nintechnet)

    They are blocked by the “Set Content-Security-Policy for the website frontend” that you have enabled.
    In the “Content-Security-Policy” textarea, locate this directive:

    img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com data:

    Add *.cloudfront.net after woocommerce.com so that it looks like this:

    img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com *.cloudfront.net data:

    That fixed it! Thank you so much.
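
Added example, not part of the original thread or of NinjaFirewall's code: a simplified JavaScript model of how a browser matches an image URL against the `img-src` source list, run against the policy and the CloudFront URL from the console errors above. The page URL on `example.com` and the exact-host variant `NARROW` are assumptions; ports, paths, nonces and hashes in source expressions are not modelled.

```javascript
// Simplified CSP source-list matching for images (assumption: no ports, paths, nonces, hashes).
function parseDirective(policy, name) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

function hostMatches(pattern, host) {
  // "*.example.com" matches any subdomain, but not "example.com" itself.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function imageAllowed(policy, pageUrl, imageUrl) {
  // img-src falls back to default-src; with neither present, images are unrestricted.
  const sources = parseDirective(policy, 'img-src') ?? parseDirective(policy, 'default-src');
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const img = new URL(imageUrl);
  const upgrade = (from, to) => from === to || (from === 'http:' && to === 'https:');
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return img.origin === page.origin;
    if (s.startsWith("'")) return false; // 'none' and other keywords match no URL here
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return img.protocol === s; // scheme-source, e.g. data:
    if (s === '*') return /^https?:$/.test(img.protocol);
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
    if (!m) return false;
    // A host-source without a scheme inherits the page's scheme (http may upgrade to https).
    const schemeOk = upgrade(m[1] ? m[1] + ':' : page.protocol, img.protocol);
    return schemeOk && hostMatches(m[2], img.hostname);
  });
}

// Policy and blocked URL are taken from the thread; PAGE and NARROW are constructed.
const BEFORE = "img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com data:";
const AFTER = BEFORE.replace('woocommerce.com', 'woocommerce.com *.cloudfront.net');
const NARROW = BEFORE.replace('woocommerce.com', 'woocommerce.com d3t0oesq8995hv.cloudfront.net');
const PAGE = 'https://example.com/wp-admin/admin.php?page=wc-addons';
const ICON = 'https://d3t0oesq8995hv.cloudfront.net/add-ons/generic.png';

console.log(imageAllowed(BEFORE, PAGE, ICON), imageAllowed(AFTER, PAGE, ICON));
```

`*.cloudfront.net` admits images from every CloudFront distribution, not only the one in the console errors; listing the exact host, as `NARROW` does, is the tighter allowance.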
