ostempel 3d ago

Security Policy directive on logo | Maybe env/build error?

I set up zitadel through the official helm-chart. After some starting issues I got it working. Now I wanted to customize our organization. I wanted to add a custom logo to the web-login.

- added origin to console app "https://zitadel.172.17.0.1.nip.io:4443"
- added the logo to the organisation login
- opened a new window (incognito or normal) and it doesn't load the logo

Then I went to the docker-compose to have a look at the local docker-compose setup. Here comes the same issue:

http://localhost:8080/assets/v1/346067768807849987/policy/label/logo-dark-346067955169099779' violates the following Content Security Policy directive: "img-src 'self' https://localhost". The action has been blocked.

The issue may come from this: https://github.com/zitadel/zitadel/blob/d7e9eddb7650282c4df53f5e196ce05ec897567c/apps/login/constants/csp.js#L1-L6

In the docker-compose and in the k8s container the ZITADEL_API_URL is set, but it still says only localhost is allowed. Is this a problem of env propagation and it can't be changed during runtime? Or is this a configuration issue?
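Added example, not part of the original post and not ZITADEL's code: a simplified check of why a browser refuses the asset URL from the question under the reported `img-src 'self' https://localhost`. The policy and asset URL are taken from the post; the login page origin `http://localhost:3000/` is an assumption, and the matcher only covers scheme, host and port.

```javascript
// Simplified CSP source matching: scheme, host and port only
// (no paths, wildcards, nonces or hashes).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Values quoted in the question above.
const POLICY = "img-src 'self' https://localhost";
const ASSET = "http://localhost:8080/assets/v1/346067768807849987/policy/label/logo-dark-346067955169099779";
// Assumption: the login UI is served from a different origin than the API.
const LOGIN_PAGE = "http://localhost:3000/";

function matchesSource(source, url, page) {
  if (source === "'self'") return url.origin === page.origin; // simplified: exact origin
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // expression not covered here
  const scheme = m[1] ? m[1].toLowerCase() + ":" : page.protocol;
  // A source scheme covers its secure upgrade (http -> https), never the reverse.
  const schemeOk = scheme === url.protocol ||
    (scheme === "http:" && url.protocol === "https:");
  if (!schemeOk || m[2].toLowerCase() !== url.hostname) return false;
  if (m[3] === "*") return true;
  // A source without a port only matches the default port of the URL's scheme.
  const wanted = m[3] || DEFAULT_PORT[url.protocol];
  return wanted === (url.port || DEFAULT_PORT[url.protocol]);
}

function imgAllowed(policy, imageUrl, pageUrl) {
  const directives = policy.split(";").map(d => d.trim().split(/\s+/));
  const pick = name => directives.find(t => t[0].toLowerCase() === name);
  const directive = pick("img-src") || pick("default-src"); // img-src falls back to default-src
  if (!directive) return true; // nothing restricts images
  const url = new URL(imageUrl), page = new URL(pageUrl);
  return directive.slice(1).some(src => matchesSource(src, url, page));
}

console.log(imgAllowed(POLICY, ASSET, LOGIN_PAGE)); // reported policy
console.log(imgAllowed("img-src 'self' http://localhost:8080", ASSET, LOGIN_PAGE)); // API origin listed
```

Under these assumptions the asset fails both listed sources: `'self'` because the origins differ, and `https://localhost` because the asset is plain `http` on port 8080.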
4 Replies
Ask Inkeep 3d ago

Hi @ostempel, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

I wasn't able to find a direct answer, here are some relevant sources:

1. [Configuration Options in ZITADEL] (1): Covers how to configure environment variables and runtime options for ZITADEL, including how environment variables are passed and how configuration is loaded, which may impact how CSP and allowed origins are set.
2. [Helm chart env values ignored] (2): Discusses issues with Helm chart deployments where environment variables are not properly propagated, which could explain why your CSP or allowed origins are not updating as expected.

To learn more, see the sources I considered:
[1] Configuration Options in ZITADEL
[2] Helm chart env values ignored

Feel free to tag @Ask Inkeep with additional questions.

Got it. Tagging @Rajat for additional help.
Rajat 3d ago

Hey @ostempel, thank you for your question. Changing logos should happen in real time. Just to be sure, can you please check if you are able to change the logo (top right settings -> scroll down to Branding) and see if you can achieve the same result or not? Thanks
ostempel (OP) 3d ago
@Rajat Hey thank you for the fast response. Still the same. On the logout I can see the logo, but if I go then to "Sign in" I get the normal placeholder and the csp issue in the console.
Rajat 3d ago

Hey @ostempel, does the behaviour ALSO exist the same while doing it via an incognito window too (via UI), correct? Could you please share your console and network tab screenshots? Thanks
