Hello everyone,

I was the author of the change in the Web Console. I apologize if my change
broke any functionality. I have created a JIRA issue
<https://issues.apache.org/jira/browse/AMQ-9739> for this. I believe I don't
have permission to assign the issue; could anyone assign it to me? I will
submit a pull request today.

The issue happens because of the "upgrade-insecure-requests" CSP
header, which tells the browser to automatically upgrade to HTTPS. Changing
the jetty.xml from

```
...
                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                    <property name="pattern" value="*"/>
                    <property name="name" value="Content-Security-Policy"/>
                    <property name="value" value="upgrade-insecure-requests; style-src-elem 'self'; style-src 'self'; img-src 'self'; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
                </bean>
                <!-- More relaxed rules to allow browsers to properly render XML -->
                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                    <property name="pattern" value="/admin/xml/*"/>
                    <property name="name" value="Content-Security-Policy"/>
                    <property name="value" value="upgrade-insecure-requests; style-src-elem 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
                </bean>
...
```

to

```
...
                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                    <property name="pattern" value="*"/>
                    <property name="name" value="Content-Security-Policy"/>
                    <property name="value" value="style-src-elem 'self'; style-src 'self'; img-src 'self'; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
                </bean>
                <!-- More relaxed rules to allow browsers to properly render XML -->
                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                    <property name="pattern" value="/admin/xml/*"/>
                    <property name="name" value="Content-Security-Policy"/>
                    <property name="value" value="style-src-elem 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
                </bean>
...
```

should solve the problem. Apparently Chrome handles this with no issues,
but I was able to reproduce it on Safari.

Regards,
Sérgio
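
A check for the condition described above, as an added example that is not part of the original message or the ActiveMQ code base: it reads `HeaderPatternRule` beans from a jetty.xml-style document and flags `upgrade-insecure-requests` when the console is served over plain HTTP. The sample XML is constructed from the rules quoted above, and `audit`, `console_scheme` and the other function names are this example's own.

```python
import xml.etree.ElementTree as ET
RULE = "org.eclipse.jetty.rewrite.handler.HeaderPatternRule"

# Constructed sample: first rule as in the "before" config, second as in the "after" (shortened).
SAMPLE = f"""<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="header" class="{RULE}">
    <property name="pattern" value="*"/>
    <property name="name" value="Content-Security-Policy"/>
    <property name="value" value="upgrade-insecure-requests; img-src 'self'; default-src 'none';"/>
  </bean>
  <bean id="header" class="{RULE}">
    <property name="pattern" value="/admin/xml/*"/>
    <property name="name" value="Content-Security-Policy"/>
    <property name="value" value="style-src-elem 'self' 'unsafe-inline'; img-src 'self' data:;"/>
  </bean>
</beans>"""

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def csp_rules(xml_text):
    """Return [(url_pattern, policy)] for every CSP HeaderPatternRule bean."""
    rules = []
    for bean in ET.fromstring(xml_text).iter():
        if not bean.tag.endswith("bean") or bean.get("class") != RULE:
            continue
        props = {p.get("name"): p.get("value") for p in bean}
        if (props.get("name") or "").lower() == "content-security-policy":
            rules.append((props.get("pattern"), parse_csp(props.get("value") or "")))
    return rules

def audit(xml_text, console_scheme="http"):
    """Flag rules that break a plain-HTTP console or loosen the policy.
    console_scheme is this example's own parameter (how the console is served)."""
    findings = []
    for pattern, policy in csp_rules(xml_text):
        if console_scheme == "http" and "upgrade-insecure-requests" in policy:
            findings.append((pattern, "upgrade-insecure-requests on HTTP-only listener"))
        for directive, sources in policy.items():
            if "'unsafe-inline'" in sources:
                findings.append((pattern, f"{directive} allows 'unsafe-inline'"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```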


On Thu, Jul 3, 2025 at 05:41, William Crowell
<wcrow...@perforce.com.invalid> wrote:

> JB,
>
> Thanks for your reply.  Is there any documentation on how to set this up?
> This was a bit of a surprise.
>
>
> Regards,
>
>
> William Crowell
>
>
>
> From: Jean-Baptiste Onofré <j...@nanthrax.net>
> Date: Thursday, July 3, 2025 at 7:56 AM
> To: wcrow...@perforce.com.invalid <wcrow...@perforce.com.INVALID>
> Cc: users@activemq.apache.org <users@activemq.apache.org>
> Subject: Re: What changed between ActiveMQ Classic 6.1.6 and 6.1.7 where
> the images do not show up on the web user interface?
>
> Hi
>
> This is due to new "security" enforcement added to the WebConsole.
>
> If you have "custom" images, then you have to update the configuration
> in the jetty.xml to allow this.
>
> Regards
> JB
>
> On Wed, Jul 2, 2025 at 6:37 PM William Crowell
> <wcrow...@perforce.com.invalid> wrote:
> >
> > Good afternoon,
> >
> > What changed between ActiveMQ Classic 6.1.6 and 6.1.7 where the images
> > do not show up on the web user interface?
> >
> > 6.1.7 release notes:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12355749
> >
> > I have changed jetty.xml (which is the only thing I have changed since
> > untarring apache-activemq-6.1.7-bin.tar.gz), so that the broker listens on
> > all IP addresses.  It appears that the images and .css are not rendering
> > correctly on the 8161 port management console, and everything seems to want
> > to use https.
> >
> > Was it this change?
> > https://issues.apache.org/jira/browse/AMQ-9697
> >
> > How do you fix this?
> >
> > Regards,
> >
> > William Crowell
> >
> >
> >
>