Hi Sergio- Thank you for monitoring the list and providing the fix. Are you able to make another PR for this fix?
Thanks,
Matt Pavlovich

> On Jul 3, 2025, at 1:14 PM, Sérgio Damo de Lemos <sergio.d.le...@gmail.com> wrote:
>
> Hello everyone,
>
> I was the author of the change in the Web Console. I apologize if my change
> broke any functionality. I have created a JIRA issue
> <https://issues.apache.org/jira/browse/AMQ-9739> for this, I believe I don't
> have permission to assign the issue, could anyone assign it to me? I will
> submit a pull request today.
>
> The issue happens because of the "upgrade-insecure-requests" CSP
> header, which tells the browser to automatically upgrade to HTTPS. Changing
> the jetty.xml from
>
> ```
> ...
> <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
>     <property name="pattern" value="*"/>
>     <property name="name" value="Content-Security-Policy"/>
>     <property name="value" value="upgrade-insecure-requests; style-src-elem 'self'; style-src 'self'; img-src 'self'; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> </bean>
> <!-- More relaxed rules to allow browsers to properly render XML -->
> <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
>     <property name="pattern" value="/admin/xml/*"/>
>     <property name="name" value="Content-Security-Policy"/>
>     <property name="value" value="upgrade-insecure-requests; style-src-elem 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> </bean>
> ...
> ```
>
> to
>
> ```
> ...
> <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
>     <property name="pattern" value="*"/>
>     <property name="name" value="Content-Security-Policy"/>
>     <property name="value" value="style-src-elem 'self'; style-src 'self'; img-src 'self'; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> </bean>
> <!-- More relaxed rules to allow browsers to properly render XML -->
> <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
>     <property name="pattern" value="/admin/xml/*"/>
>     <property name="name" value="Content-Security-Policy"/>
>     <property name="value" value="style-src-elem 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> </bean>
> ...
> ```
>
> Should solve the problem. Apparently Chrome handles this with no issues,
> but I was able to reproduce on Safari.
>
> Regards,
> Sérgio
>
>
> On Thu, Jul 3, 2025 at 05:41, William Crowell
> <wcrow...@perforce.com.invalid> wrote:
>
>> JB,
>>
>> Thanks for your reply. Is there any documentation on how to set this up?
>> This was a bit of a surprise.
>>
>> Regards,
>>
>> William Crowell
>>
>> From: Jean-Baptiste Onofré <j...@nanthrax.net>
>> Date: Thursday, July 3, 2025 at 7:56 AM
>> To: wcrow...@perforce.com.invalid <wcrow...@perforce.com.INVALID>
>> Cc: users@activemq.apache.org <users@activemq.apache.org>
>> Subject: Re: What changed between ActiveMQ Classic 6.1.6 and 6.1.7 where
>> the images do not show up on the web user interface?
>>
>> Hi
>>
>> This is due to new "security" enforcement added to the WebConsole.
>>
>> If you have "custom" images, then you have to update the configuration
>> in the jetty.xml to allow this.
>>
>> Regards
>> JB
>>
>> On Wed, Jul 2, 2025 at 6:37 PM William Crowell
>> <wcrow...@perforce.com.invalid> wrote:
>>>
>>> Good afternoon,
>>>
>>> What changed between ActiveMQ Classic 6.1.6 and 6.1.7 where the images
>>> do not show up on the web user interface?
>>>
>>> 6.1.7 release notes:
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12355749
>>>
>>> I have changed jetty.xml (which is the only thing I have changed since
>>> untarring apache-activemq-6.1.7-bin.tar.gz), so that the broker listens on
>>> all IP addresses. It appears that the images and .css are not rendering
>>> correctly on the 8161 port management console, and everything seems to want
>>> to use https.
>>>
>>> Was it this change?
>>> https://issues.apache.org/jira/browse/AMQ-9697
>>>
>>> How do you fix this?
>>>
>>> Regards,
>>>
>>> William Crowell
>>>
>>>
>>> This e-mail may contain information that is privileged or confidential.
>>> If you are not the intended recipient, please delete the e-mail and any
>>> attachments and notify us immediately.
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org
>> For additional commands, e-mail: users-h...@activemq.apache.org
>> For further information, visit: https://activemq.apache.org/contact
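
Added example (not part of the thread and not ActiveMQ code): a check that reads the HeaderPatternRule beans from two jetty.xml variants, reports which URL patterns send "upgrade-insecure-requests" while the console has no HTTPS listener, and confirms that the proposed change alters no other CSP directive. The function names, the https_enabled parameter and the XML fragments are constructed for illustration; the policy strings are the ones quoted above.

```python
import xml.etree.ElementTree as ET

RULE = "org.eclipse.jetty.rewrite.handler.HeaderPatternRule"
UIR = "upgrade-insecure-requests"

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def csp_rules(xml_text):
    """Map each HeaderPatternRule pattern to its parsed Content-Security-Policy."""
    rules = {}
    for el in ET.fromstring(xml_text).iter():
        # Compare local names so a Spring default namespace does not hide the beans.
        if el.tag.rsplit("}", 1)[-1] != "bean" or el.get("class") != RULE:
            continue
        props = {p.get("name"): p.get("value") for p in el}
        if (props.get("name") or "").lower() == "content-security-policy":
            rules[props.get("pattern")] = parse_csp(props.get("value") or "")
    return rules

def audit(before_xml, after_xml, https_enabled):
    """Return (patterns forcing HTTPS on an HTTP-only console, changed directives per pattern)."""
    before, after = csp_rules(before_xml), csp_rules(after_xml)
    forced = sorted(p for p, pol in before.items() if UIR in pol and not https_enabled)
    changed = {}
    for pattern in sorted(before.keys() | after.keys()):
        b, a = before.get(pattern, {}), after.get(pattern, {})
        delta = sorted(d for d in b.keys() | a.keys() if b.get(d) != a.get(d))
        if delta:
            changed[pattern] = delta
    return forced, changed

# Constructed fragments carrying the two policies quoted in the thread.
TAIL = ("script-src-elem 'self'; default-src 'none'; object-src 'none'; "
        "frame-ancestors 'none'; base-uri 'none';")
def fragment(prefix):
    bean = ('<bean id="header" class="%s"><property name="pattern" value="%s"/>'
            '<property name="name" value="Content-Security-Policy"/>'
            '<property name="value" value="%s"/></bean>')
    default = prefix + "style-src-elem 'self'; style-src 'self'; img-src 'self'; " + TAIL
    xml = prefix + ("style-src-elem 'self' 'unsafe-inline'; style-src 'self'; "
                    "img-src 'self' data:; ") + TAIL
    return "<beans>%s%s</beans>" % (bean % (RULE, "*", default), bean % (RULE, "/admin/xml/*", xml))
BEFORE, AFTER = fragment(UIR + "; "), fragment("")
```

Calling audit(BEFORE, AFTER, https_enabled=False) lists both patterns as forcing HTTPS and shows "upgrade-insecure-requests" as the only directive that differs, so the remaining restrictions in the policy are unchanged by the fix.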