I can't connect from WebOS Jellyfin

[walmer]

I attempted to connect my self-hosted Jellyfin server on the WebOS client, but after entering my address, I'm stuck on a screen with the Jellyfin background and nothing else(no buttons, text or anything, just the background with the app client colors).

Some informations:

• I'm using DuckDNS as a DNS provider for a local IP.
  
• I'm using Cosmos Server container inside Ubuntu Server, which has Let's Encrypt built-in.
  
• I can connect via browser, Windows client and iOS client.
  
• WebOS version is 1.2.2
  
• jellyfin version is 10.8.13
  

[TheDreadPirate]

Which reverse proxy does that use?

[walmer]

Which reverse proxy does that use?

I'm new to self-hosting, so I'm not very familiar with how the implementation or configuration of a reverse proxy works. When you ask 'Which reverse proxy does that use?', are you asking which application I use to set up the reverse proxy, such as Nginx? In this case, the Cosmos Server has a built-in reverse proxy. I can look into whether it uses any specific application, but I believe it was developed as its own integrated reverse proxy within the Cosmos Server. I've included an image of the configuration related to how the containers communicate internally, i'm not sure if this is related to the reverse proxy:

   

I'm really new to this subject. In this case, would you need any specific information about a reverse proxy configuration on the Cosmos Server?

[TheDreadPirate]

The reason I ask is because in apache and nginx there are optional configs that can break Jellyfin with WebOS, specifically. And I wonder if those options are enabled in whatever reverse proxy this Cosmos stuff is using.

https://jellyfin.org/docs/general/networking/nginx/

Code:

# Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    # NOTE: The default CSP headers may cause issues with the webOS app
    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-     inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

[walmer]

The reason I ask is because in apache and nginx there are optional configs that can break Jellyfin with WebOS, specifically.  And I wonder if those options are enabled in whatever reverse proxy this Cosmos stuff is using.

https://jellyfin.org/docs/general/networking/nginx/

I'll research if these options are enabled. If I manage to find out, I'll let you know what I've found and continue the thread.

[NeutralExcitement]

The reason I ask is because in apache and nginx there are optional configs that can break Jellyfin with WebOS, specifically.  And I wonder if those options are enabled in whatever reverse proxy this Cosmos stuff is using.

https://jellyfin.org/docs/general/networking/nginx/

Code:

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    # NOTE: The default CSP headers may cause issues with the webOS app
    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-    inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

I just ran into error code -27 while trying to connect on an LG webOS TV. This looks promising as a solution. Before I start digging into my nginx config, could you clear up some confusion for me?

I can't tell if the commented out CSP header is intended as a solution, or if it is offered as the default. Looking at the network tab in my browser, it doesn't look like I have any CSP at all presently, so that doesn't help me answer my own question.

If the commented out header is the default, where can I find the changes I should make for webOS?

If the commented out header is the fix, I will try it, but I do have a question. Why should we use unsafe-inline? Doing so without strict-dynamic mostly annuls the point of a CSP. For this case, I don't think I'm too worried, this is all for personal use. No one is going to be sending me links to my own site and Jellyfin doesn't look like it has much surface area for these kinds of attacks. So I'm not really that worried about XSS, but using a CSP just to put unsafe-inline still raises a red flag.

[TheDreadPirate]

We do not control how LG implements their software so the choices are, unfortunately, to reduce security or get an Android TV dongle, Apple TV, Firestick, or Roku instead.

[NeutralExcitement]

That's fair enough. So just to double check, that means the commented out header is what I should apply to allow connection on webOS?

[TheDreadPirate]

Correct.

[Ivan Greguric Ortolan]

We do not control how LG implements their software so the choices are, unfortunately, to reduce security or get an Android TV dongle, Apple TV, Firestick, or Roku instead.

To be honest it has nothing to do with LG, it simple browser security headers. The WebOS Jellyfin app uses iframes apparently to render the webpage and standard security headers recommended in the NGINX page cannot work.

I would assume the WebOS app is broken for everybody because of the probable changes that have been done in the index.html of Jellyfin recently

p.s. NeutralExcitement you can remove "frame-ancestor: 'self'" from the content security policy and it should work although there are still some issues in the CSP. To debug the app you can use ares-cli, it can start the inspector and you see exactly what is going wrong in you browser.