Unable to parse header from Nginx #3770

Closed
DamirRT opened this issue Mar 19, 2019 · 8 comments
DamirRT commented Mar 19, 2019

Actual behaviour

  • After typing the server address for login I got the Error-Msg: "Unbekannter Fehler: Unable to parse header: vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'"

Expected behaviour

  • Login should happen

Steps to reproduce

  1. Start App
  2. Hit "Anmelden"
  3. Type your server address -> Error-Msg

Environment data

Android version: 9

Device model: Oneplus 6

Stock or customized system: Stock

Nextcloud app version: 3.5.1

Nextcloud server version: 15.0.5

Web server (Nginx) header configuration with some hardenings

add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header Feature-Policy "accelerometer 'none'; autoplay 'self'; geolocation 'none'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self' https://         .eu; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'";

@DamirRT DamirRT added the bug label Mar 19, 2019
@nextcloud-android-bot
Collaborator

GitMate.io thinks possibly related issues are #569 (Unable to refresh), #2438 (Unable to Browse Phone Storage), #1842 (Unable to Upload file... ), #347 (Unable to download files), and #256 (Unable to move multiple files).

@tobiasKaminsky
Member

To be honest, I never saw these feature-policy…
Can you test if this is correctly configured, e.g. on https://securityheaders.com/?

If so, can you create us a test account, test if the problem occurs also there and if so send the credentials to tobias at nextcloud dot com with a reference to this issue?

@DamirRT
Author

DamirRT commented Mar 19, 2019

@tobiasKaminsky email sent

@WebSpider

Looking at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy this header is experimental and in the process of being incorporated into browsers.

@tobiasKaminsky
Member

tobiasKaminsky commented Mar 20, 2019

Our library refuses to work as it expects all headers to be in "key : value".
For your headers the colon is missing.
Is it possible/allowed to add them? e.g. vibrate: 'self'?

Edit: wrong idea.
The header looks like this
Feature-Policy: vibrate 'none'; geolocation 'none'

@tobiasKaminsky
Member

Somehow the header seems to be corrupt:
I do get this in two lines:
Feature-Policy: accelerometer 'none'; autoplay 'self'; geolocation 'none'; midi 'none'; notifications 'self'; push 'self';

sync-xhr 'self' https://url; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self';

But it should be only one…

Also with curl I cannot connect:

  • http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [feature-policy], value: [accelerometer 'none'; autoplay 'self'; geolocation 'none'; midi 'none'; notifications 'self'; push 'self';
    sync-xhr 'self' https://domain; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self';

Do you have a line break after push 'self'?

@DamirRT
Author

DamirRT commented Mar 20, 2019

@tobiasKaminsky yes, you are right, checked my header.config and there were two line breaks, fixed now.
I tested this with https://securityheaders.com/ and with the mobile app / desktop as well. All functional and working. :-)
Thx for your help && time. This Issue can be closed.

@DamirRT DamirRT closed this as completed Mar 20, 2019
@tobiasKaminsky
Member

Glad that we figured out the error.
I would have expected that securityheaders.com gives an error about this, like cURL is doing…
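
The root cause found in this thread, a line break inside a quoted `add_header` value, can be caught before a config is deployed. The following is an added example, not part of the original thread or of the Nextcloud project: a small Python check that tokenizes nginx configuration text and reports `add_header` directives whose value contains CR or LF. The function names and the sample config (with the placeholder host `cloud.example`) are constructed for illustration.

```python
import re

# One nginx token: comment, quoted string (may span lines), terminator, or bare word.
TOKEN = re.compile(r'''
    (?P<comment>\#[^\n]*)
  | (?P<dq>"(?:[^"\\]|\\.)*")
  | (?P<sq>'(?:[^'\\]|\\.)*')
  | (?P<punct>[;{}])
  | (?P<word>[^\s;{}"'\#]+)
''', re.VERBOSE | re.DOTALL)

# Constructed sample: the Feature-Policy value is broken across two lines,
# as in the configuration discussed in this thread.
SAMPLE = '''\
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;  # add_header X "commented
add_header Feature-Policy "accelerometer 'none'; push 'self';
sync-xhr 'self' https://cloud.example; usb 'none'";
'''


def directives(conf):
    """Yield (line_number, [args]) for every directive in nginx config text."""
    args, start = [], None
    for m in TOKEN.finditer(conf):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "punct":            # ';', '{' or '}' ends the current directive
            if args:
                yield start, args
            args, start = [], None
            continue
        if start is None:              # remember the line where the directive begins
            start = conf.count("\n", 0, m.start()) + 1
        args.append(text[1:-1] if kind in ("dq", "sq") else text)


def multiline_headers(conf):
    """Return [(line, header_name)] for add_header values containing CR or LF."""
    return [(line, a[1]) for line, a in directives(conf)
            if a[0] == "add_header" and len(a) >= 3 and re.search(r"[\r\n]", a[2])]


if __name__ == "__main__":
    for line, name in multiline_headers(SAMPLE):
        print(f"line {line}: add_header {name} value contains a line break")
```

Running it against the real include file (for example the header config mentioned above) alongside `nginx -t` helps, because `nginx -t` accepts a quoted value that spans lines.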
