CSP blocks path from server? #2791

Closed
fauno opened this issue Dec 20, 2016 · 9 comments
Labels: 0. Needs triage (Pending check for reproducibility or if it fits our roadmap), bug, needs info

Comments

fauno commented Dec 20, 2016

Steps to reproduce

  1. Open NC with the devtools open
  2. Message appears on console:
     Content Security Policy: The page’s settings blocked the loading of a resource at https://srv/http/HOSTNAMEdata/.ocdata?t=1482267011857 (“connect-src https://HOSTNAME”).
  3. Inspect page source:
     var oc_dataURL="/srv/http/HOSTNAMEdata";

Expected behaviour

?

Actual behaviour

There are several things happening:

  • It tries to load a file path as a URL "https://srv/http/HOSTNAMEdata/.ocdata?t=1482267011857"

  • The path is missing a slash between HOSTNAME and data: "/srv/http/HOSTNAMEdata" should be "/srv/http/HOSTNAME/data"

  • I don't think I have anything on my config that points to this path, in fact the path is missing a directory between HOSTNAME and data

  • Why is it printing the working dir to the public anyway?

Server configuration

Operating system: Debian Jessie

Web server: Nginx

Database: MariaDB

PHP version: 5.6.27

Nextcloud version: 11.0.0

Updated from an older Nextcloud/ownCloud or fresh install: updated from 10.0.1

Where did you install Nextcloud from: downloaded tarball

Signing status:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- gallery
	- EXTRA_FILE
		- l10n/ro.php
		- l10n/ast.php

Raw output
==========
Array
(
    [gallery] => Array
        (
            [EXTRA_FILE] => Array
                (
                    [l10n/ro.php] => Array
                        (
                            [expected] => 
                            [current] => 8dd6a2a96005253992937e69f5d354c12dd30ad73a87aacca873e88853df757d344cfc29da0b4de013366e35bb79242623bf4546f5f65a6e4d3637e4ddd0ff02
                        )

                    [l10n/ast.php] => Array
                        (
                            [expected] => 
                            [current] => c7d0b80a8c56f8873136aa8a525dfe5c146b629916fd4d6b3401265fddb1eb3191e95e1ce31f7042e781e20c23907ccdcbf3b5e502f9070064fbc0f5c60a9283
                        )

                )

        )

)

List of activated apps:

Enabled:
  - activity: 2.4.1
  - calendar: 1.4.1
  - comments: 1.1.0
  - contacts: 1.5.2
  - dav: 1.1.1
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - tasks: 0.9.4
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - user_external: 0.4
  - workflowengine: 1.1.1
Disabled:
  - admin_audit
  - encryption
  - external
  - files_accesscontrol
  - files_automatedtagging
  - files_external
  - files_retention
  - templateeditor
  - user_ldap
  - user_saml

The content of config/config.php:

{
    "system": {
        "asset-pipeline.enabled": true,
        "default_language": "en",
        "mail_from_address": "HOSTNAME",
        "mail_smtpmode": "php",
        "mail_domain": "HOSTNAME",
        "user_backends": [
            {
                "class": "OC_User_IMAP",
                "arguments": [
                    "{HOSTNAME:993\/imap\/ssl\/novalidate-cert}"
                ]
            }
        ],
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "\/srv\/http\/HOSTNAME\/pub\/data",
        "overwrite.cli.url": "https:\/\/HOSTNAME",
        "dbtype": "mysql",
        "version": "11.0.0.10",
        "dbname": "HOSTNAME",
        "dbhost": "127.0.0.1",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "instanceid": "ocd6tg26vyo4",
        "defaultapp": "calendar",
        "theme": "HOSTNAME",
        "loglevel": 0,
        "maintenance": false,
        "debug": false,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "127.0.0.1",
            "port": 6379
        },
        "trusted_domains": [
            "HOSTNAME"
        ]
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "2.4.1",
            "types": "filesystem"
        },
        "announce": {
            "installed_version": "1.2.0",
            "ocsid": "173921"
        },
        "announcementcenter": {
            "enabled": "no",
            "types": ""
        },
        "backgroundjob": {
            "lastjob": "2"
        },
        "bookmarks": {
            "enabled": "no",
            "installed_version": "0.8",
            "ocsid": "168710",
            "types": ""
        },
        "calendar": {
            "enabled": "yes",
            "installed_version": "1.4.1",
            "ocsid": "168707",
            "signed": "true",
            "types": ""
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "1.1.0",
            "types": "logging"
        },
        "contacts": {
            "enabled": "yes",
            "installed_version": "1.5.2",
            "ocsid": "168708",
            "types": ""
        },
        "conversations": {
            "conf": "a:1:{s:5:\"rooms\";a:1:{s:11:\"group:admin\";a:1:{s:5:\"wtime\";i:1462390573;}}}",
            "enabled": "no",
            "installed_version": "0.2.2",
            "types": ""
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "installedat": "1446060718.4914",
            "lastcron": "1482267610",
            "lastupdateResult": "[]",
            "lastupdatedat": "1482266777",
            "moveavatarsdone": "yes",
            "oc.integritycheck.checker": "{\"gallery\":{\"EXTRA_FILE\":{\"l10n\\\/ro.php\":{\"expected\":\"\",\"current\":\"8dd6a2a96005253992937e69f5d354c12dd30ad73a87aacca873e88853df757d344cfc29da0b4de013366e35bb79242623bf4546f5f65a6e4d3637e4ddd0ff02\"},\"l10n\\\/ast.php\":{\"expected\":\"\",\"current\":\"c7d0b80a8c56f8873136aa8a525dfe5c146b629916fd4d6b3401265fddb1eb3191e95e1ce31f7042e781e20c23907ccdcbf3b5e502f9070064fbc0f5c60a9283\"}}}}",
            "previewsCleanedUp": "1",
            "public_caldav": "calendar\/share.php",
            "public_calendar": "calendar\/share.php",
            "public_documents": "documents\/public.php",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "remote_caldav": "dav\/appinfo\/v1\/caldav.php",
            "remote_calendar": "dav\/appinfo\/v1\/caldav.php",
            "remote_carddav": "dav\/appinfo\/v1\/carddav.php",
            "remote_contacts": "dav\/appinfo\/v1\/carddav.php",
            "remote_dav": "dav\/appinfo\/v2\/remote.php",
            "remote_files": "dav\/appinfo\/v1\/webdav.php",
            "remote_webdav": "dav\/appinfo\/v1\/webdav.php",
            "repairlegacystoragesdone": "yes",
            "shareapi_enforce_links_password": "no",
            "umgmt_show_storage_location": "true",
            "vendor": "nextcloud"
        },
        "dav": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": "filesystem"
        },
        "documents": {
            "enabled": "no",
            "installed_version": "0.13.1",
            "ocsid": "168711",
            "types": ""
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": ""
        },
        "federation": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "default_quota": "200 MB",
            "enabled": "yes",
            "installed_version": "1.6.1",
            "types": "filesystem"
        },
        "files_pdfviewer": {
            "enabled": "yes",
            "installed_version": "1.0.1",
            "ocsid": "166049",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": "filesystem"
        },
        "files_texteditor": {
            "enabled": "yes",
            "installed_version": "2.2",
            "ocsid": "166051",
            "types": ""
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "1.1.0",
            "types": "filesystem"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.4.0",
            "types": "filesystem"
        },
        "files_videoplayer": {
            "enabled": "yes",
            "installed_version": "1.0.0",
            "types": ""
        },
        "firstrunwizard": {
            "enabled": "yes",
            "installed_version": "2.0",
            "types": "logging"
        },
        "gallery": {
            "enabled": "yes",
            "installed_version": "16.0.0",
            "types": ""
        },
        "gallery-master": {
            "enabled": "no",
            "installed_version": "15.0.0"
        },
        "logreader": {
            "enabled": "yes",
            "installed_version": "2.0.0",
            "ocsid": "170871",
            "types": ""
        },
        "lookup_server_connector": {
            "enabled": "yes",
            "installed_version": "1.0.0",
            "types": "authentication"
        },
        "mail": {
            "enabled": "no",
            "installed_version": "0.5.2",
            "ocsid": "169914",
            "signed": "true",
            "types": ""
        },
        "nextcloud_announcements": {
            "enabled": "yes",
            "installed_version": "1.0",
            "pub_date": "Sat, 10 Dec 2016 00:00:00 +0100",
            "types": "logging"
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "1.0.1",
            "types": "logging"
        },
        "ownpad": {
            "enabled": "yes",
            "installed_version": "0.5.7",
            "ocsid": "174679",
            "ownpad_ethercalc_enable": "no",
            "ownpad_etherpad_enable": "yes",
            "ownpad_etherpad_host": "https:\/\/HOSTNAME",
            "types": ""
        },
        "password_policy": {
            "enabled": "yes",
            "installed_version": "1.1.0",
            "types": ""
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "1.1.0",
            "types": "prevent_group_restriction"
        },
        "serverinfo": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": ""
        },
        "sharebymail": {
            "enabled": "yes",
            "installed_version": "1.0.1",
            "types": "filesystem"
        },
        "survey_client": {
            "enabled": "yes",
            "installed_version": "0.1.5",
            "types": ""
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "1.1.3",
            "types": "logging"
        },
        "tasks": {
            "enabled": "yes",
            "installed_version": "0.9.4",
            "ocsid": "164356",
            "types": ""
        },
        "theming": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": "logging"
        },
        "twofactor_backupcodes": {
            "enabled": "yes",
            "installed_version": "1.0.0",
            "types": ""
        },
        "updatenotification": {
            "calendar": "1.4.1",
            "contacts": "1.5.1",
            "core": "9.1.2.2",
            "documents": "0.13.1",
            "enabled": "yes",
            "installed_version": "1.1.1",
            "ownpad": "0.5.6",
            "tasks": "0.9.4",
            "types": ""
        },
        "user_external": {
            "enabled": "yes",
            "installed_version": "0.4",
            "ocsid": "166060",
            "types": "authentication,prelogin"
        },
        "workflowengine": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": "filesystem"
        }
    }
}

Are you using external storage, if yes which one: none

Are you using encryption: no

Are you using an external user-backend, if yes which one: IMAP

Client configuration

Browser: Iceweasel 50.0.2

Operating system: Parabola GNU/Linux (Arch-like)

@MorrisJobke (Member)

cc @LukasReschke

@LukasReschke (Member)

CSP is doing the right thing here. The bug seems to be that the data directory is actually printed wrongly. Let me think about that.

@LukasReschke LukasReschke self-assigned this Dec 21, 2016

agowa commented Jan 25, 2017

This also happens if you have specified the URLs "www.example.com" and "example.com" in your configuration. Nextcloud is sometimes trying to access the domain with ID 0, so CSP is blocking it.


tohn commented Jun 21, 2017

I also have this problem if I use more than one domain. The second and third domains don't load the background and logo (in Browser: nextcloud.example.info):

Refused to load the image 'https://nextcloud.example.org/index.php/apps/theming/loginbackground?v=19' because it violates the following Content Security Policy directive: "img-src 'self' data: blob:".

Refused to load the image 'https://nextcloud.example.org/core/img/logo.svg?v=19' because it violates the following Content Security Policy directive: "img-src 'self' data: blob:".
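The two kinds of violation quoted in this thread (the data-directory check from the original report and the theming assets from the multi-domain comments), reproduced with Node's WHATWG URL parser. This is an added example, not code from Nextcloud or from anyone in the thread. It assumes that the data-directory check builds its request as webroot + '/' + oc_dataURL + '/.ocdata' (an assumption, but one consistent with the URL in the console message), reuses the placeholder host names from the reports, and implements only the CSP source kinds that appear on this page ('self', scheme sources, host sources).

```javascript
// Added example; not code from the Nextcloud project or from anyone in this
// thread. Reproduces the CSP violations quoted above with Node's URL parser
// and shows why the first one targets a foreign host. Assumptions are marked.

// Resolve a reference the way a browser does for a page at pageUrl. CSP is
// evaluated against the resolved request URL, not against the raw string.
// Note that the parser lowercases host names ("HOSTNAME" -> "hostname").
function resolveRequest(pageUrl, reference) {
  return new URL(reference, pageUrl).href;
}

// Minimal CSP source-list matcher for the source kinds seen on this page:
// 'self', scheme sources (data:, blob:) and host sources such as
// https://HOSTNAME. Wildcards, nonces and hashes are out of scope.
function cspAllows(directiveValue, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  return directiveValue.trim().split(/\s+/).some((src) => {
    if (src === "'self'") return req.origin === page.origin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return req.protocol === src.toLowerCase();
    const host = new URL(src.includes('://') ? src : `${page.protocol}//${src}`);
    return req.protocol === host.protocol && req.host === host.host;
  });
}

// Case 1 (the issue report). Assumption: the data-directory check builds its
// request as webroot + '/' + oc_dataURL + '/.ocdata', which matches the URL in
// the console message. With an empty webroot and an absolute filesystem path
// in oc_dataURL the reference starts with "//", which browsers parse as
// scheme-relative: "srv" becomes the host name and the request leaves 'self'.
function dataDirCheckUrl(webroot, ocDataURL) {
  const reference = `${webroot}/${ocDataURL}/.ocdata?t=1482267011857`;
  return resolveRequest('https://HOSTNAME/index.php/apps/files/', reference);
}

// Case 2 (the multi-domain comments): a theming asset referenced with the
// first trusted domain while the user is browsing another one.
function logoAllowed(pageUrl) {
  return cspAllows("'self' data: blob:", pageUrl,
    'https://nextcloud.example.org/core/img/logo.svg?v=19');
}

// Evaluate every case from the thread plus a relative oc_dataURL for contrast.
function report() {
  const leaked = dataDirCheckUrl('', '/srv/http/HOSTNAMEdata');
  const relative = dataDirCheckUrl('', 'data');
  return {
    leakedPathRequest: leaked,
    leakedPathAllowed: cspAllows('https://HOSTNAME', 'https://HOSTNAME/', leaked),
    relativePathRequest: relative,
    relativePathAllowed: cspAllows('https://HOSTNAME', 'https://HOSTNAME/', relative),
    logoOnFirstDomain: logoAllowed('https://nextcloud.example.org/'),
    logoOnSecondDomain: logoAllowed('https://nextcloud.example.info/'),
    dataUriAllowed: cspAllows("'self' data: blob:", 'https://nextcloud.example.info/',
      'data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%2F%3E'),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

The matcher is intentionally small: it is enough to show that the first violation is a request to host `srv` (a scheme-relative URL built from a filesystem path), which `connect-src https://HOSTNAME` correctly refuses, and that `img-src 'self'` on one trusted domain can never admit an asset addressed with another trusted domain, whatever the Apache or Nginx front end does.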


agowa commented Jul 2, 2017

Workaround:
Effectively this is doing:

  • Rewrite the URL to always start with www
  • Define your own Content-Security-Policy
  • Strip the Content-Security-Policy of Nextcloud
  • Also all other headers are stripped from Nextcloud
  • Define X-Content-Type-Options, X-Frame-Options, Referrer-Policy and X-XSS-Protection for the complete virtualhost (in case Nextcloud is not the only thing on this server).

Put the following into your apache virtualhost configuration:

RewriteEngine on
# Send every request to the www host so page and assets share one origin
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}$1 [R=301,L]
# "always" puts these into mod_headers' always table; the plain unsets below do not touch that table
Header always set Strict-Transport-Security "max-age=15768000;includeSubdomains;preload"
Header always set Content-Security-Policy "default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;font-src 'self' data:"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "sameorigin"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-XSS-Protection "1; mode=block"
<Directory />
    #Options FollowSymLinks
    #AllowOverride All
    # Drop the copies Nextcloud sets itself so only the headers above reach the client
    Header unset "X-Content-Type-Options"
    Header unset "X-Frame-Options"
    Header unset "X-XSS-Protection"
    Header unset "Public-Key-Pins"
    Header unset "Content-Security-Policy"
    Header unset "Strict-Transport-Security"
    Header unset "Referrer-Policy"
</Directory>

also adding this wouldn't be such a bad idea:

<Location /nextcloud/ocs/v2.php/apps/serverinfo/api/v1/info>
    Require all denied
</Location>
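A check worth running after applying an override like the one above, as an added example that is not part of the thread or of Nextcloud: it audits the headers a client actually received, flagging a Content-Security-Policy that arrives twice (browsers enforce every CSP header they receive, so the application's policy and the override would both apply and each fetch must satisfy both) and a script-src relaxed with 'unsafe-inline' or 'unsafe-eval'. The two responses it runs on are constructed for the example; the stand-in application policy with 'nonce-EXAMPLE' is not Nextcloud's real policy.

```javascript
// Added example; not code from the thread or from Nextcloud. Audits a raw
// response-header block for duplicated security headers and a weakened CSP.
// In practice feed it the output of `curl -sI https://www.example.com/nextcloud/`.

// Headers that should reach the browser exactly once.
const EXPECTED_ONCE = ['content-security-policy', 'strict-transport-security',
  'x-frame-options', 'x-content-type-options', 'referrer-policy'];

// Parse a raw "curl -i" style header block into [name, value] pairs,
// keeping duplicates (HTTP permits a field to repeat).
function parseHeaders(raw) {
  return raw.split(/\r?\n/)
    .filter((line) => line.includes(':') && !/^HTTP\//.test(line))
    .map((line) => {
      const i = line.indexOf(':');
      return [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()];
    });
}

// Split one CSP string into a directive map: name -> list of sources.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return a list of findings; an empty list means the override landed cleanly.
function auditSecurityHeaders(raw) {
  const findings = [];
  const byName = {};
  for (const [name, value] of parseHeaders(raw)) {
    (byName[name] = byName[name] || []).push(value);
  }
  for (const name of EXPECTED_ONCE) {
    const n = (byName[name] || []).length;
    if (n === 0) findings.push(`${name}: missing`);
    if (n > 1) findings.push(`${name}: sent ${n} times; a browser enforces all of them`);
  }
  for (const policy of byName['content-security-policy'] || []) {
    const d = parseCsp(policy);
    const script = d['script-src'] || d['default-src'] || [];
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (script.includes(weak)) findings.push(`script-src allows ${weak}`);
    }
    if (!d['frame-ancestors']) findings.push('frame-ancestors missing from a policy');
  }
  return findings;
}

// Constructed: the override's headers plus a stand-in for the application's
// own policy, i.e. what you see when the "Header unset" lines did not take effect.
const RESPONSE_WITH_BOTH_POLICIES = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=UTF-8',
  'Strict-Transport-Security: max-age=15768000;includeSubdomains;preload',
  "Content-Security-Policy: default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;font-src 'self' data:",
  "Content-Security-Policy: default-src 'self';script-src 'self' 'nonce-EXAMPLE';img-src 'self' data: blob:",
  'X-Content-Type-Options: nosniff',
  'X-Frame-Options: sameorigin',
  'Referrer-Policy: strict-origin-when-cross-origin',
  'X-XSS-Protection: 1; mode=block',
].join('\r\n');

// Constructed: the same response once only the override's headers remain.
const RESPONSE_OVERRIDE_ONLY = RESPONSE_WITH_BOTH_POLICIES
  .split('\r\n')
  .filter((line) => !line.includes("'nonce-EXAMPLE'"))
  .join('\r\n');

console.log('both policies :', auditSecurityHeaders(RESPONSE_WITH_BOTH_POLICIES));
console.log('override only :', auditSecurityHeaders(RESPONSE_OVERRIDE_ONLY));
```

Even when the override lands cleanly the audit still reports the two script-src findings: 'unsafe-inline' and 'unsafe-eval' in the replacement policy give up most of what a CSP buys against injected script, so treat that part of the workaround as a trade-off rather than as a hardening step.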


hukoeth commented Nov 29, 2018

Reading about all the issues around CSP (and a few other header warnings for that matter), would it not make sense to have this behaviour configurable? While it is great that Nextcloud actually cares about this, I'm sure that there are a lot of people out there (like me) who use security headers across the board and use Apache to serve more than just Nextcloud. Maybe a setting in config.php to disable header setting in Nextcloud?

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Nov 29, 2018
@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Jun 12, 2019
@skjnldsv skjnldsv added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Aug 20, 2020
@skjnldsv (Member)

cc @rullzer @MorrisJobke

szaimen (Contributor) commented Nov 26, 2022

Hi, please update to at least 23.0.12 and report back if it fixes the issue. Thank you!

@szaimen szaimen added needs info 0. Needs triage Pending check for reproducibility or if it fits our roadmap and removed 1. to develop Accepted and waiting to be taken care of labels Nov 26, 2022

agowa commented Dec 14, 2022

any status update?

9 participants