CSP blocks path from server? #2791
Comments
CSP is doing the right thing here. The bug seems to be that the data directory is actually printed wrongly. Let me think about that. |
This also happens if you have specified the URLs "www.example.com" and "example.com" in your configuration. Nextcloud is sometimes trying to access the domain with ID 0, so CSP is blocking it. |
I also have this problem if I use more than one domain. The second and third domains don't load the background and logo (in Browser:
|
Workaround:
Put the following into your Apache virtual host configuration:
Also, adding this wouldn't be such a bad idea:
|
Reading about all the issues around CSP (and a few other header warnings for that matter), would it not make sense to have this behaviour configurable? While it is great that Nextcloud actually cares about this, I'm sure that there are a lot of people out there (like me) who use security headers across the board and use Apache to serve more than just Nextcloud. Maybe a setting in config.php to disable header setting in Nextcloud? |
Hi, please update to at least 23.0.12 and report back if it fixes the issue. Thank you! |
Any status update? |
Steps to reproduce
Expected behaviour
?
Actual behaviour
There are several things happening:
It tries to load a file path as a URL "https://srv/http/HOSTNAMEdata/.ocdata?t=1482267011857"
The path is missing a slash between HOSTNAME and data "/srv/http/HOSTNAME/data" should be "/srv/http/HOSTNAME/data"
I don't think I have anything in my config that points to this path; in fact, the path is missing a directory between HOSTNAME and data.
Why is it printing the working dir to the public anyway?
Server configuration
Operating system: Debian Jessie
Web server: Nginx
Database: MariaDB
PHP version: 5.6.27
Nextcloud version: 11.0.0
Updated from an older Nextcloud/ownCloud or fresh install: updated from 10.0.1
Where did you install Nextcloud from: downloaded tarball
Signing status:
Signing status
List of activated apps:
App list
The content of config/config.php:
Config report
Are you using external storage, if yes which one: none
Are you using encryption: no
Are you using an external user-backend, if yes which one: IMAP
Client configuration
Browser: Iceweasel 50.0.2
Operating system: Parabola GNU/Linux (Arch-like)
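
The two situations described in this thread (a page served from one configured domain requesting a URL on another, and a file path turned into a URL whose host is `srv`) can be checked with a simplified CSP source matcher. This is an added example, not code from the thread or from Nextcloud; the policy string, the `example.com` page URL and the choice of `connect-src` for the `.ocdata` request are assumptions made for illustration.

```javascript
// Added example, not Nextcloud code: simplified CSP source-list matching.
// No paths, nonces or hashes; 'self' is a strict same-origin comparison.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || "";

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function matchesSource(source, target, page) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === page.origin;
  if (src === "*") return ["http:", "https:"].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src; // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false; // unsupported expression
  const [, scheme, wildcard, host, port] = m;
  // A host source without a scheme is checked against the page's scheme.
  if (target.protocol !== (scheme ? scheme + ":" : page.protocol)) return false;
  // "*.example.com" matches subdomains only, never the bare "example.com".
  const hostOk = wildcard ? target.hostname.endsWith("." + host) : target.hostname === host;
  const portOk = port === "*" || portOf(target) === (port || DEFAULT_PORT[target.protocol]);
  return hostOk && portOk;
}

// Decide whether `pageUrl` may request `requestUrl` under `directive`.
function checkRequest(header, pageUrl, directive, requestUrl) {
  const policy = parsePolicy(header);
  const page = new URL(pageUrl);
  const target = new URL(requestUrl, page);
  // Fetch directives fall back to default-src when not listed.
  const used = policy.has(directive) ? directive : policy.has("default-src") ? "default-src" : null;
  const allowed = used === null || policy.get(used).some((s) => matchesSource(s, target, page));
  return { allowed, directive: used, host: target.hostname };
}

// Constructed policy and hostnames; not the header Nextcloud actually sends.
const POLICY = "default-src 'none'; connect-src 'self'; img-src 'self' data:";
const PAGE = "https://www.example.com/index.php/settings/admin";
for (const url of ["https://www.example.com/data/.ocdata", "https://example.com/data/.ocdata",
                   "https://srv/http/HOSTNAMEdata/.ocdata?t=1482267011857"]) {
  console.log(url, checkRequest(POLICY, PAGE, "connect-src", url));
}
```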