[13beta4] CSP is blocking icons #7721

Closed
enoch85 opened this issue Jan 6, 2018 · 8 comments · Fixed by #7756

Comments

@enoch85
Member

enoch85 commented Jan 6, 2018

Steps to reproduce

  1. As per recommendation in the theming app:
    apt-get install \
    php-imagick \
    libmagickcore-6.q16-2-extra
  2. service apache2 restart

Expected behaviour

All icons should be visible

Actual behaviour

Some icons are blocked by CSP. https://i.imgur.com/cyVqqs7.png

Server configuration detail

Operating system: Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64

Webserver: Apache/2.4.18 (Ubuntu) (apache2handler)

Database: pgsql PostgreSQL 9.6.6 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609, 64-bit

PHP version: 7.0.22-0ubuntu0.16.04.1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, imagick, imap, intl, json, ldap, exif, mcrypt, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, readline, redis, shmop, SimpleXML, smbclient, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, libsmbclient, Zend OPcache

Nextcloud version: 13.0.0 Beta 4 - 13.0.0.9

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array

List of activated apps
Enabled:
 - activity: 2.6.1
 - admin_notifications: 1.0.1
 - bruteforcesettings: 1.0.3
 - calendar: 1.5.7
 - comments: 1.3.0
 - contacts: 2.0.1
 - dav: 1.4.6
 - federatedfilesharing: 1.3.1
 - federation: 1.3.0
 - files: 1.8.0
 - files_downloadactivity: 1.2.0
 - files_pdfviewer: 1.2.0
 - files_sharing: 1.5.0
 - files_texteditor: 2.5.1
 - files_trashbin: 1.3.0
 - files_versions: 1.6.0
 - files_videoplayer: 1.2.0
 - firstrunwizard: 2.2.1
 - gallery: 18.0.0
 - impersonate: 1.0.2
 - issuetemplate: 0.3.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.1.0
 - mail: 0.7.6
 - nextcloud_announcements: 1.2.0
 - notes: 2.3.2
 - notifications: 2.1.2
 - oauth2: 1.1.0
 - ocsms: 1.12.2
 - password_policy: 1.3.0
 - previewgenerator: 1.0.9
 - provisioning_api: 1.3.0
 - qownnotesapi: 17.5.0
 - richdocuments: 1.12.39
 - serverinfo: 1.3.0
 - sharebymail: 1.3.0
 - socialsharing_diaspora: 1.0.2
 - socialsharing_email: 1.0.3
 - socialsharing_facebook: 1.0.2
 - socialsharing_googleplus: 1.0.2
 - socialsharing_twitter: 1.0.2
 - survey_client: 1.1.0
 - systemtags: 1.3.0
 - theming: 1.4.1
 - twofactor_backupcodes: 1.2.3
 - twofactor_totp: 1.4.0
 - updatenotification: 1.3.0
 - workflowengine: 1.3.0
Disabled:
 - admin_audit
 - encryption
 - files_external
 - user_external
 - user_ldap

Configuration (config/config.php)
{
    "updatechecker": false,
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "192.168.20.11",
        "cloud.techandme.se",
        "office.techandme.se"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/cloud.techandme.se\/",
    "dbtype": "pgsql",
    "version": "13.0.0.9",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "logtimezone": "Europe\/Stockholm",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_smtpauth": 1,
    "mail_smtpport": "587",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "allowZipDownload": true,
    "session_lifetime": 1800,
    "forcessl": true,
    "logfile": "\/var\/log\/nfs-share\/nextcloud.log",
    "loglevel": 2,
    "memcache.local": "\\OC\\Memcache\\Redis",
    "filelocking.enabled": true,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 0,
        "timeout": 0,
        "dbindex": 0
    },
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "forwarded_for_headers": [
        "HTTP_X_FORWARDED",
        "HTTP_FORWARDED_FOR"
    ],
    "maintenance": false,
    "mail_smtpsecure": "tls",
    "htaccess.RewriteBase": "\/",
    "theme": "",
    "updater.release.channel": "stable",
    "trashbin_retention_obligation": "auto, 30",
    "activity_expire_days": 60
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this part if not used)
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0

Operating system:

Logs

Browser log
Insert your webserver log here 
Nextcloud log
Insert your Nextcloud log here

Error | PHP | Invalid argument supplied for foreach() at /var/www/nextcloud/lib/private/Installer.php#406 | 2018-01-06T16:53:56+0100
-- | -- | -- | --
Error | PHP | Method OC\L10N\L10NString::__toString() must return a string value at /var/www/nextcloud/lib/private/L10N/L10N.php#88 | 2018-01-06T16:53:53+0100
Error | PHP | vsprintf(): Too few arguments at /var/www/nextcloud/lib/private/L10N/L10NString.php#79 | 2018-01-06T16:53:53+0100
Error | index | Doctrine\DBAL\Exception\UniqueConstraintViolationException: An  exception occurred while executing 'INSERT INTO "oc_filecache"  ("mimepart","mimetype","mtime","size","etag","storage_mtime","permissions","parent","checksum","path_hash","path","name","storage")  SELECT ?,?,?,?,?,?,?,?,?,?,?,?,? FROM "oc_filecache" WHERE "storage" = ?  AND "path_hash" = ? HAVING COUNT(*) = 0' with params [1, 2, 1515253960,  -1, "5a50f0c8bb20e", 1515253960, 31, 1357302, "",  "2e60c2cc9130ce58d4f1d36ec967910d", "appdata_oc7aii0tkiol\/theming\/15",  "15", 105, 105, "2e60c2cc9130ce58d4f1d36ec967910d"]:  SQLSTATE[23505]: Unique violation: 7 ERROR:  duplicate key value  violates unique constraint "fs_storage_path_hash" DETAIL:  Key (storage, path_hash)=(105,  2e60c2cc9130ce58d4f1d36ec967910d) already exists. | 2018-01-06T16:52:41+0100
Error | PHP | rmdir(/var/ncdata/appdata_oc7aii0tkiol/theming/11):  No such file or directory at  /var/www/nextcloud/lib/private/Files/Storage/Local.php#116 | 2018-01-06T16:52:41+0100
Error | PHP | unlink(/var/ncdata/appdata_oc7aii0tkiol/theming/11/icon-core-filetypes_text-vcard.svg):  No such file or directory at  /var/www/nextcloud/lib/private/Files/Storage/Local.php#112 | 2018-01-06T16:52:41+0100
Error | PHP | unlink(/var/ncdata/appdata_oc7aii0tkiol/theming/11/icon-core-filetypes_application-pdf.svg):  No such file or directory at  /var/www/nextcloud/lib/private/Files/Storage/Local.php#112 | 2018-01-06T16:52:40+0100
Error | PHP | unlink(/var/ncdata/appdata_oc7aii0tkiol/theming/11/icon-core-filetypes_x-office-spreadsheet.svg):  No such file or directory at  /var/www/nextcloud/lib/private/Files/Storage/Local.php#112 | 2018-01-06T16:52:40+0100

Browser log
Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'nonce-dlB0S1R0UnUwSDJra2o4SFlwWFZCTVlETlY1Mi9KRi9DNDQ3cDlVYXBVYz06ME1rWUo1a0JoRGJPdVZrL0VkbTlNcWxsY0FvWWh0UVNiTGwza1k5YzNTUT0=' 'unsafe-eval'”). Source: ;!function(){var t=0,e=function(t,e){ret....
theming:1
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'nonce-dlB0S1R0UnUwSDJra2o4SFlwWFZCTVlETlY1Mi9KRi9DNDQ3cDlVYXBVYz06ME1rWUo1a0JoRGJPdVZrL0VkbTlNcWxsY0FvWWh0UVNiTGwza1k5YzNTUT0=' 'unsafe-eval'”). Source: ( function () { try {

(function injectP....
theming:1
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'nonce-dlB0S1R0UnUwSDJra2o4SFlwWFZCTVlETlY1Mi9KRi9DNDQ3cDlVYXBVYz06ME1rWUo1a0JoRGJPdVZrL0VkbTlNcWxsY0FvWWh0UVNiTGwza1k5YzNTUT0=' 'unsafe-eval'”). Source: ( function () { try {

var AG_onLoad=fun....
theming:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/img/actions/more-white.svg?v=1 (“img-src https://cloud.techandme.se data: blob:”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/img/actions/search-white.svg?v=1 (“img-src https://cloud.techandme.se data: blob:”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/img/places/contacts.svg?v=1 (“img-src https://cloud.techandme.se data: blob:”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/img/actions/history.svg?v=1 (“img-src https://cloud.techandme.se data: blob:”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/img/actions/upload.svg?v=1 (“img-src https://cloud.techandme.se data: blob:”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/img/actions/delete.svg?v=1 (“img-src https://cloud.techandme.se data: blob:”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/fonts/OpenSans-Regular.woff (“font-src https://cloud.techandme.se”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/fonts/OpenSans-Semibold.woff (“font-src https://cloud.techandme.se”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/fonts/OpenSans-Light.woff (“font-src https://cloud.techandme.se”).
JQMIGRATE: Migrate is installed, version 1.4.0
core.js:7:542
Source map error: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data
Resource URL: https://cloud.techandme.se/core/vendor/core.js?v=04d62305-15
Source Map URL: purify.min.js.map
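
The browser log in the report above, triaged as an added example (not part of the original issue and not Nextcloud code): it parses Firefox CSP console messages and separates blocked inline scripts from blocked URLs whose host is an application path segment such as `core`. The sample lines are constructed in the format of the log above, `'nonce-EXAMPLE'` is a placeholder, and `app_path_segments` is a hypothetical parameter.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the format of the Firefox console lines in the report;
# 'nonce-EXAMPLE' is a placeholder, not a real nonce.
SAMPLE_LOG = """\
Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'nonce-EXAMPLE' 'unsafe-eval'”). Source: ( function () { try {
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/img/actions/more-white.svg?v=1 (“img-src https://cloud.techandme.se data: blob:”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://core/fonts/OpenSans-Regular.woff (“font-src https://cloud.techandme.se”).
"""

# Captures: blocked target, violated directive, that directive's source list.
VIOLATION = re.compile(
    r"blocked the loading of a resource at (\S+) \(“([a-z-]+) ([^”]*)”\)")


def parse_violations(log):
    """Return (blocked, directive, sources) for every violation line."""
    return [(m[1], m[2], m[3].split()) for m in VIOLATION.finditer(log)]


def classify(blocked, sources, app_path_segments=("core",)):
    """Explain why the blocked resource missed the source list.

    Simplified: compares host names only, not scheme, port or path.
    app_path_segments is a hypothetical parameter: top-level URL paths of
    the application (the report shows /core/ under the real host).
    """
    if blocked == "self":
        return "inline"          # inline code without a matching nonce/hash
    host = urlsplit(blocked).hostname
    allowed = {urlsplit(s).hostname for s in sources if "://" in s}
    if host in allowed:
        return "allowed-host"    # host is listed; check scheme/port instead
    if host in app_path_segments:
        return "path-as-host"    # suspect URL generation, not the policy
    return "foreign-host"        # genuinely off-origin resource


def summarize(log, app_path_segments=("core",)):
    """Count violations per (directive, reason)."""
    return Counter((d, classify(b, s, app_path_segments))
                   for b, d, s in parse_violations(log))


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

A `path-as-host` result points at how the application built the URL rather than at the policy, so widening `img-src` or `font-src` would not be the fix.
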
@rullzer
Member

rullzer commented Jan 8, 2018

I can't reproduce this... clean install works out of the box for me.

What is your apache config?

@juliusknorr
Member

https://core/img/actions/more-white.svg?v=1 looks like #7704, but that should be already fixed with beta4.

@enoch85
Member Author

enoch85 commented Jan 8, 2018

@rullzer

> What is your apache config?

Apache

**REMOVED**

@rullzer
Member

rullzer commented Jan 9, 2018

I have tried 3 different setups but can't trigger this. 😕

@juliusknorr
Member

Maybe that occurred after making a theming setting reset to default. That was still causing this issue. Fix is in #7756

@enoch85
Member Author

enoch85 commented Jan 9, 2018

> theming setting reset to default.

Yup, might be it. I installed the imagick stuff just to test if the favicon was added automatically (which wasn't the case) and then I reset to default.

So my current solution is to purge php-imagick which brought the icons back.

@MorrisJobke
Member

@enoch85 Could you check again if #7756 fixed it for you with installed imagick?

@enoch85
Member Author

enoch85 commented Jan 9, 2018

Yup it works! Thanks for the fix @juliushaertl 👍
