Allow app to send form data

Hello. I’m making an app which uses a third party service through iframe and API.

For this purpose I’ve had problems with content-security-policy. Previously I’ve been able to get through all this by adding this to my app:

use OCP\AppFramework\Http\ContentSecurityPolicy;

// In the controller method, before returning $response:
$policy = new ContentSecurityPolicy();
$policy->allowInlineScript(true);
$policy->addAllowedScriptDomain('*');
$policy->addAllowedChildSrcDomain('*');
$policy->addAllowedFrameDomain('*');
$response->setContentSecurityPolicy($policy);

However I still have one error in my way:

Refused to send form data to 'domain.we.are.trying.to.send.form.data.to' because it violates the following Content Security Policy directive: "form-action 'self'".

What is the correct way to let a Nextcloud app send form data to another domain?

You need to set addAllowedFormActionDomain to allow that.

As a side note, since you seem to allow all domains in those CSP rules, maybe you can limit those to just the domains that are really required, as allowing any domain with * basically disables any security provided by the CSP rules.

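The advice in the answer above, as an added example that is not part of the original thread or Nextcloud's own code: a controller that allows one named origin in each directive instead of `*`, including `form-action`. The `OCA\MyApp` namespace, the `myapp`/`index` template names and `https://service.example.com` are placeholders, and the helper `restrictedPolicy()` is hypothetical; the `connect-src` line is only needed if the browser calls the service's API directly.

```php
<?php
declare(strict_types=1);

namespace OCA\MyApp\Controller; // placeholder app namespace

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\ContentSecurityPolicy;
use OCP\AppFramework\Http\TemplateResponse;

class PageController extends Controller {
    // Placeholder: the exact origin(s) of the third-party service.
    private const SERVICE_ORIGINS = ['https://service.example.com'];

    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     */
    public function index(): TemplateResponse {
        $response = new TemplateResponse('myapp', 'index');
        $response->setContentSecurityPolicy(
            $this->restrictedPolicy(self::SERVICE_ORIGINS)
        );
        return $response;
    }

    /**
     * Hypothetical helper: builds a policy from exact HTTPS origins only.
     * Wildcards are refused so a later edit cannot reintroduce '*'.
     */
    private function restrictedPolicy(array $origins): ContentSecurityPolicy {
        $policy = new ContentSecurityPolicy();
        foreach ($origins as $origin) {
            if (strpos($origin, '*') !== false || strpos($origin, 'https://') !== 0) {
                throw new \InvalidArgumentException("Refusing CSP source: $origin");
            }
            $policy->addAllowedScriptDomain($origin);     // script-src
            $policy->addAllowedFrameDomain($origin);      // frame-src (the iframe)
            $policy->addAllowedFormActionDomain($origin); // form-action (the form post)
            $policy->addAllowedConnectDomain($origin);    // connect-src (API calls)
        }
        // Inline scripts stay disallowed; allowInlineScript(true) is not called.
        return $policy;
    }
}
```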

This seems to be working! Thank you!

Appreciate the tip. I was thinking it was going to be necessary to limit it, but it's good to know for sure what the consequences would have been if I didn’t do that.