App Element for Nextcloud (riotchat) - CSP Refused to load the script


Nextcloud version (eg, 29.0.5): 29.0.1
Operating system and version (eg, Ubuntu 29.04): Debian 11
Apache or nginx version (eg, Apache 2.4.25): Nginx 1.18.0
PHP version (eg, 8.3): 8.3


Hello,

This Tuesday, I upgraded my Nextcloud server from version 25 to 29.0.1.

Besides the errors and bugs reported on GitHub and the forum, I have a major issue with the Riotchat app.

Not only is it slow to display, but I also randomly encounter CSP errors.
Two *.js files are blocked when the page loads.

Is this the first time you’ve seen this error? (Y/N):

Y (since major upgrade)

The output of your Nextcloud log in Admin > Logging:

Nothing in the Nextcloud log; the errors appear only in the browser console.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

config.php
<?php
// Nextcloud config.php as posted. The poster replaced identifying values with
// placeholders (ID, PASSWORD, SECRET, DOMAIN, Country, 10.0.0.*), so the real
// host names, addresses and credentials cannot be reviewed from this listing.
// No key visible in this file sets or relaxes a Content-Security-Policy.
$CONFIG = array (
  'instanceid' => 'ID',
  // passwordsalt and secret are instance secrets; they are redacted here and
  // should stay redacted in any public post.
  'passwordsalt' => 'PASSWORD',
  'secret' => 'SECRET',
  // Session handling: 86400 s (24 h) session lifetime with keep-alive enabled,
  // no automatic logout, remember-me cookie valid for 1296000 s (15 days).
  'session_lifetime' => 86400,
  'session_keepalive' => true,
  'auto_logout' => false,
  'remember_login_cookie_lifetime' => 1296000,
  // Host names / addresses Nextcloud accepts requests for.
  'trusted_domains' => 
  array (
    0 => 'cloud.DOMAIN.com',
    1 => '10.0.0.*',
  ),
  // Proxies whose forwarded client-address headers Nextcloud trusts. Both entries
  // were redacted to the same placeholder.
  // NOTE(review): keep this list to the actual reverse proxies only — confirm.
  'trusted_proxies' => 
  array (
    0 => '10.0.0.*',
    1 => '10.0.0.*',
  ),
  'defaultapp' => 'dashboard',
  'datadirectory' => '/data',
  'default_phone_region' => 'Country',
  'skeletondirectory' => '',
  'lost_password_link' => 'disabled',
  'dbtype' => 'pgsql',
  'version' => '29.0.1.1',
  // Generated URLs and the effective host name are pinned to cloud.DOMAIN.com.
  'overwrite.cli.url' => 'https://cloud.DOMAIN.com',
  'overwritehost' => 'cloud.DOMAIN.com',
  // PostgreSQL connection; host and password are redacted.
  'dbname' => 'db',
  'dbhost' => '10.0.0.*',
  'dbport' => '5432',
  'dbtableprefix' => 'oc_',
  // NOTE(review): MySQL/MariaDB-specific switch; presumably a leftover with
  // dbtype pgsql — confirm.
  'mysql.utf8mb4' => true,
  'dbuser' => 'user',
  'dbpassword' => 'PASSWORD',
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  // Outgoing mail: authenticated SMTP (PLAIN) over TLS on port 587; password redacted.
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'cloud',
  'mail_domain' => 'DOMAIN.com',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'mail.DOMAIN.com',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'cloud@DOMAIN.com',
  'mail_smtppassword' => 'PASSWORD',
  'maintenance' => false,
  'trashbin_retention_obligation' => 'auto, 30',
  // Caching: APCu for the local cache, Redis for the distributed cache and file locking.
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  // Redis on localhost:6379; no 'password' key is set in this array.
  // NOTE(review): 'filelocking.enabled' is normally a top-level key; nested inside
  // 'redis' it is presumably ignored — confirm.
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
    'filelocking.enabled' => true,
    'timeout' => 0.0,
  ),
  'theme' => '',
  // NOTE(review): level 1 is presumably "info". CSP violations are enforced and
  // reported by the browser, which matches the poster seeing them only in the console.
  'loglevel' => 1,
  'loglevel_frontend' => 1,
  'maintenance_window_start' => 1,
);
Apps list
Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.4
  - checksum: 1.2.4
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contacts: 6.0.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - deck: 1.13.0
  - drawio: 3.0.2
  - external: 5.4.0
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_accesscontrol: 1.19.1
  - files_downloadlimit: 2.0.0
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - fileslibreofficeedit: 1.1.0
  - flow_notifications: 1.9.0
  - group_everyone: 0.1.15
  - integration_gitlab: 1.0.19
  - keeweb: 0.6.18
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - metadata: 0.20.0
  - nextcloud_announcements: 1.18.0
  - notes: 4.10.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - onlyoffice: 9.2.2
  - password_policy: 1.19.0
  - passwords: 2024.5.20
  - photos: 2.5.0
  - previewgenerator: 5.5.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - related_resources: 1.4.0
  - riotchat: 0.17.2
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - side_menu: 3.12.0
  - snappymail: 2.36.3
  - systemtags: 1.19.0
  - tasks: 0.16.0
  - text: 3.10.0
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1
  - user_ldap: 1.20.0
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Nginx config
# PHP-FPM backend referenced by fastcgi_pass in the HTTPS server block.
upstream php-handler {
    #server 127.0.0.1:9000;
    # Active backend: the local PHP 8.3 FPM unix socket (the TCP variant above is commented out).
    server unix:/var/run/php/php8.3-fpm.sock;
}

# Derives $asset_immutable from the "v" query argument: empty when ?v= is absent or
# empty, ", immutable" otherwise. The value is appended to the Cache-Control header
# in the static-asset location of the HTTPS server block.
map $arg_v $asset_immutable {
    "" "";
    default ", immutable";
}

# Plain-HTTP listener: serves no content and permanently redirects every request
# to the same host and URI over HTTPS.
server {
    listen 80;
    server_name cloud.DOMAIN.com;

    # Do not advertise the nginx version in responses and error pages.
    server_tokens off;

    return 301 https://$server_name$request_uri;
}

# HTTPS virtual host serving Nextcloud from /var/www/nextcloud via PHP-FPM.
# None of the add_header lines in this block sets a Content-Security-Policy, so the
# policy the browser enforces is not produced by the directives shown here
# (NOTE(review): presumably it comes from the PHP application — confirm by reading the
# Content-Security-Policy response header of the failing page).
server {
    listen 443      ssl http2;
    server_name cloud.DOMAIN.com;

    root /var/www/nextcloud;

    ssl_certificate /etc/ssl/cloud/cloud.DOMAIN.com.crt;
    ssl_certificate_key /etc/ssl/cloud/cloud.DOMAIN.com.privkey.pem;

    # HSTS for 15768000 s, including subdomains, with the preload flag.
    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains;preload" always;

    client_max_body_size 512M;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    client_body_buffer_size 512k;

    # Server-level security headers. nginx inherits add_header from the enclosing
    # level only when the current level defines no add_header of its own, so any
    # location that adds a header has to repeat the ones it still wants.
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Download-Options                "noopen"            always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

    fastcgi_hide_header X-Powered-By;

    # Extra MIME mappings for .mjs and .wasm on top of mime.types. With "nosniff"
    # in force, a script served with a non-JavaScript MIME type is refused by the
    # browser; that refusal is separate from a CSP violation.
    include mime.types;
    types {
        text/javascript mjs;
	application/wasm wasm;
    }

    index index.php index.html /index.php$request_uri;

    # Clients whose User-Agent starts with "DavClnt" are redirected from / to the WebDAV endpoint.
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # /.well-known: CardDAV/CalDAV discovery redirects to the DAV endpoint, the two
    # certificate-validation paths are served from disk, everything else goes to index.php.
    location ^~ /.well-known {
        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        return 301 /index.php$request_uri;
    }

    # Return 404 for internal directories and for dot-files / CLI and maintenance
    # paths, so they cannot be fetched over the web.
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    # PHP handling. Any .php URI that is not one of the listed entry points is
    # rewritten to /index.php, and try_files returns 404 before a script that does
    # not exist on disk can be handed to PHP-FPM.
    location ~ \.php(?:$|/) {
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
    }

    # Static assets, including the .js files the post is about. A file that does not
    # exist on disk falls through to /index.php, so the response then comes from the
    # PHP application instead of being a static file.
    # This location has its own add_header lines, so the server-level set is not
    # inherited: Strict-Transport-Security and X-Download-Options are not repeated
    # below and are therefore not sent on these responses.
    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
        add_header Referrer-Policy                   "no-referrer"       always;
        add_header X-Content-Type-Options            "nosniff"           always;
        add_header X-Frame-Options                   "SAMEORIGIN"        always;
        add_header X-Permitted-Cross-Domain-Policies "none"              always;
        add_header X-Robots-Tag                      "noindex, nofollow" always;
        add_header X-XSS-Protection                  "1; mode=block"     always;
        access_log off;     # Optional: Don't log access to assets
    }

    # Web fonts: same fall-through to index.php, cached for 7 days.
    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location /remote {
        return 301 /remote.php$request_uri;
    }
    # Catch-all: serve the file or directory if it exists, otherwise hand the request to index.php.
    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

Thank you in advance for your help.