Really sorry if this is indeed an undue report, but I just installed Passwords on my Nextcloud instance and can’t access the web interface through any of:
- Chrome 76.0.3809.100
- Firefox 60.8.0esr (64 bits)
- Brave 0.67.124
all claiming to be up to date, but I have this ginormous out-of-date browser warning instead of the Passwords interface.
The Android app by Daper, from F-droid, can connect just fine, so it does not seem to be a server conf issue.
My Nextcloud info:
- Raspbian Buster + Apache
- PHP 7.3.4-2
- Nextcloud 16.0.3
Have I missed something?
Thanks anyway for any help
Those browsers should be enough to use the app. Can you open the developer console (press F12) and check for any errors besides “Browser does not support ECMAScript 2017 / ES2017”?
Hello, thanks for the fast answer! I surprisingly didn’t have the idea to look at the console.
Actually, there is a bunch of errors, all linked to my server’s Content Security Policy:
Refused to connect to [edited out] because it violates the following Content Security Policy directive: "connect-src 'self'".
Another one says:
FWIW, here is my Content security policy htaccess content:
- default-src 'self';
- base-uri 'none';
- manifest-src 'self';
- script-src 'self' 'unsafe-inline';
- style-src 'self' https://fonts.googleapis.com 'unsafe-inline';
- img-src 'self' data: blob:;
- font-src 'self' https://fonts.gstatic.com data:;
- connect-src 'self';
- media-src 'self';
- frame-src 'self';
- object-src 'self'
which does not interfere with any of the other Nextcloud apps I use.
I achieved these settings by repeatedly scanning my instance through securityheaders.com, and tweaking the ones blocking Nextcloud from operating.
I guess I have to open them up a bit more for Passwords to work…
My configuration may seem a bit odd, but I run a WordPress website in my root web folder, and Nextcloud in a subfolder of it.
Thus, the CSP settings I had put in my root folder htaccess were somehow overriding the correct ones set (at runtime?) by Nextcloud, breaking Passwords in particular.
I had to remove the CSP settings in my root folder htaccess, and find a way to still kind of protect (see the 'unsafe-inline' problem largely discussed on the web) through a WordPress plugin, in order to have no conflict between the two pieces of software.
I may someday try to implement these CSP settings for my WordPress through a PHP function of my own, but for now, it seems to fulfill my needs, according to my last scans.
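An added example (not part of the thread and not Nextcloud's or the Passwords app's code): a small Node.js check of the `connect-src` decision behind the console error above, run against the policy quoted in the thread. The origins `https://cloud.example.org` and `https://api.example.net` and the looser `APP_CSP` are constructed placeholders, and the source matching is a simplified subset of what browsers implement.

```javascript
// Policy quoted in the thread, joined into one header value.
const ROOT_CSP = [
  "default-src 'self'", "base-uri 'none'", "manifest-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "style-src 'self' https://fonts.googleapis.com 'unsafe-inline'",
  "img-src 'self' data: blob:", "font-src 'self' https://fonts.gstatic.com data:",
  "connect-src 'self'", "media-src 'self'", "frame-src 'self'", "object-src 'self'",
].join("; ");

// Split a header value into directive -> sources; a repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source matching: 'self', "*", scheme sources, host sources with optional
// scheme and leading "*." wildcard. Ports, paths and scheme upgrades are not modelled.
function sourceMatches(source, target, page) {
  if (source === "'self'") return target.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none' and other keywords match no URL
  if (source === "*") return /^(https?|wss?):$/.test(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const scheme = (m[1] ? m[1] + ":" : page.protocol).toLowerCase();
  const host = m[2].toLowerCase();
  const hostOk = host.startsWith("*.") ? target.hostname.endsWith(host.slice(1)) : target.hostname === host;
  return hostOk && target.protocol === scheme;
}

// A fetch/XHR/WebSocket target must be allowed by every policy the response carries.
// connect-src falls back to default-src; a policy with neither does not restrict it.
function connectAllowed(cspHeaders, pageUrl, targetUrl) {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  return cspHeaders.every((header) => {
    const policy = parseCsp(header);
    const sources = policy.get("connect-src") ?? policy.get("default-src");
    return sources === undefined || sources.some((s) => sourceMatches(s, target, page));
  });
}

// Constructed placeholders: page URL, API URL and a looser app-level policy.
const PAGE = "https://cloud.example.org/nextcloud/apps/passwords";
const API = "https://api.example.net/v1/check";
const APP_CSP = "default-src 'none'; connect-src 'self' https://api.example.net";
console.log(connectAllowed([ROOT_CSP], PAGE, API), connectAllowed([ROOT_CSP, APP_CSP], PAGE, API));
```

When a response carries more than one policy the browser enforces all of them, so a looser application policy does not widen a stricter site-wide one.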