"Browser Outdated" -yes I have read the FAQ warning

Really sorry if this is indeed an undue report, but I just installed Passwords on my Nextcloud instance and can’t access the web interface through any of:

  • Chrome 76.0.3809.100
  • Firefox 60.8.0esr (64 bits)
  • Brave 0.67.124

all claiming to be up to date, but I have this ginormous out-of-date browser warning instead of the Passwords interface.

The Android app by Daper, from F-droid, can connect just fine, so it does not seem to be a server conf issue.

My Nextcloud info:

  • Raspbian Buster + Apache
  • PHP 7.3.4-2
  • Nextcloud 16.0.3

Have I missed something?
Thanks anyway for any help :slight_smile:
Shiva

Those browsers should be enough to use the app. Can you open the developer console (press F12) and check for any errors besides “Browser does not support ECMAScript 2017 / ES2017”?

Hello, thanks for the fast answer! I surprisingly didn’t have the idea to look at the console :sweat:
Actually, there are a bunch of errors, all linked to my server’s Content Security Policy:

One says:
Refused to connect to [edited out] because it violates the following Content Security Policy directive: "connect-src 'self'".
Another one says:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

FWIW, here is my Content security policy htaccess content:

  • default-src 'self';
  • base-uri 'none';
  • manifest-src 'self';
  • script-src 'self' 'unsafe-inline';
  • style-src 'self' https://fonts.googleapis.com 'unsafe-inline';
  • img-src 'self' data: blob:;
  • font-src 'self' https://fonts.gstatic.com data:;
  • connect-src 'self';
  • media-src 'self';
  • frame-src 'self';
  • object-src 'self'

which does not interfere with any of the other Nextcloud apps I use.
I achieved these settings by repeatedly scanning my instance through securityheaders.com, and tweaking the ones blocking Nextcloud from operating.
I guess I have to open them up a bit more for Passwords to work…

My configuration may seem a bit odd, but I run a WordPress website in my root web folder, and Nextcloud in a subfolder of it.

Thus, the CSP settings I had put in my root folder htaccess were somehow overriding the correct ones set (at runtime?) by Nextcloud, breaking Passwords in particular.
I had to remove the CSP settings in my root folder htaccess, and find a way to still kind of protect (see the 'unsafe-inline' problem largely discussed on the web) through a WordPress plugin, in order to have no conflict between the two pieces of software.

I may someday try to implement these CSP settings for my WordPress through a PHP function of my own, but for now, it seems to fulfill my needs, according to my last scans.

1 Like
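
Added example (not part of the thread, and not Nextcloud or Passwords code): a small JavaScript evaluator for the two checks behind the console errors quoted above. It shows why a stricter policy from a parent htaccess keeps blocking the app even when the application would send a more permissive one, because every policy the browser receives must pass. `APP_POLICY` and the `example.test` origins are constructed placeholders, and source matching is simplified to `'self'`, `*` and exact origins.

```javascript
'use strict';

// Parse a policy string into Map(directive name -> [source expressions]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec a repeated directive is ignored: the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Effective source list for a fetch directive, falling back to default-src.
// null means the policy places no restriction on this kind of load.
function sourcesFor(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

// eval() is permitted only if script-src (or its fallback) lists 'unsafe-eval'.
function allowsEval(policy) {
  const src = sourcesFor(parseCsp(policy), 'script-src');
  return src === null || src.includes("'unsafe-eval'");
}

// Simplified matching: '*', 'self' (same origin as the page), or an exact origin.
function allowsConnect(policy, targetOrigin, pageOrigin) {
  const src = sourcesFor(parseCsp(policy), 'connect-src');
  if (src === null) return true;
  return src.some(s =>
    s === '*' || (s === "'self'" && targetOrigin === pageOrigin) || s === targetOrigin);
}

// A browser enforces every policy it receives, so an action must pass all of them.
function allowedByAll(policies, check) {
  return policies.every(check);
}

// Root htaccess policy from the thread (only the directives relevant here).
const ROOT_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'";
// Constructed stand-in for a policy the app would need; NOT Nextcloud's real header.
const APP_POLICY =
  "default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self' https://api.example.test";
const PAGE = 'https://cloud.example.test'; // placeholder page origin
const API = 'https://api.example.test';    // placeholder for the edited-out host
```
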