Collabora and Nextcloud 25

Nextcloud version (eg, 20.0.5): 25.0.1
Operating system and version (eg, Ubuntu 20.04): 22.04
Apache or nginx version (eg, Apache 2.4.25): nginx
PHP version (eg, 7.4): 8.1

The issue you are facing:

Running Collabora on edit.domain.com and Nextcloud on docs.domain.com, I cannot edit documents. The request never reaches Collabora. I have tried adding just about every CSP header I can think of, but the request still seems to be blocked.

Right before the CSP blocking information in the console, I see an exception like this:

core-common.js

Uncaught 
Exception { name: "", message: "", result: 2153381986, filename: "https://docs.domain.com/dist/core-common.js?v=29357e0c-3", lineNumber: 2, columnNumber: 0, data: null, stack: "trigger@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9713512\ntrigger/<@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9713798\neach@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9644267\neach@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9642747\ntrigger@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9713773\n49226/</i</</j</<@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9357821\ns/t[n]@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9348837\nshowEditor@https://docs.domain.com/apps/richdocuments/js/richdocuments-document.js?v=29357e0c-3:2:185541\nshowEditor/<@https://docs.domain.com/apps/richdocuments/js/richdocuments-document.js?v=29357e0c-3:2:179934\nsetTimeout handler*showEditor@https://docs.domain.com/apps/richdocuments/js/richdocuments-document.js?v=29357e0c-3:2:179915\nloadDocument@https://docs.domain.com/apps/richdocuments/js/richdocuments-document.js?v=29357e0c-3:2:187766\ninitSession/<@https://docs.domain.com/apps/richdocuments/js/richdocuments-document.js?v=29357e0c-3:2:187693\nl@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9669908\nadd@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9670188\ninitSession@https://docs.domain.com/apps/richdocuments/js/richdocuments-document.js?v=29357e0c-3:2:187673\n@https://docs.domain.com/apps/richdocuments/js/richdocuments-document.js?v=29357e0c-3:2:188821\nc@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9671626\no/</u<@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9671928\nsetTimeout 
handler*o/<@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9672137\nl@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9669908\nfireWith@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9670656\nfire@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9670692\nl@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9669908\nfireWith@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9670656\nready@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9673642\nsetTimeout handler*19755/<@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9673768\n19755/<@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9641377\n19755@https://docs.domain.com/dist/core-common.js?v=29357e0c-3:2:9641490\na@https://docs.domain.com/dist/core-main.js?v=29357e0c-3:2:146713\n54385@https://docs.domain.com/dist/core-main.js?v=29357e0c-3:2:1348\na@https://docs.domain.com/dist/core-main.js?v=29357e0c-3:2:146713\nr<@https://docs.domain.com/dist/core-main.js?v=29357e0c-3:2:148432\na.O@https://docs.domain.com/dist/core-main.js?v=29357e0c-3:2:147115\n@https://docs.domain.com/dist/core-main.js?v=29357e0c-3:2:148448\n@https://docs.domain.com/dist/core-main.js?v=29357e0c-3:2:148453\n" }

The actual CSP error in the console, right after this one is:

Content Security Policy: The page’s settings blocked the loading of a resource at https://edit.domain.com/browser/0b42b3e/cool.html?WOPISrc=https%3A%2F%2Fdocs.domain.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F454_oceyj87157zl&title=test.docx&lang=en&closebutton=1&revisionhistory=1 (“form-action”).

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

Simply try to edit (or create) an “office” document.

The output of your Nextcloud log in Admin > Logging:

There's no related information

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'redacted',
  'passwordsalt' => 'redacted',
  'secret' => 'redacted',
  'trusted_domains' => 
  array (
    0 => 'docs.domain.com',
    1 => 'edit.domain.com',
  ),
  'allow_local_remote_servers' => true,
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '25.0.1.1',
  'overwrite.cli.url' => 'https://docs.domain.com',
  'overwritehost' => 'docs.domain.com',
  'overwriteprotocol' => 'https',
  'dbname' => 'redacted',
  'dbhost' => '127.0.0.1',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'redacted',
  'dbpassword' => 'redacted',
  'installed' => true,
  'default_language' => 'en',
  'logtimezone' => 'UTC',
  'default_phone_region' => 'SE',
  'skeletondirectory' => '',
  'logo_url' => 'https://docs.domain.com',
  'defaultapp' => 'files,dashboard',
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\Movie',
    6 => 'OC\\Preview\\PDF',
    7 => 'OC\\Preview\\MP3',
    8 => 'OC\\Preview\\TXT',
    9 => 'OC\\Preview\\MarkDown',
  ),
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
  'activity_expire_days' => 14,
  'auth.bruteforce.protection.enabled' => true,
  'blacklisted_files' => 
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
    2 => 'thumbs.db',
  ),
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0.0,
    'read_timeout' => 0.0,
    'user' => '',
    'password' => '',
    'dbindex' => 0,
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'mail_from_address' => 'notice',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'docs.domain.com',
  'mail_smtphost' => 'localhost',
  'logfile' => '/var/www/_logs/nextcloud.log',
  'trashbin_retention_obligation' => 'auto, 30',
  'maintenance' => false,
);

The output of your Apache/nginx/system log in /var/log/____:

There's no relevant output

The Nginx header configuration (Nextcloud server) looks like this:

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "form-action docs.domain.com edit.domain.com 'self';frame-ancestors docs.domain.com edit.domain.com 'self';";

I’m sure I did something wrong, but I can’t figure out what.

I’ve changed the Content-Security-Policy, to no avail, and now I’m beginning to think that Nextcloud is outputting its own (?). Using Chromium to inspect the console gave a somewhat more interesting message:

Refused to send form data to 'https://edit.domain.com/browser/0b42b3e/cool.html?WOPISrc=https%3A%2F%2Fdocs.domain.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F454_oceyj87157zl&title=test.docx&lang=en&closebutton=1&revisionhistory=1' because it violates the following Content Security Policy directive: "form-action 'self' https://docs.domain.com:443".

core-common.js?v=29357e0c-3:2 Refused to frame 'https://edit.domain.com/' because it violates the following Content Security Policy directive: "frame-src 'self' nc: https://docs.domain.com:443".

But that’s not what I’ve configured in Nginx. So it seems Nextcloud has its own policy? Where is that controlled and/or changed?

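As an added illustration (not from the thread or from Nextcloud's own code), this Python script models how a browser evaluates a request against the two Content-Security-Policy headers quoted above: each policy is checked on its own, so the Collabora URL must be permitted by every header present, and appending a looser header with add_header cannot relax the stricter one the application sent. The policy strings and URLs are constructed from the console messages in this post; wildcard and path matching are left out.

```python
from urllib.parse import urlsplit
# Constructed from the thread: the policy nginx appended with add_header, and the
# policy Nextcloud itself sent (as quoted in the Chromium console messages).
NGINX_CSP = ("form-action docs.domain.com edit.domain.com 'self';"
             "frame-ancestors docs.domain.com edit.domain.com 'self';")
NEXTCLOUD_CSP = ("form-action 'self' https://docs.domain.com:443;"
                 "frame-src 'self' nc: https://docs.domain.com:443")
DEFAULT_PORTS = {"https": 443, "http": 80}

def parse_csp(header):
    """Split one CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def origin(url, default_scheme="https"):
    """(scheme, host, port) of a URL or bare host, default port filled in."""
    if "://" not in url:
        url = default_scheme + "://" + url
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def source_allows(source, url, page_url):
    """Match 'self', scheme-sources (e.g. nc:) and host-sources; no wildcards/paths."""
    if source == "'self'":
        return origin(url) == origin(page_url)
    if source.endswith(":") and "/" not in source:
        return urlsplit(url).scheme == source[:-1]
    return origin(url) == origin(source, urlsplit(page_url).scheme)

def policy_allows(policy, directive, url, page_url):
    """An absent directive imposes no restriction (form-action/frame-ancestors have no fallback)."""
    sources = policy.get(directive)
    return True if sources is None else any(source_allows(s, url, page_url) for s in sources)

def allowed_by_all(headers, directive, url, page_url):
    """Browsers enforce every CSP header on a response: the request must pass
    each policy, so a second, looser header cannot relax a stricter one."""
    return all(policy_allows(parse_csp(h), directive, url, page_url) for h in headers)

if __name__ == "__main__":
    page = "https://docs.domain.com/index.php/apps/files"
    cool = "https://edit.domain.com/browser/0b42b3e/cool.html"  # Collabora editor URL
    for d in ("form-action", "frame-src"):
        print(d, "nginx only:", allowed_by_all([NGINX_CSP], d, cool, page),
              "| both headers:", allowed_by_all([NGINX_CSP, NEXTCLOUD_CSP], d, cool, page))
```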

OK. So, it seems like Nextcloud is actually setting CSP headers by itself.

I was using Nginx mainline from Nginx, instead of the Ubuntu version. I have now removed it and am using the Ubuntu version, which includes the “more headers” module. I have then added these headers using the “more_set_headers” directive, which will override the CSP, regardless of Nextcloud’s attempts at “replacing” what I had set initially in Nginx.

I’m not sure if this is documented somewhere in Nextcloud, but regardless, it should be possible to control this from the Nextcloud configuration. Either by disabling this “feature” in Nextcloud, or by allowing the editing for what sources go into the CSP. This becomes particularly important when you use integrations and “cross talk” between apps/platforms.

I think this is an issue that needs to be addressed.
