Content Security issues

necl · June 8, 2017, 9:54pm

I’ve installed 12.0.0 and have Content Security Policy issues:

Content Security Policy: The page's settings blocked the loading of a resource at about:blank ("base-uri 'none'").
Content Security Policy: The page's settings blocked the loading of a resource at https://example.com/index.php/apps/files/ ("base-uri 'none'").

I replaced the customers domain by example.com above. It is the same domain, I have written in the address line of the browser (without any subdomain like www or so). It is also https at both places. I know how to allow additional host names in the .htaccess, but I don’t know, why I should have to do that in this case. The base-uri ‘none’ is set by nextcloud via PHP. When I change the header (in \OCP\AppFramework\Http\Response::getHeaders() or in the .htaccess) to

default-src *; script-src *; connect-src *; img-src *; style-src *

I also get Content Security Policy errors.

Can you please help me?

tflidd · June 10, 2017, 9:32pm

In my setup, the base-uri is set to:
base-uri 'self'

Can you check with curl -vvvv https://example.com/ what the header looks like? Do you use a proxy?

necl · June 11, 2017, 2:15pm

How did you set the base-uri value without changing the other values? It’s hardcoded in \OCP\AppFramework\Http\EmptyContentSecurityPolicy. Maybe it’s possible to override that class and write a wrapper around that method, that replaces the base-uri 'none'; How did you change that value?

tflidd · June 13, 2017, 7:22am

I didn’t change anything myself. Perhaps it is changed by .htaccess?