Content Security Policy blocking script

socialistpizza · March 24, 2025, 7:31pm

I’m trying to integrate the Stripe API into my nextcloud custom app. But the content security policy is blocking the script.

There are errors in the console:

Within my nextcloud files I found a file for configuring the CSP but haven’t figured out what values in there I need to change to resolve the errors.

/lib/public/AppFramework/Http/ContentSecurityPolicy.php

Any help here would be much appreciated! I’m new to nextcloud and still learning how to develop apps. Thank you!

wwe · March 24, 2025, 8:36pm

Hello @socialistpizza, welcome to the Nextcloud community!
please use search many topics where discussed already e.g. CSP "Content Security Policy" missing in Nextcloud manual

socialistpizza · March 24, 2025, 9:53pm

I have used the search and haven’t been able to find a solution to my issue.

christianlupus · March 24, 2025, 10:23pm

Hello.

The mentioned files must not be altered. They are part of the server core and are fine as they are.

You are writing an app that needs a looser csp setting than normal (pure NC) apps need. So, read the documentation. There is an example on allowing all domains. I would highly suggest to whitelist individual domains to minimize the security impact.

Chris

smarinier · March 25, 2025, 7:49am

Hi,

Did you check your web server doesn’t have CSP policies itself (.htaccess, .conf…). You can check by accessing through a page that isn’t generated by Nextcloud (eg test.php).

I’ve fixed a CSP policy recently : see [Bug]: Content Security Policy (CSP) Error for preview-service-worker.js · Issue #39849 · nextcloud/server · GitHub

You can watch the fix from this PR: fix: #138 Missing worker policy when launching assistant by smarinier · Pull Request #139 · nextcloud/assistant · GitHub

Yours,

Mohammed_Aladwani · January 18, 2026, 6:40pm

To resolve this issue

Edit nextcloud/apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php

Before:

		// CSP to allow office
		$csp = new ContentSecurityPolicy();
		$csp->addAllowedFrameDomain('\'self\'');

		$response = new PublicTemplateResponse(
			'files',
			'index',
		);
		$response->setContentSecurityPolicy($csp);

After:

		// CSP to allow office
		$csp = new ContentSecurityPolicy();
		$csp->addAllowedFrameDomain('\'self\'');

		$response = new PublicTemplateResponse(
			'files',
			'index',
		);
		$csp = $response->getContentSecurityPolicy();
		$csp->addAllowedWorkerSrcDomain('\'self\'');

		$response->setContentSecurityPolicy($csp);

Best,

christianlupus · January 19, 2026, 10:00am

I would say there are parts obsolete in your solution:

The first two lines of creating a ContentSecurityPolicy objectis obsolete.

Mohammed_Aladwani:

		$csp = new ContentSecurityPolicy();
		$csp->addAllowedFrameDomain('\'self\'');
		// Explanation: next,  $csp get reset to a new value.
		// $csp = $response->getContentSecurityPolicy();

This sounds like the actual solution:

The last step is obsolete again:

This is due to the fact that you take the CSP object from the response (which will be initialized eventually as a by-product) and get that as a reference from the response object. By changing the CSP object (addAllowedWorkerSrcDomain), this is affecting the response already.

I am although not sure if this is acually solving the original poster’s question, as there was an issue about script-src-elem while this modifies the worker domain. A bit more digging might be needed there. This comment above was just about the pure PHP part.

Chris