Content Security Policy Config

Hello

I’m trying to balance my home web server’s security and have Nextcloud function properly. CSP is causing issues in the apache.conf folder.

If I set
Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://my-domain.com;"

Nextcloud works perfectly. However, all my security scans give me warnings due to the eval and inline security flaws. To fix this I can remove these from my CSP config and Nextcloud then stops working.

My questions are:

  1. Is there a set CSP policy I can have to use Nextcloud and not have the risk of inline/eval?
  2. Nextcloud is the only service on the server. Do I need CSP at all in my apache.conf as I don’t host any other HTML?

I’ve looked a lot on Google and there is much on setting up CSP and Nextcloud, but not together, for the semi-noob.

Thanks


Hi,

Nextcloud server and apps require the unsafe-eval entry in the CSP header for now. Devs are already aware of that and trying to remove it:

Because it is not easy to do and requires a lot of changes in the code, it takes some time. However, it is in the Backlog of the “Security Hardenings” (first column on the left side):

This CSP header entry should not be a serious issue though since @LukasReschke made some changes:

This seems rather hard to accomplish due to our existing JS code base. As a first step I’ve added a hardening to jQuery that makes the unsafe-eval in jQuery a non-issue at least: #3874

(Source: https://github.com/nextcloud/server/issues/1185#issuecomment-289396788)

As soon as the code base has been adapted, the CSP header will be removed by Nextcloud with a feature update. So there is nothing for you to do. Just wait until it’s “enhanced” (not to say fixed) :slight_smile:

But I’m with you; I’m also hoping it is done soon :slight_smile:

FYI this is done for Nextcloud 15. It’ll require some changes in apps, of course…


Is it possible to remove ‘unsafe-inline’ now? I’m on Nextcloud 17 and that policy is still being set.

nextcloud # find -xdev -type f -name "*.php" -exec grep --with-filename "unsafe-inline" {} \;

./apps/ojsxc/appinfo/app.php:
$policy->addAllowedStyleDomain('\'unsafe-inline\'');

./apps/deck/vendor/christophwurst/nextcloud/OCP/AppFramework/Http/ContentSecurityPolicy.php:
 * This class allows unsafe-eval of javascript and unsafe-inline of CSS.

./apps/deck/vendor/christophwurst/nextcloud/OCP/AppFramework/Http/EmptyContentSecurityPolicy.php:
$policy .= ' \'unsafe-inline\'';
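The first post asks why scanners flag the `default-src` policy, and the last post shows that Nextcloud’s own code adds `'unsafe-inline'` to the style directive rather than to scripts. The following checker, added here as an example and not code from the thread or from the Nextcloud project, makes that distinction visible: it parses a Content-Security-Policy value, resolves the `script-src`/`style-src` fallback to `default-src`, and reports `'unsafe-eval'` and `'unsafe-inline'` per directive, rating inline styles lower than inline or eval’d scripts. It also applies the CSP Level 2 rule that browsers ignore `'unsafe-inline'` when the same directive carries a nonce or hash source. The sample policy is the one from the first post with straight quotes; all function names are this example’s own.

```python
"""Check a Content-Security-Policy header value for unsafe source keywords.

Added example (not from the forum thread or Nextcloud). The sample policy
below is constructed from the first post, with ASCII quotes.
"""

# Constructed sample: the policy quoted in the first post.
SAMPLE_POLICY = (
    "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://my-domain.com;"
)

# Source expressions that, when present, cause CSP2+ browsers to ignore
# 'unsafe-inline' in the same directive.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Which keywords are worth reporting for each directive we care about.
CHECKS = (
    ("script-src", ("'unsafe-inline'", "'unsafe-eval'")),
    ("style-src", ("'unsafe-inline'",)),
)


def parse_csp(header_value):
    """Split a CSP value into {directive_name: [source expressions]}.

    Directive names are case-insensitive; a repeated directive is ignored
    after its first occurrence, which is how browsers treat it.
    """
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return (directive_that_applied, sources) using the default-src fallback.

    If neither the directive nor default-src is present, the directive is
    unrestricted and (None, None) is returned.
    """
    for name in (directive, "default-src"):
        if name in policy:
            return name, policy[name]
    return None, None


def find_unsafe(header_value):
    """Return findings as (directive, issue, severity, governing_directive)."""
    policy = parse_csp(header_value)
    findings = []
    for directive, keywords in CHECKS:
        origin, sources = effective_sources(policy, directive)
        if origin is None:
            findings.append((directive, "unrestricted", "high", None))
            continue
        lowered = [s.lower() for s in sources]
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
        for kw in keywords:
            if kw not in lowered:
                continue
            if kw == "'unsafe-inline'" and has_nonce_or_hash:
                # Nonce/hash present: browsers ignore 'unsafe-inline' here.
                continue
            severity = "high" if directive == "script-src" else "medium"
            findings.append((directive, kw, severity, origin))
    return findings


def format_report(header_value):
    """Human-readable summary of find_unsafe(), one line per finding."""
    lines = []
    for directive, issue, severity, origin in find_unsafe(header_value):
        where = f"(inherited from {origin})" if origin and origin != directive else ""
        lines.append(f"[{severity}] {directive}: {issue} {where}".rstrip())
    return "\n".join(lines) if lines else "no unsafe keywords found"


if __name__ == "__main__":
    print(format_report(SAMPLE_POLICY))
```

Run it against the policy string you actually receive from the server (for example, the value shown by your browser’s developer tools), not only the one in apache.conf: `Header set` replaces any CSP header the application emitted, so the header on the wire is the only one that matters, and a policy that sets `script-src` with a nonce or hash will show no inline finding even if `'unsafe-inline'` is still listed. The report for the first post’s policy shows all three findings being inherited from `default-src`, which is why that single directive triggers the scanner warnings.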