I am trying to balance my home server's web server security and have Nextcloud function properly. CSP is causing issues in the apache.conf folder.
If I set
Header set Content-Security-Policy: "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://my-domain.com;"
Nextcloud works perfectly. However, all my security scans give me warnings due to the eval and inline security flaws. To fix this I can remove these from my CSP config, and Nextcloud then stops working.
My questions are:
Is there a set CSP policy I can have to use Nextcloud and not have the risk of inline/eval?
Nextcloud is the only service on the server. Do I need CSP at all in my apache.conf, as I don't host any other HTML?
I've looked a lot on Google, and there is much on setting up CSP and on Nextcloud, but not together, for the semi-noob.
Nextcloud server and apps require the unsafe-eval entry in the CSP header for now. Devs are already aware of that and are trying to remove it:
Because it is not easy to do and requires a lot of changes in the code, it takes some time. However, it is in the backlog of the "Security Hardenings" (first column on the left side):
This CSP header entry should not be a serious issue though since @LukasReschke made some changes:
This seems rather hard to accomplish due to our existing JS code base. As a first step I’ve added a hardening to jQuery that makes the unsafe-eval in jQuery a non-issue at least: #3874
As soon as the code base has been adapted, the CSP header will be removed by Nextcloud with a feature update. So there is nothing to do for you. Just wait until it's "enhanced" (not to say fixed).
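Added example (not from the Nextcloud project or from anyone in this thread): a small Python script that evaluates a CSP header the way the scanners mentioned in the question do, applying the browser's fallback rules. The first header is the one from the question (with straight quotes); the second is a constructed alternative, an assumption for illustration only, that moves 'unsafe-eval' into script-src and 'unsafe-inline' into style-src so each keyword covers only the directive it is needed for. Whether Nextcloud still works behind the second header is not something this script can tell you. What it shows is that default-src is the fallback for script-src (so 'unsafe-eval' in default-src is an eval permission for scripts, which is what the scanner warns about), and that frame-ancestors, form-action and base-uri never fall back to default-src (so a header that only sets default-src leaves framing unrestricted, which is what a clickjacking finding like the one later in this thread reports).

```python
"""Evaluate a Content-Security-Policy header with browser fallback semantics.

Added example, not Nextcloud code. The two sample headers below are
constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}
# Directives that never fall back to default-src: absent means unrestricted.
NON_FALLBACK = ("frame-ancestors", "form-action", "base-uri")

# Keywords a scanner flags, per directive where they matter.
RISKY_KEYWORDS = {
    "script-src": ("'unsafe-inline'", "'unsafe-eval'"),
    "style-src": ("'unsafe-inline'",),
}

# Header from the question (constructed copy, quotes straightened).
OP_HEADER = "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://my-domain.com;"
# Hypothetical split policy (assumption: not verified against Nextcloud).
SPLIT_HEADER = (
    "default-src 'self'; script-src 'self' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
    "frame-ancestors 'self'; form-action 'self'; base-uri 'self'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a serialized policy into {directive: [sources]}.

    Directive names are case-insensitive. If a directive appears twice,
    browsers keep the first occurrence and ignore the later ones.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue  # empty segment, e.g. after a trailing ';'
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list a browser applies for `directive`, or None if nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")  # may still be None
    return None


def audit(header: str) -> List[Tuple[str, str]]:
    """Findings a scanner would raise, as (directive, problem) pairs."""
    policy = parse_csp(header)
    findings: List[Tuple[str, str]] = []
    for directive, keywords in RISKY_KEYWORDS.items():
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append((directive, "unrestricted"))
            continue
        for keyword in keywords:
            if keyword in sources:
                findings.append((directive, keyword))
    # Framing, form targets and <base> are only covered when set explicitly.
    for directive in NON_FALLBACK:
        if effective_sources(policy, directive) is None:
            findings.append((directive, "unrestricted"))
    return findings


if __name__ == "__main__":
    for label, header in (("question", OP_HEADER), ("split", SPLIT_HEADER)):
        print(f"{label}: {len(audit(header))} finding(s)")
        for directive, problem in audit(header):
            print(f"  {directive}: {problem}")
```

Run it and compare the two finding lists. Two caveats worth keeping in mind with the Apache line from the question: Header set replaces any Content-Security-Policy header the application itself sends, so it overrides whatever Nextcloud's own policy classes (quoted later in this thread) would have emitted for every response; and a candidate policy is best tried first as Content-Security-Policy-Report-Only, which reports violations to the browser console without blocking anything, so you can see what Nextcloud actually needs before enforcing it.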
I was thinking maybe the issue is here, in ./lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php:
/**
 * @var bool Whether inline CSS is allowed
 * @link https://github.com/owncloud/core/issues/13458
 */
protected $inlineStyleAllowed = null;
/** @var array Domains from which CSS can get loaded */
protected $allowedStyleDomains = null;
/** @var array Domains from which images can get loaded */
protected $allowedImageDomains = null;
/** @var array Domains to which connections can be done */
protected $allowedConnectDomains = null;
/** @var array Domains from which media elements can be loaded */
protected $allowedMediaDomains = null;
/** @var array Domains from which object elements can be loaded */
protected $allowedObjectDomains = null;
/** @var array Domains from which iframes can be loaded */
protected $allowedFrameDomains = null;
/** @var array Domains from which fonts can be loaded */
protected $allowedFontDomains = null;
/** @var array Domains from which web-workers and nested browsing content can load elements */
protected $allowedChildSrcDomains = null;
/** @var array Domains which can embed this Nextcloud instance */
protected $allowedFrameAncestors = null;
/** @var array Domains from which web-workers can be loaded */
protected $allowedWorkerSrcDomains = null;
/** @var array Domains which can be used as target for forms */
protected $allowedFormActionDomains = null;
/** @var array Locations to report violations to */
protected $reportTo = null;
So I hard-coded the form-action policy to 'self' instead of null.
Thanks @vitachaos, but my issue was different. I had already set that option, and in my case it was trying to redirect to a completely different domain outside Nextcloud, so I had to patch the file.
Old issue (I'm now on NC 26), but I got a note that the site does not prevent clickjacking. I've made the following change to ContentSecurityPolicy.php (it was empty):