Content Security Policy Config

Hello

I'm trying to balance my home web server's security and have Nextcloud function properly. CSP is causing issues in my apache.conf.

If I set
Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://my-domain.com;"

Nextcloud works perfectly. However, all my security scans give me warnings due to the eval and inline security flaws. To fix this, I can remove these from my CSP config, but then Nextcloud stops working.

My questions are:

  1. Is there a set CSP policy I can use with Nextcloud that does not carry the inline/eval risk?
  2. Nextcloud is the only service on the server. Do I need CSP at all in my apache.conf, as I don't host any other HTML?

I've looked a lot on Google and there is much on setting up CSP, and on Nextcloud, but not on the two together for the semi-noob.

Thanks


Hi,

Nextcloud server and apps require the unsafe-eval entry in the CSP header for now. The devs are already aware of that and are trying to remove it:

Because it is not easy to do and requires a lot of changes in the code, it takes some time. However, it is in the backlog of the "Security Hardenings" (first column on the left side):

This CSP header entry should not be a serious issue though since @LukasReschke made some changes:

This seems rather hard to accomplish due to our existing JS code base. As a first step I’ve added a hardening to jQuery that makes the unsafe-eval in jQuery a non-issue at least: #3874

(Source: Get rid of all unsafe-eval Javascripts · Issue #1185 · nextcloud/server · GitHub)

As soon as the code base has been adapted, the CSP header will be removed by Nextcloud with a feature update. So there is nothing to do for you. Just wait until it's "enhanced" (not to say fixed) :)

But I'm with you; I'm also hoping it is done soon :)

FYI this is done for Nextcloud 15. It’ll require some changes in apps, of course…


Is it possible to remove ‘unsafe-inline’ now? I’m on Nextcloud 17 and that policy is still being set.

nextcloud # find -xdev -type f -name "*.php" -exec grep --with-filename "unsafe-inline" {} \;

./apps/ojsxc/appinfo/app.php:
$policy->addAllowedStyleDomain('\'unsafe-inline\'');

./apps/deck/vendor/christophwurst/nextcloud/OCP/AppFramework/Http/ContentSecurityPolicy.php:
 * This class allows unsafe-eval of javascript and unsafe-inline of CSS.

./apps/deck/vendor/christophwurst/nextcloud/OCP/AppFramework/Http/EmptyContentSecurityPolicy.php:
$policy .= ' \'unsafe-inline\'';

This is still an issue in NC version 24.0.5

I was thinking maybe the issue is here in
./lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php

         * @link https://github.com/owncloud/core/issues/13458
         */
        protected $inlineStyleAllowed = null;
        /** @var array Domains from which CSS can get loaded */
        protected $allowedStyleDomains = null;
        /** @var array Domains from which images can get loaded */
        protected $allowedImageDomains = null;
        /** @var array Domains to which connections can be done */
        protected $allowedConnectDomains = null;
        /** @var array Domains from which media elements can be loaded */
        protected $allowedMediaDomains = null;
        /** @var array Domains from which object elements can be loaded */
        protected $allowedObjectDomains = null;
        /** @var array Domains from which iframes can be loaded */
        protected $allowedFrameDomains = null;
        /** @var array Domains from which fonts can be loaded */
        protected $allowedFontDomains = null;
        /** @var array Domains from which web-workers and nested browsing content can load elements */
        protected $allowedChildSrcDomains = null;
        /** @var array Domains which can embed this Nextcloud instance */
        protected $allowedFrameAncestors = null;
        /** @var array Domains from which web-workers can be loaded */
        protected $allowedWorkerSrcDomains = null;
        /** @var array Domains which can be used as target for forms */
        protected $allowedFormActionDomains = null;

        /** @var array Locations to report violations to */
        protected $reportTo = null;

So I hard-coded the form-action policy to 'self' instead of null:

$policy .= "form-action 'self';";

and I commented out

                /**
                if (!empty($this->allowedFormActionDomains)) {
                        $policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
                        $policy .= ';';
                }
                **/

But this too doesn't seem to work. If anyone can give me pointers I can troubleshoot further; maybe I am hitting the wrong part of the code.

Having the same issue as @vitachaos, would appreciate a fix for this

You need to set overwriteprotocol to https:

Thanks @vitachaos, but my issue was different. I had already set that option, and in my case it was trying to redirect to a completely different domain outside Nextcloud, so I had to patch the file.

Where is this file ContentSecurityPolicy.php located in /var/www/nextcloud/*?

In /var/www/nextcloud type

find . -iname 'ContentSecu*'

to find your file. But should you not just set 'overwriteprotocol' => 'https', as mentioned above?

Old issue (I'm now on NC 26), but I got a note that the site does not prevent clickjacking. I've made the following change to ContentSecurityPolicy.php (it was empty):

        protected $allowedFrameDomains = [
                '\'self\'',
        ];

See frame-ancestors in CSP ⟶ Allowing / Blocking iframes from Loading for more info.
I’ve yet to update to NC 27, but perhaps this change should be considered for inclusion?