Content Security Policy in Nextcloud

Hello to the Nextcloud community,

I’m involved in a new project where developing a custom App for the Nextcloud installation is needed.

The coders that develop the App stumbled across a problem with the Nextcloud Content Security Policy. Apparently, the Content Security Policy and in particular the allowed sources for scripts, stylesheets, fonts, … are hardcoded into the Nextcloud core code in addSecurityHeader() at lib/private/legacy/response.php:

// Default policy as built in addSecurityHeader() (lib/private/legacy/response.php)
$policy = 'default-src \'self\'; '
         . 'script-src \'self\' \'unsafe-eval\'; '
         . 'style-src \'self\' \'unsafe-inline\'; '
         . 'frame-src *; '
         . 'img-src * data: blob:; '
         . 'font-src \'self\' data:; '
         . 'media-src *; '
         . 'connect-src *';
header('Content-Security-Policy:' . $policy);

Unfortunately, the developers need to use external scripts and CSS stylesheets in the App they develop. The Content Security Policy as implemented in the quoted function forbids this globally.

So far, we didn’t find a way to change this Content Security Policy without editing the core code of Nextcloud (i.e. the quoted function). Is it just us or is there no way in Nextcloud to change the default Content Security Policy apart from changing the core code at lib/private/legacy/response.php?

There also exists buildPolicy() in lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php, which seems to build a Content Security Policy based on several variables ($this->allowedScriptDomains, $this->allowedStyleDomains, …). Is this function intended to build a custom Content Security Policy? If yes, how can I configure it? Via settings in config/config.php or via invoking the function in the App code?

Thanks in advance for your advice.

Why do you need to include external scripts and CSS stylesheets?

The developers want to use an external platform for notification messages and need to include a JS script from this platform.

In the meantime I found the following post by @LukasReschke from April 2015 about CSP in ownCloud. Maybe that’s the solution: Content-Security-Policy and ownCloud

Or did Nextcloud change this in the meantime? Our developers will give it a try.

You can inject changes to the default policy:

Note that this only works on apps that use the AppFramework.

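The following is an added example of the per-response approach the reply above points at; it is not code from this thread or from the Nextcloud project. It assumes an AppFramework app with the placeholder id "myapp" and uses https://notifications.example.test as a placeholder for the notification platform's real origin. The classes and methods used (OCP\AppFramework\Http\ContentSecurityPolicy, addAllowedScriptDomain(), addAllowedStyleDomain(), addAllowedConnectDomain(), Response::setContentSecurityPolicy()) are the public AppFramework CSP API.

```php
<?php
// Added example (not from this thread or the Nextcloud project): an
// AppFramework controller that widens the CSP only for its own response.
// Assumptions: app id "myapp" (placeholder) and the external notification
// platform served from https://notifications.example.test (placeholder
// origin; replace with the real one).

namespace OCA\MyApp\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\ContentSecurityPolicy;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\IRequest;

class PageController extends Controller {
    // Placeholder origin of the external notification platform.
    private const NOTIFY_ORIGIN = 'https://notifications.example.test';

    public function __construct(string $appName, IRequest $request) {
        parent::__construct($appName, $request);
    }

    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     */
    public function index(): TemplateResponse {
        $response = new TemplateResponse($this->appName, 'index');

        // Start from Nextcloud's default policy and add exactly the one
        // external origin the app needs, for scripts and stylesheets.
        // Keep this to exact origins: a wildcard in script-src would
        // undo most of the protection the CSP provides.
        $policy = new ContentSecurityPolicy();
        $policy->addAllowedScriptDomain(self::NOTIFY_ORIGIN);
        $policy->addAllowedStyleDomain(self::NOTIFY_ORIGIN);
        // If the platform's script talks back to its servers (XHR,
        // WebSocket), connect-src needs the origin too.
        $policy->addAllowedConnectDomain(self::NOTIFY_ORIGIN);

        // The policy applies to this response only; every other page of
        // the instance keeps the default.
        $response->setContentSecurityPolicy($policy);
        return $response;
    }
}
```

After deploying, check the served header (browser devtools, or curl -I against the app's page) and confirm that script-src and style-src list the expected origin and nothing broader; the hardcoded policy from lib/private/legacy/response.php stays untouched, which is why this only helps for apps built on the AppFramework.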