Hello to the Nextcloud community,
I’m involved in a new project where developing a custom App for the Nextcloud installation is needed.
The coders that develop the App stumbled across a problem with the Nextcloud Content Security Policy. Apparently, the Content Security Policy and in particular the allowed sources for scripts, stylesheets, fonts, … are hardcoded into the Nextcloud core code in addSecurityHeader() at lib/private/legacy/response.php:
```php
$policy = 'default-src \'self\'; '
    . 'script-src \'self\' \'unsafe-eval\'; '
    . 'style-src \'self\' \'unsafe-inline\'; '
    . 'frame-src *; '
    . 'img-src * data: blob:; '
    . 'font-src \'self\' data:; '
    . 'media-src *; '
    . 'connect-src *';
header('Content-Security-Policy:' . $policy);
```
Unfortunately, the developers need to use external scripts and CSS stylesheets in the App they develop. The Content Security Policy as implemented in the quoted function forbids this globally.
So far, we didn’t find a way to change this Content Security Policy without editing the core code of Nextcloud (i.e. the quoted function). Is it just us or is there no way in Nextcloud to change the default Content Security Policy apart from changing the core code at lib/private/legacy/response.php?
There also exists buildPolicy() in lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php, which seems to build a Content Security Policy based on several variables ($this->allowedScriptDomains, $this->allowedStyleDomains, …). Is this function intended to build a custom Content Security Policy? If yes, how can I configure it? Via settings in config/config.php or via invoking the function in the App code?
Thanks in advance for your advice.
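As an added illustration (not part of the original post, and not Nextcloud's own code): the public AppFramework class OCP\AppFramework\Http\ContentSecurityPolicy extends the EmptyContentSecurityPolicy mentioned above and exposes add*Domain() methods that feed the variables buildPolicy() reads ($this->allowedScriptDomains, $this->allowedStyleDomains, ...). Attaching such a policy to a TemplateResponse widens only the directives that one page needs, and only for that response, so the global header stays untouched. The app name, controller and external hosts below are hypothetical placeholders.

```php
<?php
// Added example, not from the original post or from Nextcloud itself.
// Assumed: a hypothetical app "myapp" with a page controller that renders
// the template "index"; the host names are placeholders.
namespace OCA\MyApp\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\ContentSecurityPolicy;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\IRequest;

class PageController extends Controller {
    public function __construct(string $appName, IRequest $request) {
        parent::__construct($appName, $request);
    }

    /**
     * @NoAdminRequired
     */
    public function index(): TemplateResponse {
        $response = new TemplateResponse($this->appName, 'index');

        // Start from the framework's default policy ('self' for scripts,
        // styles and fonts) and add only the extra origins this page needs.
        // Each method appends to the corresponding allowed*Domains list that
        // EmptyContentSecurityPolicy::buildPolicy() later serialises.
        $csp = new ContentSecurityPolicy();
        $csp->addAllowedScriptDomain('cdn.example.invalid');  // placeholder host
        $csp->addAllowedStyleDomain('cdn.example.invalid');   // placeholder host
        $csp->addAllowedFontDomain('fonts.example.invalid');  // placeholder host

        // The policy is scoped to this response only; other pages keep the
        // default header, so the widening is as narrow as possible.
        $response->setContentSecurityPolicy($csp);
        return $response;
    }
}
```

Keeping the allow-list to the specific hosts that serve the script, stylesheet and font files (rather than a wildcard) preserves most of the protection the default policy provides; the resulting header can be checked in the browser's network panel on that page alone.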