Content Security Policy with Adding Microsoft Login

I’m trying to develop an app that allows the user to sign into Microsoft Azure and displays their Azure portal information on the Nextcloud site, such as what subscriptions and virtual machines they have. However, whenever my JavaScript executes the code that is supposed to redirect the user to the Microsoft login, I get the following error:

Content-Security-Policy: The page’s settings blocked the loading of a resource at Sign in to your account (“form-action”).

I’ve tried several fixes that I found in these forums and on other websites, such as adding the following to the config.php file:

'overwrite.cli.url' => ''

and adding the following meta tag to the app template:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://*;child-src 'self' 'unsafe- inline' 'unsafe-eval' https://*; object-src 'self' 'unsafe-inline' 'unsafe-eval' https://*; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*; img-src 'self' 'unsafe-inline' 'unsafe-eval' https://*;">

but neither solution has worked for me. Is there any way to get around this issue?

You cannot change the headers of an HTML page from the template. The template is just some text that is inserted into the body tag of a page (nested somewhere inside the various styling tags).

You need to change the content security policy of the index page. In the docs is a section about content security policies. Instead of creating a new one, you should (but I have not tested it) be able to just get the currently installed policy from the Response. You will have to use addAllowedFormActionDomain.

With that, the CSP meta tag should be updated accordingly as you can check in the browser.

Thank you so much. I was able to change the CSP in the response created from PageController.php and it worked!

1 Like