### ⚠️ This issue respects the following points: ⚠️
- [X] This is a **bug**, not a question or a configuration/webserver/proxy issue.
- [X] This issue is **not** already reported on [Github](https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3Abug) OR [Nextcloud Community Forum](https://help.nextcloud.com/) _(I've searched it)_.
- [X] Nextcloud Server **is** up to date. See [Maintenance and Release Schedule](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule) for supported versions.
- [X] I agree to follow Nextcloud's [Code of Conduct](https://nextcloud.com/contribute/code-of-conduct/).
### Bug description
After upgrading from 26 to 27.0.1, Nextcloud sets an unpunycoded Unicode domain in the CSP header.
This prevents browsers from loading all assets.
Example CSP header generated by Nextcloud:
```
Content-Security-Policy default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-eVJrNk93WHBSdjNDUkNvUXI3azcxdzdSZ2ZqeXpPbEFPd0JqQnNLWUtEST06a0g1M1NqeURBWitNQmdGMjRNNVluVVdROUxmQW42NE5kellKTXFudVlIZz0=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://cloud.täst.de;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self' nc: https://cloud.täst.de;frame-ancestors 'self' https://cloud.täst.de;form-action 'self' https://cloud.täst.de.de
```
Affected routes:
- /apps/files
- /apps/photos
- /apps/contacts
- /apps/calendar
- /apps/phonetrack
- /settings

Not affected routes:
- /remote.php
- /ocs
- /js
- /apps/keeweb
### Steps to reproduce
1. Update Nextcloud from 26 to 27.0.1
2. nginx/php8.2-fpm
### Expected behavior
If the instance has a Unicode domain, the FQDN must be punycoded in the Content-Security-Policy header.
### Installation method
Community VM appliance
### Nextcloud Server version
27
### Operating system
Debian/Ubuntu
### PHP engine version
PHP 8.2
### Web server
Nginx
### Database engine version
PostgreSQL
### Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
### Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
### What user-backends are you using?
- [X] Default user-backend _(database)_
- [ ] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
### Configuration report
```shell
{
"system": {
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost",
"cloud.xn--tst-qla.de"
],
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"overwritehost": "cloud.xn--tst-qla.de",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "pgsql",
"version": "27.0.1.2",
"overwrite.cli.url": "https:\/\/cloud.xn--tst-qla.de",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"memcache.local": "\\OC\\Memcache\\Redis",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": "0"
},
"filelocking.enabled": "true",
"enable_previews": "true",
"enabledPreviewProviders": [
"OC\\Preview\\PNG",
"OC\\Preview\\JPEG",
"OC\\Preview\\GIF",
"OC\\Preview\\BMP",
"OC\\Preview\\XBitmap",
"OC\\Preview\\Movie",
"OC\\Preview\\PDF",
"OC\\Preview\\MP3",
"OC\\Preview\\TXT",
"OC\\Preview\\MarkDown",
"OC\\Preview\\TIFF"
],
"preview_max_scale_factor": "1",
"preview_max_memory": "256",
"auth.bruteforce.protection.enabled": "true",
"trashbin_retention_obligation": "auto,7",
"skeletondirectory": "",
"defaultapp": "file",
"activity_expire_days": "14",
"integrity.check.disabled": "false",
"updater.release.channel": "stable",
"mail_smtpmode": "smtp",
"mail_smtpsecure": "tls",
"mail_sendmailmode": "smtp",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "25",
"maintenance": false,
"theme": "",
"loglevel": 2,
"default_phone_region": "de",
"check_for_working_wellknown_setup": false,
"allow_local_remote_servers": true
}
}
```
### List of activated Apps
```shell
Enabled:
- activity: 2.19.0
- admin_audit: 1.17.0
- calendar: 4.4.3
- checksum: 1.2.2
- circles: 27.0.1
- cloud_federation_api: 1.10.0
- comments: 1.17.0
- contacts: 5.3.2
- contactsinteraction: 1.8.0
- dav: 1.27.0
- drawio: 2.1.2
- federatedfilesharing: 1.17.0
- federation: 1.17.0
- files: 1.22.0
- files_pdfviewer: 2.8.0
- files_rightclick: 1.6.0
- files_sharing: 1.19.0
- files_trashbin: 1.17.0
- files_versions: 1.20.0
- groupfolders: 15.0.1
- keeweb: 0.6.13
- logreader: 2.12.0
- lookup_server_connector: 1.15.0
- nextcloud_announcements: 1.16.0
- notifications: 2.15.0
- oauth2: 1.15.1
- password_policy: 1.17.0
- phonetrack: 0.7.6
- photos: 2.3.0
- privacy: 1.11.0
- provisioning_api: 1.17.0
- recommendations: 1.6.0
- related_resources: 1.2.0
- richdocuments: 8.1.0
- serverinfo: 1.17.0
- settings: 1.9.0
- sharebymail: 1.17.0
- support: 1.10.0
- systemtags: 1.17.0
- text: 3.8.0
- theming: 2.2.0
- twofactor_backupcodes: 1.16.0
- updatenotification: 1.17.0
- user_status: 1.7.0
- viewer: 2.1.0
- weather_status: 1.7.0
- workflowengine: 2.9.0
Disabled:
- bruteforcesettings: 2.7.0
- collectives: 2.6.1 (installed 2.6.1)
- dashboard: 7.7.0 (installed 7.1.0)
- encryption: 2.15.0
- files_external: 1.19.0
- files_markdown: 2.4.1 (installed 2.4.1)
- firstrunwizard: 2.16.0 (installed 2.10.0)
- ransomware_protection: 1.14.0 (installed 1.14.0)
- survey_client: 1.15.0 (installed 1.9.0)
- suspicious_login: 5.0.0
- twofactor_totp: 9.0.0
- user_ldap: 1.17.0
```
### Nextcloud Signing status
```shell
No errors have been found.
```
### Nextcloud Logs
```shell
No related logs
```
### Additional info
_No response_
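
A check for the condition described in this report, added here as an example; it is not Nextcloud code and not part of the original issue. It flags CSP sources whose host is not in ASCII (punycode) form and shows the header with those hosts converted. The function names (`to_alabel`, `split_source`, `audit_csp`) are hypothetical, the sample header is constructed from the one in the report, and the conversion uses Python's built-in `idna` codec (IDNA 2003).

```python
import re

# Constructed sample modelled on the header in the report (nonce replaced by a placeholder).
SAMPLE_CSP = (
    "default-src 'none';base-uri 'none';script-src 'nonce-EXAMPLE';"
    "img-src 'self' data: blob: https://cloud.täst.de;"
    "frame-src 'self' nc: https://cloud.täst.de;"
    "frame-ancestors 'self' https://cloud.täst.de"
)

def to_alabel(host):
    """Convert every non-ASCII label of a host name to its xn-- (A-label) form."""
    # Python's built-in "idna" codec implements IDNA 2003; ASCII labels such as
    # a leading "*" wildcard are passed through untouched.
    return ".".join(
        label if label.isascii() else label.encode("idna").decode("ascii")
        for label in host.split(".")
    )

def split_source(token):
    """Split a CSP host-source into (scheme prefix, host, port/path remainder)."""
    scheme, sep, rest = token.partition("://")
    if not sep:                      # no scheme given, e.g. "*.example.org"
        scheme, rest = "", token
    host = re.match(r"[^/:]*", rest).group(0)
    return scheme + sep, host, rest[len(host):]

def audit_csp(header):
    """Return (findings, fixed_header); findings lists (directive, source) pairs."""
    findings, fixed = [], []
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0], []
        for src in parts[1:]:
            if not src.isascii():    # keywords, nonces and scheme-sources are ASCII
                findings.append((name, src))
                prefix, host, tail = split_source(src)
                src = prefix + to_alabel(host) + tail
            sources.append(src)
        fixed.append(" ".join([name] + sources))
    return findings, ";".join(fixed)

if __name__ == "__main__":
    found, repaired = audit_csp(SAMPLE_CSP)
    print(found, repaired, sep="\n")
```

Run against a captured response header, an empty findings list means every host-source is already ASCII.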