CSP configuration performed by user or host?

Per https://github.com/nextcloud/tasks/issues/2274#issuecomment-1873495567, I’m unable to view ![title](https://example.com/image.extension){.MD} in tasks descriptions at Login – Nextcloud. This appears to be due to CSP (mis)configuration. Am I able to modify this as an unprivileged user, or must I ask the host? A client-side bypass workaround is acceptable.

I’m unable to view ![title](https://example.com/image.extension){.MD} in tasks descriptions

Reading through the issue I was surprised the image loaded for @raimund-schluessler: I didn’t think any standard components of Server or shipped-by-default apps set the ContentSecurityPolicy to permit img-src from arbitrary domains… other than under very narrow and carefully considered and controlled circumstances. (And AFAIK the tasks app doesn’t override/adjust the CSP itself).

Then I came up with a hypothesis: they might have an app like integration_github installed… Which just so happens to explicitly add the GH image domain to NC’s Content-Security-Policy here:

I suspect img-src sources other than GH would not have worked (there may be an override in debug mode also - I can’t remember).

So I don’t think what you’re trying to do normally works; it doesn’t for me on latest NC27 on a test instance (lacking the above mentioned app). I did not check any other versions.

But to your question…

Am I able to modify this as an unprivileged user, or must I ask the host? A client-side bypass workaround is acceptable.

Server-side: No.

Client-side: Yes, there are browser extensions (and sometimes browser options) that can be used to adjust/override the Content-Security-Policy. Should be easy to find via your favorite search engine for your browser.

P.S. It looks like your host is using v25.0.8 (a bit out of date even within NC25 which made it to v25.0.13 before reaching end of life).

P.P.S. CSP references you might find helpful:


For me it works with basically every domain. But you are right, on my local dev server with very few apps installed, loading images is blocked by CSP as well.

However, I couldn’t figure out yet which app(s) allow images. A quick search in GitHub shows that there are multiple apps, of which a few are installed on my production instance, that completely allow all image domains. Such as:

- Maps
- Notes
- PDF Viewer

And there are multiple more that partially allow image domains. So, yes, I guess you are right that the reason it just works here is an app allowing all images to load.


@raimund-schluessler, seems like a significant security deficiency that the administrator can’t comprehensively see all security policy overrides at a moment’s notice, right? I’m surprised NC appears to lack that.
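Since the thread ends on the point that an admin cannot easily see which apps have widened img-src, here is an added example (not code from this thread or from Nextcloud) that parses the effective Content-Security-Policy header an instance sends and reports whether a given image URL would pass img-src, and which sources admit arbitrary remote hosts. The sample headers and the origin cloud.example.test are constructed; the matching implements a simplified subset of CSP3 source expressions (keywords, scheme-sources, host-sources with a leading wildcard), ignoring paths and ports.

```python
from urllib.parse import urlparse

# Constructed sample headers shaped like the cases discussed in the thread:
# stock img-src, one app adding the GitHub image host, and an app allowing all image domains.
SAMPLE_HEADERS = {
    "stock": "default-src 'self'; img-src 'self' data: blob:; script-src 'self'",
    "github_integration": "default-src 'self'; img-src 'self' data: blob: https://avatars.githubusercontent.com",
    "allow_all_images": "default-src 'self'; img-src 'self' data: blob: *",
}

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [lowercased source expressions]}; first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def _matches(source: str, url, origin: str) -> bool:
    """Simplified CSP3 source matching for one source expression against a parsed URL."""
    hostname = url.hostname or ""
    if source == "'self'":
        return f"{url.scheme}://{url.netloc}" == origin.lower()
    if source == "*":  # bare wildcard covers network schemes only, never data:/blob:
        return url.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":") and "/" not in source:  # scheme-source such as data: or https:
        return url.scheme + ":" == source or (source == "http:" and url.scheme == "https")
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != url.scheme and not (scheme == "http" and url.scheme == "https"):
        return False
    host = host.split("/", 1)[0].split(":")[0]  # drop path and port for this check
    if host == "*":
        return True
    if host.startswith("*."):
        return hostname.endswith(host[1:])
    return hostname == host

def effective_img_sources(header: str) -> list:
    """img-src if present, otherwise the default-src fallback the browser would use."""
    policy = parse_csp(header)
    return policy.get("img-src", policy.get("default-src", []))

def image_allowed(header: str, image_url: str, origin: str = "https://cloud.example.test") -> bool:
    """Would a browser on the given page origin load image_url under this policy?"""
    sources = effective_img_sources(header)
    if "'none'" in sources:
        return False
    return any(_matches(s, urlparse(image_url), origin) for s in sources)

def wide_open_sources(header: str) -> list:
    """Sources in the effective img-src that admit arbitrary remote hosts; the ones an admin should look for."""
    return [s for s in effective_img_sources(header) if s in ("*", "http:", "https:", "http://*", "https://*")]
```

Feed it the real header (e.g. from `curl -sI` against the instance) to see the merged policy all installed apps produce, which is the view the admin UI does not offer.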