CSP "Content Security Policy" missing in Nextcloud manual

Warning: this is a security related topic. Please read the complete discussion before blindly copying configuration settings.

CSP missing in Nextcloud Nginx docs configuration manual:
https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nginx-configuration
Nginx:

add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline' https:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https:; font-src 'self' data:; img-src 'self' data: blob:; connect-src 'self' wss:; frame-src 'self';" always;

For Apache it should work with:

<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline' https:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https:; font-src 'self' data:; img-src 'self' data: blob:; connect-src 'self' wss:; frame-src 'self';"
</IfModule>

Actually, NO!!!

The CSP should not be altered by the serving software (be it Apache, Nginx, or any other). This is the job of the Nextcloud PHP code.

There might be reasons for putting more or less restrictive headers there depending on the use case. In fact the app can individually decide which headers to send. By “repairing” the headers in such a crude manner, you have no clue what security issues might arise.

So, again, for all those that found the topic: do not replace the security related headers like CSP without explicit knowledge and need. I just wrote this to avoid such work being done by anyone.

The problem with security is: unless you test it (and you know how to test it), it seems to work. Your users are happy. No one complains, not even the hackers :stuck_out_tongue_winking_eye:. You only see the problem later when something nasty has happened.

If there was the need to do such a thing, this is either a bug (which should be reported and fixed in the first place) or a use case that was never considered yet (and should be brought to the devs' awareness). There might be a workaround to be installed, but that would be much more narrowed down and must be replaced after fixing.

Just 50ct.

3 Likes

Just chiming in to make it very clear and reiterate what Christian said: CSP is managed dynamically by Nextcloud Server. Do not set the header statically like this yourself.

If the header is missing, something is misconfigured in your environment (e.g. an RP/web server is clearing and not passing on headers).

Also, as a reminder, security matters have their own reporting channel. Every repository within the project on GitHub has a Security Policy link. Or you can visit the one in the main repository directly.

That said, thanks for being diligent. :slight_smile:

YES
I have it:

grep -RnisI -B2  Content-Security-Policy  /var/www/nextcloud/lib/private/
/var/www/nextcloud/lib/private/legacy/OC_Response.php-69-			. 'object-src \'none\'; '
/var/www/nextcloud/lib/private/legacy/OC_Response.php-70-			. 'base-uri \'self\'; ';
/var/www/nextcloud/lib/private/legacy/OC_Response.php:71:		header('Content-Security-Policy:' . $policy);
--
/var/www/nextcloud/lib/private/EventSource.php-36-			$this->fallBackId = (int)$_GET['fallback_id'];
/var/www/nextcloud/lib/private/EventSource.php-37-			/**
/var/www/nextcloud/lib/private/EventSource.php:38:			 * FIXME: The default content-security-policy of ownCloud forbids inline
--
/var/www/nextcloud/lib/private/EventSource.php-45-			 * @link https://github.com/owncloud/core/issues/14286
/var/www/nextcloud/lib/private/EventSource.php-46-			 */
/var/www/nextcloud/lib/private/EventSource.php:47:			header("Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'");

I got the warning by scanning with hostedscan, so I became suspicious. So where is the issue then =) I’m still on it…

2 Likes
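As an added example (not code from this thread or from Nextcloud), a small Python audit that parses a CSP header value into its directives and reports what a reviewer would flag in the static policy from the first post (script-src with 'unsafe-inline', 'unsafe-eval' and any https: origin; no explicit object-src or base-uri, which the grep output shows Nextcloud's own code setting) and also handles the case the second reply describes, a header that is missing altogether. The `parse_csp` and `audit_csp` names and the wording of the findings are my own.

```python
from __future__ import annotations
# Directives that default-src does NOT cover; they must be set explicitly.
NON_FALLBACK_DIRECTIVES = ("base-uri", "frame-ancestors")
# script-src values a reviewer flags: inline/eval, plus scheme/wildcard sources open to any origin.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "https:", "http:", "*")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "name src src; name ..." into {name: [sources]}; names are lower-cased."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            # A repeated directive is ignored by browsers; keep the first occurrence.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header: str | None) -> list[str]:
    """Return findings for one response's CSP header value (None = header absent)."""
    if header is None:
        # The thread's point: a missing header means the app's header was lost on
        # the way (reverse proxy / web server), not that one should be hard-coded.
        return ["no Content-Security-Policy header: check that the proxy and web "
                "server pass the application's headers through"]
    policy = parse_csp(header)
    findings = []
    script = policy.get("script-src", policy.get("default-src", []))
    findings += [f"script-src allows {src}" for src in WEAK_SCRIPT_SOURCES if src in script]
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src not explicitly 'none' (falls back to default-src)")
    findings += [f"{name} missing (default-src does not apply to it)"
                 for name in NON_FALLBACK_DIRECTIVES if name not in policy]
    return findings


# Constructed inputs: the static policy proposed in the first post, and the tail
# of the policy that the grep output shows Nextcloud's own PHP code sending.
STATIC_POLICY = ("default-src 'self'; style-src 'self' 'unsafe-inline' https:; "
                 "script-src 'self' 'unsafe-eval' 'unsafe-inline' https:; "
                 "font-src 'self' data:; img-src 'self' data: blob:; "
                 "connect-src 'self' wss:; frame-src 'self';")
NEXTCLOUD_TAIL = "object-src 'none'; base-uri 'self';"

if __name__ == "__main__":
    for label, value in (("static", STATIC_POLICY), ("nextcloud tail", NEXTCLOUD_TAIL), ("missing", None)):
        print(label)
        for finding in audit_csp(value):
            print("  -", finding)
```

Run it against the header a browser actually receives (for example copied from the developer tools) rather than against the configured value, so a proxy that strips or duplicates the header shows up too.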

Just for reference: any app can use the CSP classes provided by the PHP NC core: Nextcloud PHP API (master)