CSP interferes with scripts

Hi everyone,
I am running version 25.0.2 and there appears to be an issue with the content security policy, namely some elements of the page being prevented by script-src and media-src commands.

Unfortunately, I can’t really point to where this originally comes from, because I only found out while trying to figure out why Nextcloud Office wouldn’t start.

I found no content security policy definitions in the .htaccess or in the HTML head, yet when analysing it with https://report-uri.com/home/analyse , I find a pretty detailed CSP (which states that scripts need a nonce and media has to be loaded from ‘self’).

Can anybody tell me where the CSP is defined?


EDIT: I am running Nextcloud on a shared hosting server, and used an automatic installer supplied by the webhoster. Right after a fresh install (page “Recommended apps”), the error already occurs. So maybe there is the issue. Will look further into that.

Okay, I have tried the automatic installation and the “manual install” via setup-nextcloud.php on two different webhosters’ servers, and I always end up with

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). moz-extension:1:294

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“media-src”).

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). moz-extension:42:9

in Firefox and the following in Chrome:

Refused to execute inline event handler because it violates the following Content Security Policy directive: “script-src ‘nonce-…’ blob:”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-…’), or a nonce (‘nonce-…’) is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the ‘unsafe-hashes’ keyword is present.

I have a feeling I am missing something obvious. Can anyone enlighten me?