Hi everyone,
I am running version 25.0.2 and there appears to be an issue with the content security policy, namely some elements of the page being prevented by script-src and media-src commands.
Unfortunately, I can’t really point to where this originally comes from, because I only found out while trying to figure out why Nextcloud Office wouldn’t start.
I found no content security policy definitions in the .htaccess or in the HTML head, yet when analysing it with https://report-uri.com/home/analyse, I find a pretty detailed CSP (which states that scripts need a nonce and media has to be loaded from ‘self’).
Can anybody tell me where the CSP is defined?
EDIT: I am running Nextcloud on a shared hosting server, and used an automatic installer supplied by the webhoster. Right after a fresh install (page “Recommended apps”), the error already occurs. So maybe there is the issue. Will look further into that.
Okay, I have tried the automatic installation and the “manual install” via setup-nextcloud.php on two different webhosters’ servers, and I always end up with
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). moz-extension:1:294
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“media-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). moz-extension:42:9
in Firefox and the following in Chrome:
Refused to execute inline event handler because it violates the following Content Security Policy directive: “script-src ‘nonce-…’ blob:”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-…’), or a nonce (‘nonce-…’) is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the ‘unsafe-hashes’ keyword is present.
I have a feeling I am missing something obvious. Can anyone enlighten me?
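
Added example, not part of the original post: a CSP that is in neither .htaccess nor the HTML head can still reach the browser as an HTTP response header sent by the application. The sketch below (function names and the sample response are constructed for illustration) locates each policy in a raw response and checks why an inline event handler fails under a nonce-only script-src, as in the Chrome message above.

```javascript
// Added example. SAMPLE_RESPONSE is constructed; the nonce is a placeholder.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=UTF-8",
  "Content-Security-Policy: default-src 'none'; script-src 'nonce-PLACEHOLDER' blob:; media-src 'self'",
  "",
  '<html><head><title>demo</title></head><body onload="init()"></body></html>',
].join("\r\n");

// Report every place a raw HTTP response delivers a CSP: header or <meta> tag.
function findCspSources(raw) {
  const split = raw.indexOf("\r\n\r\n");
  const head = split === -1 ? raw : raw.slice(0, split);
  const body = split === -1 ? "" : raw.slice(split + 4);
  const found = [];
  for (const line of head.split("\r\n").slice(1)) { // skip the status line
    const i = line.indexOf(":");
    if (i > 0 && line.slice(0, i).trim().toLowerCase() === "content-security-policy") {
      found.push({ source: "http-header", policy: line.slice(i + 1).trim() });
    }
  }
  // Simplification: expects http-equiv before a double-quoted content attribute.
  const meta = /<meta[^>]+http-equiv=["']?content-security-policy["']?[^>]*\scontent="([^"]*)"/gi;
  for (const m of body.matchAll(meta)) found.push({ source: "meta-tag", policy: m[1] });
  return found;
}

// Split a policy into directive -> source list; a repeated directive is ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// kind is "script-element" (can carry a nonce) or "event-handler" (cannot).
// Simplification: hash matching, 'unsafe-hashes' and script-src-attr/-elem are not modelled.
function inlineAllowed(directives, kind, nonce) {
  const src = directives.get("script-src") ?? directives.get("default-src");
  if (src === undefined) return true; // nothing governs scripts
  const hasNonceOrHash = src.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // 'unsafe-inline' is ignored by browsers once a nonce or hash is present.
  if (src.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  if (kind === "script-element" && nonce) return src.includes(`'nonce-${nonce}'`);
  return false;
}
```

To run it against a live page, paste the raw response (for example from the browser's network panel) in place of the constructed sample.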