CSP interferes with scripts

Hi everyone,
I am running version 25.0.2 and there appears to be an issue with the content security policy, namely some elements of the page being prevented by script-src and media-src commands.

Unfortunately, I can’t really point to where this originally comes from, because I only found out while trying to figure out why Nextcloud Office wouldn’t start.

I found no content security policy definitions in the .htaccess or in the HTML head, yet when analysing it with https://report-uri.com/home/analyse , I find a pretty detailed CSP (which states that scripts need a nonce and media has to be loaded from ‘self’).

Can anybody tell me where the CSP is defined?


EDIT: I am running Nextcloud on a shared hosting server, and used an automatic installer supplied by the webhoster. Right after a fresh install (page “Recommended apps”), the error already occurs. So maybe there is the issue. Will look further into that.

Okay, I have tried the automatic installation and the “manual install” via setup-nextcloud.php on two different webhosters’ servers, and I always end up with

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). moz-extension:1:294

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“media-src”).

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). moz-extension:42:9

in Firefox and the following in Chrome:

Refused to execute inline event handler because it violates the following Content Security Policy directive: “script-src ‘nonce-…’ blob:”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-…’), or a nonce (‘nonce-…’) is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the ‘unsafe-hashes’ keyword is present.

I have a feeling I am missing something obvious. Can anyone enlighten me?
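
Added example, not part of the original posts: a CSP can be sent by the application itself in the `Content-Security-Policy` HTTP response header, so it need not appear in `.htaccess` or the HTML head. The sketch below parses such a header value, shows why a nonce-based `script-src` still refuses inline event handlers, and separates console lines that point at extension code. The header string, the nonce value and all function names are assumptions made for illustration.

```javascript
// Added example. SAMPLE_HEADER is constructed: the directive shape follows the
// Chrome message quoted above, the nonce value "abc123" is made up.
const SAMPLE_HEADER =
  "default-src 'none'; script-src 'nonce-abc123' blob:; media-src 'self'";

// Split a Content-Security-Policy header value into directive -> source list.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A directive that appears twice is ignored the second time.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// kind: 'script-element' (inline <script>, which can carry a nonce attribute)
//       'event-handler'  (onclick="..." and similar, which cannot)
// Hash sources and 'strict-dynamic' are not modelled here.
function inlineScriptAllowed(policy, kind, nonce) {
  const specific = kind === 'event-handler' ? 'script-src-attr' : 'script-src-elem';
  const sources = policy.get(specific) ?? policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive, no restriction
  if (kind === 'script-element' && nonce && sources.includes(`'nonce-${nonce}'`)) {
    return true;
  }
  // Browsers ignore 'unsafe-inline' as soon as a nonce or hash source is listed.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return unsafeInline && !hasNonceOrHash;
}

// Console lines whose source location uses an extension URL scheme refer to
// code shipped by a browser add-on, not to files served by the site.
function violationOrigin(consoleLine) {
  return /\b(moz|chrome|safari-web)-extension:/.test(consoleLine) ? 'extension' : 'page';
}

const policy = parseCsp(SAMPLE_HEADER);
console.log(inlineScriptAllowed(policy, 'event-handler'));
console.log(inlineScriptAllowed(policy, 'script-element', 'abc123'));
console.log(violationOrigin('blocked ... ("script-src"). moz-extension:1:294'));
```
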

Nextcloud 26.1
Nextcloud office app 8.0.2

I have the same problem here. A colleague allows me to use his Nextcloud Office setup, but if I open a document I get a black screen.
Firefox web console says:

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src").
Source: event.preventDefault()
___
XHRGET
https://xxxxxxxxxxxxx.com/ocs/v2.php/apps/text/workspace?path=/
[HTTP/2 404 Not Found 1399ms]

I don’t know what to do now.

[Edit:]
As far as I know, this error appears in the web console the moment I open the files app.

log:

No new notification data received NotificationsApp.vue:382
Polling interval updated to 30000 NotificationsApp.vue:414
jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. 4 globals.js:59:15
$ is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. 10 globals.js:59:15
jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. 4 globals.js:59:15
File info for /DATA/file.xlsx fetched 
Object { filename: "/DATA/file.xlsx", basename: "file.xlsx", lastmod: "Tue, 16 May 2023 13:09:51 GMT", size: 11733, type: "file", etag: null, mime: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", getlastmodified: "Tue, 16 May 2023 13:09:51 GMT", getcontenttype: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", resourcetype: "", … }
Viewer.vue:501
[DEBUG] viewer: Fetching additional files... 
Object { app: "viewer", uid: "USER", level: 0 }
ConsoleLogger.js:50:18
You need to fill either the text or the ariaLabel props in the button component. 
Object { text: undefined, ariaLabel: null }
 
Object { _uid: 31, _isVue: true, __v_skip: true, _scope: {…}, "$options": {…}, _renderProxy: {…}, _self: {…}, "$parent": {…}, "$root": {…}, "$children": [], … }
index.module.js:2:807410
You need to fill either the text or the ariaLabel props in the button component. 
Object { text: undefined, ariaLabel: null }
 
Object { _uid: 31, _isVue: true, __v_skip: true, _scope: {…}, "$options": {…}, _renderProxy: {…}, _self: {…}, "$parent": {…}, "$root": {…}, "$children": [], … }
index.module.js:2:807410
$ is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. globals.js:59:15
OC.getCapabilities is deprecated and will be removed in Nextcloud 21. See @nextcloud/capabilities capabilities.js:35:9
You need to fill either the text or the ariaLabel props in the button component. 
Object { text: undefined, ariaLabel: null }
 
Object { _uid: 31, _isVue: true, __v_skip: true, _scope: {…}, "$options": {…}, _renderProxy: {…}, _self: {…}, "$parent": {…}, "$root": {…}, "$children": [], … }
index.module.js:2:807410
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. 24 globals.js:59:15
Proxying an event bus of version 3.0.2 with 1.3.0 index.es.js:2337:14
jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. globals.js:59:15
$ is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. globals.js:59:15
OCA.Comments.View initialized comments-app.js:32:8
jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. 6 globals.js:59:15
Fehler beim Laden des lesbareren Quelltexts: can't assign to property "metadata" on "request failed with status 404": not an object
Adresse des lesbareren Quelltexts: <unknown>
jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. 24 globals.js:59:15
Diese Seite verwendet die nicht standardisierte Eigenschaft "zoom". Stattdessen sollte calc() in den entsprechenden Eigenschaftswerten oder "transform" zusammen mit "transform-origin: 0 0" verwendet werden. index
jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own. 4 globals.js:59:15
FAILED Office.vue:205
You need to fill either the text or the ariaLabel props in the button component. 
Object { text: undefined, ariaLabel: null }
 
Object { _uid: 31, _isVue: true, __v_skip: true, _scope: {…}, "$options": {…}, _renderProxy: {…}, _self: {…}, "$parent": {…}, "$root": {…}, "$children": [], … }
index.module.js:2:807410
No new notification data received NotificationsApp.vue:382
Polling interval updated to 30000 NotificationsApp.vue:414

I found a similar Git Issue and added a comment there. Please tick a Like to the first post if you think it affects you.