CSP Wildcard Directives (frame-src *, img-src *, media-src *, connect-src *)

💻 Development
1

Is there way to fix this on Nextcloud Hub 25 Autumn (32.0.6)? This report was on the ZAP Report

“Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate
certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data
injection attacks. These attacks are used for everything from data theft to site defacement
or distribution of malware. CSP provides a set of standard HTTP headers that allow website
owners to declare approved sources of content that browsers should be allowed to load on
that page — covered types are JavaScript, CSS, HTML frames, fonts, images and
embeddable objects such as Java applets, ActiveX, audio and video files.”

URL https:///
Node
Name https:///
Method GET
Attack

Evidence

default-src ‘self’; script-src ‘self’ ‘nonce-
QPGyKhQ6rLKUTcRiZlgjzbPtNbdJek+jCjVoYpwWISU=’; style-src ‘self’ ‘unsafe-inline’;

frame-src *; img-src * data: blob:; font-src ‘self’ data:; media-src *; connect-src *; object-src
‘none’; base-uri ‘self’;

2

Hello @adelacruz

What is a ZAP report? I do not know this and a quick google did not find anything obvious.

What is this? Part of the report?

I am sorry, but I do not understand your post, sorry. You started a topic in development category. This category is intended for active developers of the core or apps in the Nextcloud ecosystem.
From the description in your topic, it is not clear if you are seeking help and advice about a concrete problem you have or you want to actually develop the corresponding solution.

Please specify explicitly the required information to help you best. These are:

  1. What you want to achieve
  2. What you have done so far
  3. What is failing
  4. What you expect from the forum community

Without additional information the community members cannot help you in an efficient manner. Please keep in mind that the help here in the forum are mostly based on work of volunteers and thus it is just fair to reduce the burden on them.

If you accidentally posted in the category, just give a hint and a moderator can move the corresponding category. If you intended to ask for the main devs to look at your problem, you will probably have to file a bug report on GitHub. I can share a link to the corresponding repo if you tell me more about your problem. I guess (but I am not sure) that it is the server repo, that you might be looking for.

Regards,
Christian