CSP Wildcard Directives (frame-src *, img-src *, media-src *, connect-src *)

Is there a way to fix this on Nextcloud Hub 25 Autumn (32.0.6)? This report was in the ZAP report.

“Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate
certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data
injection attacks. These attacks are used for everything from data theft to site defacement
or distribution of malware. CSP provides a set of standard HTTP headers that allow website
owners to declare approved sources of content that browsers should be allowed to load on
that page — covered types are JavaScript, CSS, HTML frames, fonts, images and
embeddable objects such as Java applets, ActiveX, audio and video files.”

URL: https:///
Node Name: https:///
Method: GET
Attack:

Evidence

default-src 'self'; script-src 'self' 'nonce-QPGyKhQ6rLKUTcRiZlgjzbPtNbdJek+jCjVoYpwWISU='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';

Hello @adelacruz

What is a ZAP report? I do not know this and a quick google did not find anything obvious.

What is this? Part of the report?

I am sorry, but I do not understand your post, sorry. You started a topic in development category. This category is intended for active developers of the core or apps in the Nextcloud ecosystem.
From the description in your topic, it is not clear if you are seeking help and advice about a concrete problem you have or you want to actually develop the corresponding solution.

Please specify explicitly the required information to help you best. These are:

  1. What you want to achieve
  2. What you have done so far
  3. What is failing
  4. What you expect from the forum community

Without additional information the community members cannot help you in an efficient manner. Please keep in mind that the help here in the forum is mostly based on the work of volunteers and thus it is only fair to reduce the burden on them.

If you accidentally posted in the category, just give a hint and a moderator can move the corresponding category. If you intended to ask for the main devs to look at your problem, you will probably have to file a bug report on GitHub. I can share a link to the corresponding repo if you tell me more about your problem. I guess (but I am not sure) that it is the server repo, that you might be looking for.

Regards,
Christian

Hi @christianlupus,

Sorry for the late revert.

Please see the full report of the ZAP

The 172.16.1.9:9980 is a containerized collaborative app.

Medium: CSP: style-src unsafe-inline

Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.

CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

URL: https://cloud-domain/index.php/login
Node Name: https://cloud-domain/index.php/login

Method: GET

Attack: none

Evidence: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-cMtJ/WqkEu3KROkC9mayXQulXpDAS0QONFSJPq7iKfM=';script-src-elem 'strict-dynamic' 'nonce-cMtJ/WqkEu3KROkC9mayXQulXpDAS0QONFSJPq7iKfM=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://172.16.1.9:9980;font-src 'self' data:;connect-src 'self'; media-src 'self';frame-src 'self' nc: https://172.16.1.9:9980;frame-ancestors 'self' https://172.16.1.9:9980;form-action 'self' https://172.16.1.9:9980

Other Info: style-src includes unsafe-inline.

Instances: 1

Solution: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Medium: CSP: Failure to Define Directive with No Fallback

Description

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

URL: https://cloud-domain/

Node Name: https://cloud-domain/

Method: GET

Attack:

Evidence: default-src 'self'; script-src 'self' 'nonce-QPGyKhQ6rLKUTcRiZlgjzbPtNbdJek+jCjVoYpwWISU='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';

Other Info: The directive(s): frame-ancestors, form-action is/are among the directives that do not fallback to default-src.

URL: https://cloud-domain/index.php

Node Name: https://cloud-domain/index.php

Method:

Evidence: default-src 'self'; script-src 'self' 'nonce-oep1TWPNJMY28MOT8ucKBjBS7qu9DJeLHZNRus+TMi4='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';

Other Info: The directive(s): frame-ancestors, form-action is/are among the directives that do not fallback to default-src.

URL: https://cloud-domain/index.php/login

Node Name: https://cloud-domain/index.php/login (password, rememberme, requesttoken, timezone, timezone_offset, user)

Method: POST

Attack:

Evidence: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'

Other Info: The directive(s): form-action is/are among the directives that do not fallback to default-src.

I can only repeat my questions:

  1. What is ZAP? Are you referring to https://www.zaproxy.org/?
  2. What are you expecting? What are you looking for?

Chris

Hi @adelacruz, hi @christianlupus,

what I think is happening here is basically this:

The report comes from OWASP ZAP (Zed Attack Proxy).

And the findings are being interpreted as actual misconfigurations that need to be fixed.

But if you look at the details, ZAP is mainly flagging generic CSP topics:

  • style-src 'unsafe-inline' → flagged as potentially unsafe
  • wildcards like frame-src * , img-src * , connect-src * → flagged as too permissive
  • missing directives like form-action or frame-ancestors → flagged because they don’t fall back to default-src

All of that is technically correct from a strict CSP point of view.

However, the important part is: these headers are coming from Nextcloud itself and are designed that way.

For example:

  • nonce-based script-src is already a strong modern protection
  • default-src 'none' (on the login page) is very restrictive
  • the 172.16.1.9:9980 endpoint is most likely a Collabora/CODE container, so it must be allowed for frames/connect

So the actual question behind the post seems to be:

“ZAP tells me my CSP is insecure — is this really a problem and do I need to fix it?”

And the key point is:
This is not a typical misconfiguration, but mostly a set of generic scanner warnings applied to a complex application.

Nextcloud intentionally allows certain things (like unsafe-inline or broader source definitions), because otherwise features like apps, previews, federation or WebDAV would break.

So trying to “fix” all of these findings strictly would very likely cause more problems than it solves.

In short:
This looks like a case where a security scanner reports theoretical weaknesses, but in practice it is expected behavior for a Nextcloud setup.

h.t.h.


ernolf
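To make the three ZAP findings in this thread reproducible (the wildcard sources in the first post's header, and the `unsafe-inline` and no-fallback findings ernolf lists above), here is an added example that is not part of the thread and not Nextcloud or ZAP code. It parses a CSP header, re-runs those three checks, and shows which directive actually governs a request via the CSP Level 3 fallback chain. Assumptions: the `NO_FALLBACK` set and `FALLBACK` chains follow the CSP3 spec, the `'unsafe-inline'` check honours the CSP2 rule that a nonce or hash in the same directive makes `'unsafe-inline'` inert, and the sample headers are constructed by copying the thread's evidence with the quotes normalised to ASCII.

```python
"""Added example (not from the thread): a small CSP checker that reproduces
the ZAP findings discussed above against the policies quoted in the thread."""

from typing import Dict, List, Optional

# Directives that never fall back to default-src (CSP3 document and
# navigation directives). Leaving one out means "no restriction at all".
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")

# CSP3 fallback chains for fetch directives; everything else falls back
# straight to default-src.
FALLBACK = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
    "child-src": ["default-src"],
}

# Constructed samples: the headers quoted in the thread, with ASCII quotes.
ROOT_CSP = (
    "default-src 'self'; script-src 'self' "
    "'nonce-QPGyKhQ6rLKUTcRiZlgjzbPtNbdJek+jCjVoYpwWISU='; "
    "style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; "
    "font-src 'self' data:; media-src *; connect-src *; object-src 'none'; "
    "base-uri 'self';"
)
LOGIN_POST_CSP = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored,
    which is how browsers treat duplicates (first occurrence wins)."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list that actually governs `directive`, following
    the CSP3 fallback chain. None means nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None  # no fallback: absent means unrestricted
    for parent in FALLBACK.get(directive, ["default-src"]):
        if parent in policy:
            return policy[parent]
    return None


def analyze(header: str) -> Dict[str, List[str]]:
    """Run the three checks ZAP reported in the thread."""
    policy = parse_csp(header)
    wildcard = [d for d, srcs in policy.items() if "*" in srcs]
    # 'unsafe-inline' is ignored by CSP2+ browsers when the same directive
    # also carries a nonce or hash, so only flag it when it is live.
    hash_prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    unsafe_inline = [
        d for d, srcs in policy.items()
        if "'unsafe-inline'" in srcs and not any(s.startswith(hash_prefixes) for s in srcs)
    ]
    missing = sorted(d for d in NO_FALLBACK if d not in policy)
    return {"wildcard": wildcard, "unsafe_inline": unsafe_inline, "missing_no_fallback": missing}


if __name__ == "__main__":
    for label, header in (("root", ROOT_CSP), ("login POST", LOGIN_POST_CSP)):
        print(label, analyze(header))
    # worker-src is absent on the root page, so script-src governs workers
    print("worker-src on root:", effective_sources(parse_csp(ROOT_CSP), "worker-src"))
```

`analyze(ROOT_CSP)` reports exactly what ZAP did for `https://cloud-domain/`: four wildcard directives, a live `'unsafe-inline'` in `style-src`, and `form-action` plus `frame-ancestors` missing; on the login POST header only `form-action` is missing. `effective_sources` is the check worth keeping: it tells you whether an absent directive is covered by `default-src` (most fetch directives) or is genuinely unrestricted (the `NO_FALLBACK` three), which is the distinction behind ZAP's "no fallback" finding.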