GDPR - How to get a list of resources for legal purposes?

Dear community, after reading this nice German article about court fees for the use of Google Fonts without user confirmation (Golem.de: IT-News für Profis), I was wondering: I set up my CSP myself and basically simply forbid third-party site calls, or add them to a whitelist and add the domains to the legal notice, as they may track you, set cookies, get information about IP, browser, etc.

I checked my setup and see that the CSP is set by Nextcloud itself, which is good and reduces my configuration work, and it seems quite small:

content-security-policy: default-src 'self'; script-src 'self' 'nonce-L0FiVFV3VktKYXVXeVM5ZTlCWW4vcnZPTjBiVHlZalFHeEgrTTlXeHh5VT06MTFDTFBVNGxjcDNQcldRSmhWTmRsSXVEWVJ5S3JNK0NUSGZQUXFmWG9rWT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';

But now I need to check what kind of third-party sites are being used and list them in a legal notice. I find that e.g. Unsplash will use images.unsplash.com, or Maps uses mapbox.com. And the nightmare started: each app has its own CSP:

CSP Example from Apps

CSP from Maps

content-security-policy
	default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-UE9HR3g2bGdxOFNJMFVYdkNjZk92QzNzcVl2U3duRGpINlZ5R2VuU3dGTT06U2M2emt1RXJuWXEvdmliZWVQK1ovVWJVeU9Lb3F5SFVhdUlZSU4zZzcyYz0=' blob: https://unpkg.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org https://source.unsplash.com https://images.unsplash.com https://server.arcgisonline.com https://*.cartocdn.com https://*.opentopomap.org https://*.ssl.fastly.net https://*.openstreetmap.se https://nominatim.openstreetmap.org;font-src 'self' data:;connect-src 'self' blob: stun.nextcloud.com:443 https://*.project-osrm.org https://api.mapbox.com https://events.mapbox.com https://graphhopper.com https://nominatim.openstreetmap.org;media-src 'self' blob:;frame-src data: 'self';child-src 'self' blob:;frame-ancestors 'self';worker-src 'self' blob:;form-action 'self'

CSP from PhoneTrack

content-security-policy
	default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-cUJQUG9jWFhXUGUxejZ1TUZxK3dpM2JaRWZ1NnRhTStQdWRHTVJqeHRhcz06M1R6NjlJMmNicm1Db01pOVo1Zm55aDNoY0pMQTNQSUpTNkFzQ0N6RG1wOD0=' blob: * 'unsafe-inline' 'unsafe-eval';style-src 'self' * 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org https://source.unsplash.com https://images.unsplash.com *;font-src 'self' data: *;connect-src 'self' blob: stun.nextcloud.com:443 *;media-src 'self' blob: *;object-src *;frame-src data: 'self' *;child-src 'self' blob: * blob:;frame-ancestors 'self';worker-src 'self' blob:;form-action 'self'

With other applications it is not so easy, e.g. PhoneTrack has multiple map choices and will use different servers for them, and the CSP is also different, and not even all sites are listed in it.
And I have many other applications…

I read these two, but could not find any information: "Nextcloud helps you being GDPR-compliant" and "Nextcloud releases GDPR Compliance kit for on-premises collaboration solution".

  1. How to get a list that has all valid domains that will be used by all applications in Nextcloud?
  2. How to limit/control usage of third-party services centrally?
  3. How to prepare a list for the legal notice?
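As an added example (not part of the original post and not Nextcloud's own code), the following Python script parses the CSP headers quoted above and merges the hosts they allow into one inventory, keyed by host and annotated with the directives (script-src, img-src, connect-src, ...) that allow it. Two caveats apply to building a legal-notice list this way. First, a CSP is an allow-list of what the browser may load, not a record of what was actually loaded, and it says nothing about requests the Nextcloud server makes itself. Second, a directive containing a bare `*` source (the core header's frame-src, img-src, media-src and connect-src, and most directives in the PhoneTrack header) allows any origin, so for that directive the header cannot be enumerated at all; the script flags such directives instead of listing hosts. The nonce values are replaced by a placeholder only to keep the lines short.

```python
"""Added example: list third-party hosts allowed by Content-Security-Policy
headers and flag directives that allow any origin.  Not part of the original
post or of Nextcloud; the headers below are copied from the post, with the
nonce values shortened to the placeholder 'nonce-PLACEHOLDER'."""
import re

# Scheme-only source expressions carry no host.
SCHEME_SOURCES = {"data:", "blob:", "filesystem:", "mediastream:",
                  "http:", "https:", "ws:", "wss:"}


def parse_csp(header):
    """Split a CSP header into {directive-name: [source tokens]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def host_of(token):
    """Reduce a source expression to its host.  Returns None for keyword
    sources ('self', 'none', 'unsafe-inline', 'nonce-...', 'sha256-...') and
    scheme sources; a bare '*' is returned unchanged so callers can flag it."""
    if token.startswith("'") or token.lower() in SCHEME_SOURCES:
        return None
    host = token.split("://", 1)[-1]        # drop scheme
    host = host.split("/", 1)[0]            # drop path
    host = re.sub(r":(\d+|\*)$", "", host)  # drop port (e.g. :443, :*)
    return host.lower()


def allowed_hosts(header, own_hosts=()):
    """Return (hosts, unrestricted).  hosts maps each external host to the
    set of directives allowing it; unrestricted lists directives that contain
    a bare '*' and therefore allow any origin.  own_hosts (the instance's
    own names) are excluded from the third-party list."""
    hosts, unrestricted = {}, []
    for directive, sources in parse_csp(header).items():
        for src in sources:
            host = host_of(src)
            if host is None or host in own_hosts:
                continue
            if host == "*":
                unrestricted.append(directive)
            else:
                hosts.setdefault(host, set()).add(directive)
    return hosts, unrestricted


def merge_inventories(policies, own_hosts=()):
    """Merge the headers of several apps ({app: header}) into one host list
    plus (app, directive) pairs that are effectively open."""
    merged, open_directives = {}, []
    for app, header in policies.items():
        hosts, unrestricted = allowed_hosts(header, own_hosts)
        for host, directives in hosts.items():
            merged.setdefault(host, set()).update(directives)
        open_directives += [(app, d) for d in unrestricted]
    return merged, open_directives


# Headers copied from the post (core Nextcloud, Maps, PhoneTrack); nonces shortened.
POLICIES = {
    "core": ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
             "style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; "
             "font-src 'self' data:; media-src *; connect-src *; object-src 'none'; "
             "base-uri 'self';"),
    "maps": ("default-src 'none';base-uri 'none';manifest-src 'self';"
             "script-src 'nonce-PLACEHOLDER' blob: https://unpkg.com;"
             "style-src 'self' 'unsafe-inline';"
             "img-src 'self' data: blob: https://*.tile.openstreetmap.org "
             "https://source.unsplash.com https://images.unsplash.com "
             "https://server.arcgisonline.com https://*.cartocdn.com "
             "https://*.opentopomap.org https://*.ssl.fastly.net "
             "https://*.openstreetmap.se https://nominatim.openstreetmap.org;"
             "font-src 'self' data:;"
             "connect-src 'self' blob: stun.nextcloud.com:443 https://*.project-osrm.org "
             "https://api.mapbox.com https://events.mapbox.com https://graphhopper.com "
             "https://nominatim.openstreetmap.org;"
             "media-src 'self' blob:;frame-src data: 'self';child-src 'self' blob:;"
             "frame-ancestors 'self';worker-src 'self' blob:;form-action 'self'"),
    "phonetrack": ("default-src 'none';base-uri 'none';manifest-src 'self';"
                   "script-src 'nonce-PLACEHOLDER' blob: * 'unsafe-inline' 'unsafe-eval';"
                   "style-src 'self' * 'unsafe-inline';"
                   "img-src 'self' data: blob: https://*.tile.openstreetmap.org "
                   "https://source.unsplash.com https://images.unsplash.com *;"
                   "font-src 'self' data: *;connect-src 'self' blob: stun.nextcloud.com:443 *;"
                   "media-src 'self' blob: *;object-src *;frame-src data: 'self' *;"
                   "child-src 'self' blob: * blob:;frame-ancestors 'self';"
                   "worker-src 'self' blob:;form-action 'self'"),
}

if __name__ == "__main__":
    hosts, open_dirs = merge_inventories(POLICIES)
    for host in sorted(hosts):
        print(f"{host:40} {', '.join(sorted(hosts[host]))}")
    for app, directive in open_dirs:
        print(f"WARNING: {app}: {directive} contains '*' and allows any origin")
```

Run against the three headers, the script yields 15 distinct external hosts (all of them from the Maps header; PhoneTrack's named hosts are a subset) and 13 open directives, which is exactly why the PhoneTrack header cannot serve as a complete list of the map servers it may contact. To turn the output into the actual set of servers a deployment uses, the `*` directives have to be resolved from the apps' configured providers, and the browser's network log (or a proxy in front of the instance) is needed to confirm what is really loaded.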