I need to update Nextcloud’s CSP default settings to allow form-action submission from sub-domains such as login.site.com, app.site.com and so on. Nextcloud is hosted as cloud.site.com.
Using the latest Nextcloud from Docker Hub (nextcloud:fpm).
Also using Vouch to provide OAuth 2.0 to a protected app. Users are authenticated by Nextcloud.
Chrome error message:
Refused to send form data to 'https://login.XXXX.com.au/'
because it violates the following Content Security Policy directive:
https://cloud.XXXX.com.au/login/flow/grant?stateToken=XXX&clientIdentifier=XXX&oauthState=XXX
"form-action 'self' https://app.XXXX.com.au/".
The current Nextcloud form-action is restricted to self. I think that doesn’t allow using Nextcloud as an SSO server unless hosted on the same host.
My Vouch is on a sub-host and I think that is my problem.
Adding something like “*.site.com” might solve my problem.
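
To make the Chrome message above concrete, here is an added example (not part of the original post and not Nextcloud code) that evaluates a form-action source list against a submission target using simplified CSP Level 3 host-source matching. The site.example hostnames are constructed stand-ins for the redacted domain and the function names are hypothetical. It also shows that a `*.` wildcard admits every sub-domain, whereas listing the login host explicitly admits only that host.

```javascript
// Simplified CSP Level 3 source matching for form-action (added example).
// Handles 'self' and host-sources only; schemes are compared exactly.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1], host: m[2].toLowerCase(), port: m[3], path: m[4] };
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  // "*.site.example" matches any sub-domain, but not bare "site.example".
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function sourceMatches(expr, target, page) {
  if (expr === "'self'") return target.origin === page.origin;
  const src = parseHostSource(expr);
  if (!src) return false;
  // A source without a scheme inherits the protected page's scheme.
  const scheme = src.scheme ? src.scheme.toLowerCase() + ":" : page.protocol;
  if (scheme !== target.protocol) return false;
  if (!hostMatches(src.host, target.hostname)) return false;
  // No port in the source means the target must use its scheme's default port.
  const port = target.port || DEFAULT_PORT[target.protocol];
  const wanted = src.port || DEFAULT_PORT[target.protocol];
  if (wanted !== "*" && wanted !== port) return false;
  // A path ending in "/" is a prefix match; otherwise it must match exactly.
  if (!src.path || src.path === "/") return true;
  return src.path.endsWith("/") ? target.pathname.startsWith(src.path) : target.pathname === src.path;
}

function formActionAllows(directive, targetUrl, pageUrl) {
  const target = new URL(targetUrl), page = new URL(pageUrl);
  return directive.trim().split(/\s+/).some((e) => sourceMatches(e, target, page));
}

// Constructed values mirroring the post (site.example replaces the real domain).
const PAGE = "https://cloud.site.example/login/flow/grant";
const TARGET = "https://login.site.example/";
const REPORTED = "'self' https://app.site.example/";

console.log("reported policy:", formActionAllows(REPORTED, TARGET, PAGE));
console.log("plus login host:", formActionAllows(REPORTED + " https://login.site.example", TARGET, PAGE));
console.log("wildcard:", formActionAllows("'self' https://*.site.example", TARGET, PAGE));
```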