Nextcloud 13.0.4 doesn't work with Chrome and Firefox. Works only with IE

Hi
I'm trying to get Nextcloud running on my home server and I have issues with it.
It works only with IE but not with Chrome or Firefox.
It seems that there are some JavaScript errors. The Chrome console throws about 13 errors and your app is not reacting to any clicks. After installation done using IE, it is not possible to log in to the application using Chrome or Firefox. It works only with IE.
During the installation all the tabs are open and it is not possible to choose MySQL as a backend. No reaction to clicks.
I am running Nextcloud over SSL.
Is this some known issue/bug?

Nextcloud version: 13.0.4
Operating system and version : CentOS 7
Apache or nginx version : Apache 2.4.6
PHP version : 7.2

The issue you are facing: JavaScript issues in Chrome and Firefox.

Is this the first time you’ve seen this error? : Y

Steps to replicate it:

  1. Just try to install Nextcloud using Chrome or Firefox or, if it is installed, try to log in to it.

The output of your Nextcloud log in Admin > Logging:

EMPTY

The output of the Chrome Console:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-smxT+noUKbEdRMGc23mCkimSVHqN/TV+7Qzq05u1VYk='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

login:85 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-VWkG3rR92tqWKwxTi7FGCwo0s3+n19OMWDS2+QN0eiU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

login:110 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

login:123 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

core.js?v=cffca80e-6:7 JQMIGRATE: Migrate is installed, version 1.4.0
core.js?v=cffca80e-6:5958 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".
    at Function (<anonymous>)
    at o (core.js?v=cffca80e-6:5958)
    at r (core.js?v=cffca80e-6:5958)
    at core.js?v=cffca80e-6:5958
    at core.js?v=cffca80e-6:5958
    at core.js?v=cffca80e-6:5958
merged-template-prepend.js?v=cffca80e-6:4880 Uncaught ReferenceError: Select2 is not defined
    at merged-template-prepend.js?v=cffca80e-6:4880
merged-template-prepend.js?v=cffca80e-6:3774 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".
    at new Function (<anonymous>)
    at Object._generatePluralFunction (merged-template-prepend.js?v=cffca80e-6:3774)
    at Object.register (merged-template-prepend.js?v=cffca80e-6:3726)
    at pl.js?v=cffca80e-6:1
merged-share-backend.js?v=cffca80e-6:24 Uncaught ReferenceError: oc_appconfig is not defined
    at merged-share-backend.js?v=cffca80e-6:24
    at merged-share-backend.js?v=cffca80e-6:80
merged-template-prepend.js?v=cffca80e-6:1433 Uncaught TypeError: Cannot read property 'substring' of undefined
    at Object.filePath (merged-template-prepend.js?v=cffca80e-6:1433)
    at viewer.js?v=cffca80e-6:15
merged-template-prepend.js?v=cffca80e-6:3774 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".
    at new Function (<anonymous>)
    at Object._generatePluralFunction (merged-template-prepend.js?v=cffca80e-6:3774)
    at Object.register (merged-template-prepend.js?v=cffca80e-6:3726)
    at pl.js?v=cffca80e-6:1
merged-template-prepend.js?v=cffca80e-6:3827 Uncaught ReferenceError: DOMPurify is not defined
    at Object.translate (merged-template-prepend.js?v=cffca80e-6:3827)
    at contactsmenu.js?v=cffca80e-6:29
    at contactsmenu.js?v=cffca80e-6:538
merged-template-prepend.js?v=cffca80e-6:3827 Uncaught ReferenceError: DOMPurify is not defined
    at Object.translate (merged-template-prepend.js?v=cffca80e-6:3827)
    at merged-login.js?v=cffca80e-6:17
merged-template-prepend.js?v=cffca80e-6:2722 Uncaught TypeError: OC.ContactsMenu is not a constructor
    at setupContactsMenu (merged-template-prepend.js?v=cffca80e-6:2722)
    at HTMLDocument.initCore (merged-template-prepend.js?v=cffca80e-6:2730)
    at j (core.js?v=cffca80e-6:2)
    at Object.fireWith [as resolveWith] (core.js?v=cffca80e-6:2)
    at Function.ready (core.js?v=cffca80e-6:2)
    at HTMLDocument.I (core.js?v=cffca80e-6:2)

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):


<?php
$CONFIG = array (
  'instanceid' => '<ID>',
  'passwordsalt' => '<SALT>',
  'secret' => '<SECRET>',
  'trusted_domains' =>
  array (
    0 => '<MYDOMAIN>',
  ),
  'datadirectory' => '<DATA-DIR>',
  'overwrite.cli.url' => 'https://<MYDOMAIN>',
  'dbtype' => 'mysql',
  'version' => '13.0.4.0',
  'dbname' => '<DBNAME>',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '<USER>',
  'dbpassword' => '<PASS>',
  'installed' => true,
);

The output of your Apache/nginx/system log in /var/log/____:

192.168.1.57 - - [28/Jun/2018:23:19:29 +0200] "GET / HTTP/1.1" 302 -
192.168.1.57 - - [28/Jun/2018:23:19:30 +0200] "GET /index.php/login HTTP/1.1" 200 11313
192.168.1.57 - - [28/Jun/2018:23:19:30 +0200] "GET /index.php/apps/theming/logo?v=6 HTTP/1.1" 200 146898
192.168.1.57 - - [28/Jun/2018:23:19:30 +0200] "GET /index.php/apps/theming/loginbackground?v=6 HTTP/1.1" 200 187943
192.168.1.57 - - [28/Jun/2018:23:19:30 +0200] "GET /index.php/apps/theming/js/theming?v=6 HTTP/1.1" 200 203
192.168.1.57 - - [28/Jun/2018:23:19:30 +0200] "GET /index.php/apps/theming/favicon?v=6 HTTP/1.1" 200 90022
192.168.1.57 - - [28/Jun/2018:23:19:35 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 74
192.168.1.57 - - [28/Jun/2018:23:19:44 +0200] "GET /status.php HTTP/1.1" 400 278

Works perfectly fine :wink:

My CSP header on NC 13 looks like this:

default-src 'none';
base-uri 'none';
manifest-src 'self';
script-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
font-src 'self';
connect-src 'self';
media-src 'self'

Your policy seems to be a bit different judging from the Chrome errors. Is your webserver forcing a setting by default? If you use theming, you don’t include external sources (for logo, css, …). Another idea could be an app; is there something “exotic” (not used by many people) you use?

Possibility one: you are missing a dependency in your Linux.
I am not home; I ran into this trouble before… I kept track of the solution but I need to dig to find it.

Possibility 2: your mime-type is misconfigured.

This is a fresh install of Nextcloud so I do not use theming or anything more.
It works perfectly fine using IE but not with latest Chrome or Firefox so I think the server setup is ok.
The issue is more related to JavaScript.
I don’t use any fancy features, just mod_ruid2, mod_ssl and more or less that is it.
I’ve tested it using 4 PCs from different locations including totally clean one with no extensions, antivirus software etc. and it is the same.

After installation done using IE, the login button doesn’t work in Chrome or Firefox, but all works fine with IE.

Just back home.

Last time I encountered strange behavior like this, it was linked to libapache2-mod-php being mixed up.

Try to reinstall it.

Well, the error message clearly states that content is blocked due to too strict Content Security Policies. I suggest you read your CSP headers and compare them with the CSP settings that @tflidd posted. To check your headers you could use:

To let us have a look, you can paste the CSP header output here.

Probably it is these two policies blocking the site:

script-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';

I furthermore suggest checking your Apache config, in case you tried to “harden” your server with stricter rules and defined, for example, “style-src” to be only “self”.

Thank you Schumu for pointing me in the right direction.
I solved the problem.
It is true that I hardened my server with the following values:

#
# Apache Content-Security-Policy Header
#
Header set Content-Security-Policy "default-src 'self';"
#
# HTTPS Strict Transport Security
#
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

I have added the following lines to my VirtualHost block and it started to work just fine:

Header set Content-Security-Policy "default-src 'self';"
Header set Content-Security-Policy "style-src 'self' 'unsafe-inline';"

Thank you again :slight_smile:

1 Like
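
An added example, not part of any post in this thread: a simplified Python model of how a browser resolves `script-src` and `style-src` against `default-src`, run over the three policies quoted above. It assumes Apache's documented `Header set` behaviour (a later `set` replaces any earlier header of the same name), so the two lines in the final post send only the second value; all function and constant names are illustrative.

```python
"""Added example: which inline/eval features a CSP header permits (simplified model)."""

def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def effective_sources(policy, directive):
    """script-src and style-src fall back to default-src when not set explicitly."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")  # None: CSP does not restrict this type

def allows(policy, directive, keyword):
    """True if the keyword source is honoured for the given directive."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if keyword == "'unsafe-inline'" and any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        return False  # browsers ignore 'unsafe-inline' once a nonce or hash is listed
    return keyword in sources

def summarize(header):
    p = parse_csp(header)
    return {
        "inline_script": allows(p, "script-src", "'unsafe-inline'"),
        "eval": allows(p, "script-src", "'unsafe-eval'"),
        "inline_style": allows(p, "style-src", "'unsafe-inline'"),
    }

def apache_header_set(values):
    """`Header set` replaces any earlier header of the same name: the last value wins."""
    return values[-1]

# Policies quoted in the thread (header values only).
HARDENED = "default-src 'self';"
TFLIDD = ("default-src 'none'; base-uri 'none'; manifest-src 'self'; "
          "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; "
          "img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self'")
FINAL = apache_header_set(["default-src 'self';", "style-src 'self' 'unsafe-inline';"])

if __name__ == "__main__":
    for name, header in [("hardened", HARDENED), ("tflidd", TFLIDD), ("final", FINAL)]:
        print(f"{name:9} {summarize(header)}")
```

The hardened header blocks all three features, matching the console errors; the final pair works because the surviving header has no `default-src` or `script-src` at all, which leaves scripts unrestricted. Keeping a baseline requires putting every directive into one header value, as in the policy @tflidd posted.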