Stuck again on login screen - Content Security Policy violation

I’m trying to use NextCloud 23.0.0 using the official Docker image. I re-installed NC on Friday and was able to successfully login until yesterday (Sunday) evening. Posting in the Installation category, as it seems that I’m doing something wrong at the installation; Nextcloud doesn’t work in a stable way after installation.

When I now try to login, I seem to be stuck on the login screen. The browser console shows the following issue:

Refused to send form data to 'https://nc.5y5.one/login' because it violates the following Content Security Policy directive: "form-action 'self' https://nc.5y5.one".

Between yesterday evening and now, I haven’t changed anything at all (was sleeping :wink: ). I’m having the issue with numerous browsers, so it’s also not related to my browser.

On https://gf.dev/csp-test I’m seeing the following Content-Security-Policy header:

default-src 'none';
base-uri 'none';
manifest-src 'self';
script-src 'nonce-bnprdU1xc1JTQXpHaXpvZS9SMUhnME9KWFZsSlNHbEcra1p1R2JyaUdSYz06cmxWWFh2MGlCMytmODNoUGgxb2Y5RFA4RjJzbEVUQWNtUW9qVm9PeWJIOD0=' blob:;
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob: https://*.tile.openstreetmap.org;
font-src 'self' data:;
connect-src 'self' blob: stun.nextcloud.com:443;
media-src 'self' blob:;
frame-src 'self' https://nc.5y5.one;
child-src blob: 'self';
frame-ancestors 'self';
worker-src 'self' blob:;
form-action 'self' https://nc.5y5.one

According to the error message in the browser console, the issue is with the “form-action” part of the content-security-policy header: form-action 'self' https://nc.5y5.one.

If the login is on https://nc.5y5.one/ (or https://nc.5y5.one/login), what would be the correct value? form-action 'self' https://nc.5y5.one is the default.

cd lib/public/AppFramework/Http/
cp  ContentSecurityPolicy.php ContentSecurityPolicy.php.bak
vim ContentSecurityPolicy.php

edit this line:

protected $allowedFormActionDomains = [
                '\'self\'',
                'cloud.domain.com',
        ];

This solvled my policy issue.