The "Referrer-Policy" HTTP header is not set to "no-referrer"

Schmu · December 13, 2018, 10:58am

Hello everyone,

I just wanted to post an update and let you know that the “unsafe-eval” Content Security Policy has been removed in NC15. So right now we can even receive an A+ at securityheaders.com

If you want to run a more complete test, I even suggest to go to:
https://observatory.mozilla.org/

It has a more detailed overview for CSP as well.
In case you wonder about a few missing CSP entries for your server, I reported that at Github already:

github.com/nextcloud/server

[CSP] certain policies are not set at all - frame-src, worker-src, frame-ancestors

opened 11:58PM - 12 Dec 18 UTC

Schmuuu

enhancement 1. to develop security

When scanning my NC server with: https://observatory.mozilla.org I notice th…at a few (many?) CSPs are not set at all, although they can be found in the source code. I noticed this phenomenon in NC14 already but thought, due to the planned rework of CSP with NC15, this might get "corrected" in this latest release. After a fresh upgrade to NC15 the above-mentioned site still reports some policies missing. The output is: ------------ **Content-Security-Policy:** default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-ZS [...] D0=';style-src 'self' 'unsafe-inline' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' ;media-src 'self' blob:;child-src 'self'; ----------- The policies missing, although mentioned in the PHP file `nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php`: - worker-src - frame-ancestors - frame-src What could be added by this opportunity is: - form-action I ran some tests by manipulating the PHP file `nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php` and added "else" blocks to all the missing policies, like in this example ("if" block is standard, "else" was added by me): ``` if(!empty($this->allowedFrameAncestors)) { $policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors); $policy .= ';'; } else { $policy .= "frame-ancestors 'self';"; } ``` Due to this change, the site reports: ---------- **Content-Security-Policy:** default-src 'none';base-uri 'none';manifest-src 'self';form-action 'self';script-src 'nonce-ZS-[...]-D0=';style-src 'self' 'unsafe-inline' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' ;media-src 'self' blob:; **frame-src 'self' https://office.mydomain.tld https://www.draw.io;** child-src 'self'; **frame-ancestors 'self';worker-src 'self'** ----------- I know it's a dirty hack right now, but I don't understand the code enough to correctly fix that. However, it works that way. I ran all NC14.0.x release with this or similar changes in that file without any issues or limitations. ### Steps to reproduce 1. Run the test of https://observatory.mozilla.org against an NC15 server 2. look out for the raw Content-Security-Policy response ### Expected behaviour All the policies appear in that CSP response ### Actual behaviour These policies are missing completely, so the CSP is not as strict as probably intended. ### Server configuration **Operating system**: ArchLinux 4.14.87-1-lts **Web server:** nginx 1.14.2 **Database:** 10.1.37-MariaDB **PHP version:** 7.2.13 **Nextcloud version:** NC 15.0.0.10 **Updated from an older Nextcloud/ownCloud or fresh install:** Updated via web updater from NC14.0.4 **Where did you install Nextcloud from:** NC internal web updater **Signing status:** <details> <summary>Signing status</summary> ``` No errors have been found. ``` </details> **List of activated apps:** <details> <summary>App list</summary> ``` Enabled: - accessibility: 1.1.0 - activity: 2.8.2 - admin_audit: 1.5.0 - announcementcenter: 3.4.0 - apporder: 0.6.0 - audioplayer: 2.4.1 - bookmarks: 0.14.3 - bruteforcesettings: 1.2.0 - calendar: 1.6.4 - cloud_federation_api: 0.1.0 - comments: 1.5.0 - contacts: 2.1.8 - dav: 1.8.0 - deck: 0.5.1 - dropit: 0.1.3 - event_update_notification: 0.3.1 - external: 3.2.0 - federatedfilesharing: 1.5.0 - federation: 1.5.0 - files: 1.10.0 - files_accesscontrol: 1.5.0 - files_automatedtagging: 1.5.0 - files_downloadactivity: 1.4.0 - files_external: 1.6.0 - files_markdown: 2.0.5 - files_pdfviewer: 1.4.0 - files_retention: 1.4.0 - files_sharing: 1.7.0 - files_texteditor: 2.7.0 - files_trashbin: 1.5.0 - files_versions: 1.8.0 - files_videoplayer: 1.4.0 - firstrunwizard: 2.4.0 - gallery: 18.2.0 - logreader: 2.0.0 - lookup_server_connector: 1.3.0 - mail: 0.11.0 - metadata: 0.8.0 - nextcloud_announcements: 1.4.0 - notes: 2.5.1 - notifications: 2.3.0 - oauth2: 1.3.0 - ojsxc: 3.4.3 - onlyoffice: 2.1.2 - password_policy: 1.5.0 - previewgenerator: 2.0.0 - provisioning_api: 1.5.0 - quota_warning: 1.4.0 - ransomware_protection: 1.3.0 - serverinfo: 1.5.0 - sharebymail: 1.5.0 - sharerenamer: 2.3.0 - spreed: 4.99.0 - support: 1.0.0 - systemtags: 1.5.0 - tasks: 0.9.8 - telephoneprovider: 1.0.2 - theming: 1.6.0 - twofactor_backupcodes: 1.4.1 - twofactor_totp: 2.1.0 - updatenotification: 1.5.0 - workflowengine: 1.5.0 Disabled: - camerarawpreviews - checksum - circles - cms_pico - dashboard - dicomviewer - drawio - encryption - files_mindmap - files_reader - files_rightclick - issuetemplate - polls - ransomware_detection - socialsharing_email - survey_client - user_external - user_ldap - user_usage_report ``` </details> **Nextcloud configuration:** <details> <summary>Config report</summary> ``` { "system": { "instanceid": "***REMOVED SENSITIVE VALUE***", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "cloud.mydomain.tld", "192.168.1.100", "localhost" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "dbtype": "mysql", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "version": "15.0.0.10", "logtimezone": "Europe\/Berlin", "appstore.experimental.enabled": true, "appstoreenabled": true, "appstoreurl": "https:\/\/api.nextcloud.com\/v1", "appcodechecker": true, "apps_paths": [ { "path": "\/var\/www\/nextcloud\/apps", "url": "\/apps", "writable": true } ], "mail_smtpmode": "smtp", "mail_smtpauth": 1, "mail_smtpport": "587", "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_smtpauthtype": "LOGIN", "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_domain": "***REMOVED SENSITIVE VALUE***", "mail_smtpsecure": "tls", "mail_smtpname": "***REMOVED SENSITIVE VALUE***", "mail_smtppassword": "***REMOVED SENSITIVE VALUE***", "preview_libreoffice_path": "\/usr\/bin\/libreoffice", "enabledPreviewProviders": [ "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\BMP", "OC\\Preview\\XBitmap", "OC\\Preview\\MP3", "OC\\Preview\\TXT", "OC\\Preview\\MarkDown", "OC\\Preview\\TIFF", "OCA\\CameraRawPreviews\\RawPreview", "OCA\\CameraRawPreviews\\IndesignPreview", "OC\\Preview\\Movie", "OC\\Preview\\Photoshop" ], "filelocking.enabled": true, "memcache.local": "\\OC\\Memcache\\APCu", "memcache.locking": "\\OC\\Memcache\\Redis", "redis": { "host": "***REMOVED SENSITIVE VALUE***", "port": 0, "timeout": 0, "password": "***REMOVED SENSITIVE VALUE***" }, "maintenance": false, "updater.server.url": "https:\/\/updates.nextcloud.com\/updater_server\/", "updater.release.channel": "stable", "loglevel": 2, "theme": "", "installed": true, "overwrite.cli.url": "https:\/\/cloud.mydomain.tld", "defaultapp": "apporder", "updater.secret": "***REMOVED SENSITIVE VALUE***" } } ``` </details> **Are you using external storage, if yes which one:** in OS mounted smb share via CIFS as additional external drive. All user data are on internal storage, however. **Are you using encryption:** no **Are you using an external user-backend, if yes which one:** no ### Logs Not applicable as the server runs perfectly fine. There are no error messages that might be related.

With my configuration changes I reached a score of 120/100

The current maximum possible score is 135 out of 100.

So 15 points still missing to the absolute maximum, but “unsafe-inline” for style-src policy is still lowering the score.
I think I read somewhere, that style-src “unsafe-inline” comes from certain apps which haven’t been updated to the new NC directives. So this will be improved in the feature in any case.