Web gui stops working after hardening Content-Security-Policy in Apache

Nextcloud version (eg, 20.0.5): 19.0.1
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04.1
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.41
PHP version (eg, 7.4): 7.4

The issue you are facing:

I have “hardened” my Apache server recently. In particular I added the following
CSP settings in 000-default-le-ssl.conf:

	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	Header set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
	Header set X-Frame-Options "DENY"
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Content-Type-Options "nosniff"

I can still access Nextcloud with a macOS client, but login over the web GUI
stopped working: no CSS, I just see a “Nextcloud” link.

I had similar problems with Roundcube that runs on the same server.
That could be fixed by modifying certain CSP settings in its setup.
My question is: obviously what I set in the Content-Security-Policy header is “too strict”. Which settings do I have to override in .../nextcloud/.htaccess to make the web GUI work again? I experimented with this (it worked with Roundcube):

	Header unset Content-Security-Policy
	Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"

but that led to many files being locked in the DB and client syncing stopped. The Nextcloud log contained some horrible messages about the DB “going away”…

Is this the first time you’ve seen this error? (Y/N): Y

The output of your Nextcloud log in Admin > Logging:

{"reqId":"W2beO4PB8ym9IOdbxsbu","level":3,"time":"2021-01-24T16:14:58+00:00","remoteAddr":"2a02:8388:4205:5080:2d0b:2d9b:2741:9fd6","user":"andras","app":"PHP","method":"GET","url":"/nextcloud/ocs/v2.php/apps/notifications/api/v2/notifications","message":"Doctrine\\DBAL\\Exception\\DriverException: An exception occurred while executing 'UPDATE `oc_authtoken` SET `last_check` = ?, `last_activity` = ? WHERE `id` = ?' with params [1611504897, 1611504898, 3162]:\n\nSQLSTATE[HY000]: General error: 2006 MySQL server has gone away at /var/www/html/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Driver/AbstractMySQLDriver.php#106","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.2 Safari/605.1.15","version":"19.0.1.1"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => 'XXXXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' =>
  array (
    0 => 'my.domain',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'overwrite.cli.url' => 'https://my.domain/nextcloud',
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XXXXXX',
  'installed' => true,
  'maintenance' => false,
  'loglevel' => 2,
);

The output of your Apache/nginx/system log in /var/log/____:

PHP Fatal error:  Uncaught PDOException: SQLSTATE[HY000]: General error: 2006 MySQL server has gone away in /var/www/html/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOStatement.php:117\nStack trace:\n#0 /var/www/html/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOStatement.php(117): PDOStatement->execute()\n#1 /var/www/html/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php(1054): Doctrine\\DBAL\\Driver\\PDOStatement->execute()\n#2 /var/www/html/nextcloud/lib/private/DB/Connection.php(214): Doctrine\\DBAL\\Connection->executeUpdate()\n#3 /var/www/html/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Query/QueryBuilder.php(203): OC\\DB\\Connection->executeUpdate()\n#4 /var/www/html/nextcloud/lib/private/DB/QueryBuilder/QueryBuilder.php(216): Doctrine\\DBAL\\Query\\QueryBuilder->execute()\n#5 /var/www/html/nextcloud/lib/private/Lock/DBLockingProvider.php(316): OC\\DB\\QueryBuilder\\QueryBuilder->execute()\n#6 [internal function]: OC\\Lock\\DBLockingProvider->releaseAll()\n#7 {main}\n\nNext Doctrine\\DBAL\\Driv in /var/www/html/nextcloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Driver/AbstractMySQLDriver.php on line 106
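
An added example, not part of the original post: a small Python check that parses the two Content-Security-Policy values quoted above and lists the resource types a same-origin page can no longer load under each. It models only the `default-src` fallback and the `'self'`, `*` and `https:` sources; the function names are illustrative, and the site is assumed to be served over https.

```python
# Added example: which same-origin loads does each CSP from the post block?
FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "frame-src", "manifest-src"]
# Directives consulted before default-src (frame-src tries child-src first).
PRE_FALLBACK = {"frame-src": ["child-src"]}

# The two header values quoted in the post.
STRICT = ("default-src 'none'; frame-ancestors 'none'; "
          "base-uri 'self'; form-action 'self';")
RELAXED = ("default-src 'unsafe-inline' 'unsafe-eval'; "
           "script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
           "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; "
           "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; "
           "form-action 'self'")

def parse_csp(policy):
    """Return {directive: [sources]}; a repeated directive is ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def effective_sources(directives, name):
    """Source list governing a fetch directive, or None if unrestricted."""
    for candidate in [name, *PRE_FALLBACK.get(name, []), "default-src"]:
        if candidate in directives:
            return directives[candidate]
    return None

def allows_same_origin(sources):
    # Keywords such as 'none', 'unsafe-inline' and 'unsafe-eval' never match
    # a URL. Host sources are not evaluated (neither policy uses one).
    return sources is None or any(s in ("'self'", "*", "https:") for s in sources)

def blocked_types(policy):
    """Fetch directives under which same-origin resources are refused."""
    parsed = parse_csp(policy)
    return [d for d in FETCH_DIRECTIVES
            if not allows_same_origin(effective_sources(parsed, d))]

if __name__ == "__main__":
    for label, policy in (("strict", STRICT), ("relaxed", RELAXED)):
        print(label, "blocks:", ", ".join(blocked_types(policy)))
```

Under the first policy every stylesheet, script and image request falls back to `default-src 'none'`. Under the second, fonts, media and the web manifest still fall back to a `default-src` that contains only keywords, so they are refused as well.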