Webdav not working - Content Security Policy blocks HTTP

Nextcloud version: 18.0.3
Operating system and version: Armbian Buster
Apache version: 2.4.38
PHP version: 7.3

I installed Nextcloud and it’s working wonderfully for now except for a considerable detail: I cannot use webdav. The overview says

Your web server is not properly set up to resolve “/.well-known/caldav”.

Although .htaccess is being read correctly. In fact, I think the problem is linked to this error message I get in Firefox console:

Content Security Policy: The page’s settings blocked the loading of a resource at http://domain.me/remote.php/dav/ (“connect-src”).

I searched a bit but in my case this issue is not related to any reverse proxy, my Apache server is directly serving Nextcloud using php-fpm. Plus, I set 'overwriteprotocol' => 'https' to no avail.

Here’s my config.php file:

$CONFIG = array (
  'instanceid' => 'blah',
  'passwordsalt' => 'blah',
  'secret' => 'blah',
  'trusted_domains' => 
  array (
    0 => 'domain.me',
  ),
  'datadirectory' => '/media/extData/ncdata',
  'dbtype' => 'mysql',
  'version' => '18.0.3.0',
  'overwrite.cli.url' => 'https://domain.me/',
  'overwriteprotocol' => 'https',
  'htaccess.RewriteBase' => '/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_fabio',
  'dbpassword' => 'blah',
  'installed' => true,

  'filelocking.enabled' => true,
  'memcache.local' => '\OC\Memcache\Redis',
  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' => array(
       'host' => '/var/run/redis/redis-server.sock',
       'port' => 0,
       'timeout' => 0.0,
        ),
);

My “root” VirtualHost:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile      /etc/letsencrypt/live/domain.me/fullchain.pem
                SSLCertificateKeyFile   /etc/letsencrypt/live/domain.me/privkey.pem

                <IfModule mod_http2.c>
                        Protocols h2 http/1.1
                </IfModule>

                <IfModule mod_headers.c>
                        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
                </IfModule>

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

And my Nextcloud VirtualHost:

<VirtualHost _default_:80>
        ServerName domain.me
        DocumentRoot /var/www/nextcloud
        Redirect permanent / https://domain.me/
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerName domain.me
                DocumentRoot /var/www/nextcloud
                <Directory /var/www/nextcloud/>
                        Require all granted
                        AllowOverride All
                        Options FollowSymLinks MultiViews
                        <IfModule mod_dav.c>
                                Dav off
                        </IfModule>
                        <IfModule mod_headers.c>
                                # This is necessary because nextcloud's .htaccess overwrites
                                # the global HSTS header. We must repeat the directive here.
                                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
                        </IfModule>
                </Directory>
        </VirtualHost>
</IfModule>

Do know have any clue on where my problem resides?

No one can help me?

Hello,

i am stuck on a similar of content security policy but me i’m behind a reverse proxy. For you that are not it must be more simple can you make this command

curl -I https://[your domain] and share the result? Normally nextcloud set header content security policy so we first have to look at your headers