
[Bug]: Content Security Policy (CSP) Error for preview-service-worker.js #39849

Closed
6 of 8 tasks
Xyaren opened this issue Aug 13, 2023 · 6 comments · Fixed by #39808
Labels
1. to develop Accepted and waiting to be taken care of 27-feedback bug

Comments

@Xyaren

Xyaren commented Aug 13, 2023

⚠️ This issue respects the following points: ⚠️

Bug description

Chrome Browser Console throws error:

Refused to create a worker from 'https://nextcloud.mydomain.de/index.php/apps/files/preview-service-worker.js' because it violates the following Content Security Policy directive: "script-src 'nonce-aFNJRWFwcklWUlMvTVM5WDZxdnBtOEtyeWh4OVpzbHBGckh3NkpGeHk4OD06L0c1OEJOU0RiRk9IYVg1OGpzN2NycnZoa2xrZU51WWhmY216M3ZNMHVKaz0='". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.
ConsoleLogger.js:59 [ERROR] files: SW registration failed:  
{
  "app": "files",
  "error": "DOMException: Failed to register a ServiceWorker: The provided scriptURL ('https://nextcloud.mydomain.de/index.php/apps/files/preview-service-worker.js') violates the Content Security Policy.",
  "code": 18,
  "message": "Failed to register a ServiceWorker: The provided scriptURL ('https://nextcloud.mydomain.de/index.php/apps/files/preview-service-worker.js') violates the Content Security Policy.",
  "name": "SecurityError",
  "level": 2,
  "uid": "tobi"
}

CSP Header value:
default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-UTBDelpjMTN0ZUZoOWtHZzROL0ZSUUNNcDVUVi9ZT1ArT21NeUUyU1hGOD06T2d6TEM0TThqS1pacmhDTGhMcndjSG5HLzlHMnJhekhrNUhQL2kvWEx3az0=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' https://nominatim.openstreetmap.org/;media-src 'self';frame-src https://www.openstreetmap.org/ 'self';frame-ancestors 'self';form-action 'self'

Steps to reproduce

  1. Open homepage of nextcloud
  2. Observe error in console

Expected behavior

I expect no errors to appear in the console when navigating to nextcloud

Installation method

Community Docker image

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": 465,
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.mydomain.de",
            "web"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.0.1.2",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "nc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "loglevel": 2,
        "theme": "",
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "camerarawpreviews",
            "files_external_gdrive",
            "files_external_onedrive",
            "social",
            "metadata"
        ],
        "default_phone_region": "DE",
        "memories.exiftool": "\/var\/www\/html\/custom_apps\/memories\/exiftool-bin\/exiftool-amd64-musl",
        "memories.vod.path": "\/var\/www\/html\/custom_apps\/memories\/exiftool-bin\/go-vod-amd64",
        "memories.index.mode": "3",
        "memories.index.path": "\/Media\/Fotos",
        "memories.gis_type": 1,
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\Movie",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\TIFF"
        ],
        "preview_max_x": 1024,
        "preview_max_y": 1024
    }
}

List of activated Apps

Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - audioplayer: 3.4.0
  - bruteforcesettings: 2.7.0
  - camerarawpreviews: 0.8.2
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contactsinteraction: 1.8.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_antivirus: 5.2.1
  - files_automatedtagging: 1.17.0
  - files_external: 1.19.0
  - files_pdfviewer: 2.8.0
  - files_retention: 1.16.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - memories: 5.2.1
  - metadata: 0.19.0
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - previewgenerator: 5.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - quota_warning: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - sociallogin: 5.4.3
  - support: 1.10.0
  - survey_client: 1.15.0
  - suspicious_login: 5.0.0
  - systemtags: 1.17.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - workflowengine: 2.9.0
Disabled:
  - breezedark: 26.0.0 (installed 26.0.0)
  - calendar: 4.4.4 (installed 4.4.4)
  - contacts: 5.3.2 (installed 5.3.2)
  - dashboard: 7.7.0 (installed 7.7.0)
  - encryption: 2.15.0
  - photos: 2.3.0 (installed 2.3.0)
  - text: 3.8.0 (installed 3.8.0)
  - twofactor_totp: 9.0.0
  - updatenotification: 1.17.0 (installed 1.17.0)
  - user_ldap: 1.17.0
  - weather_status: 1.7.0 (installed 1.7.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

@Xyaren Xyaren added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Aug 13, 2023
@Xyaren Xyaren changed the title [Bug]: [Bug]: Content Security Policy (CSP) Error for preview-service-worker.js Aug 13, 2023
@joshtrichards
Member

Hi @Xyaren - Thanks for the report! After some digging, I've managed to reproduce this.

Before I get into that, note that preview-service-worker.js not loading doesn't break anything - it just means you lose out on a recently added preview speed optimization. Without it, your session just falls back to the previous behavior.

So the bug: This doesn't happen in all installations, but can under circumstances where certain apps aren't installed. For example, it's easy to reproduce if one disables or doesn't install the Talk app and also happens to not have any other qualifying apps installed (others like maps would likely qualify from my code searches). The cause is that the default NC CSP headers end up being insufficient to load the preview-service-worker. But some apps expand the CSP headers a bit - coincidentally just enough to support the preview-service-worker! The Talk app does this, for example.

Lacking one of these apps means the worker-src blob: 'self'; parameter doesn't get appended to the CSP header.

Having just one of any of the apps enabled that happen to append worker-src hides this bug.

Funnily enough I think this nearly got noticed in early testing twice (see #36534 (comment) and #38219), but since self-signed certs were also involved that was the presumptive only culprit.
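To make the fallback the browser message describes concrete, here is an added illustration (not code from Nextcloud or from anyone in this thread): a small JavaScript model of how a worker script URL is checked against a CSP (worker-src, else child-src, else script-src, else default-src), run over the header from this issue with and without the worker-src line. The nonce is shortened to a placeholder and host matching is simplified (no wildcards).

```javascript
// Added example (not Nextcloud code): a minimal model of how a browser picks the CSP
// directive governing a worker script URL (worker-src, else child-src, else script-src,
// else default-src) and whether that URL is then allowed.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function effectiveWorkerDirective(policy) {
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (policy[name]) return [name, policy[name]];
  }
  return [null, null];
}

// Does one source expression match a URL fetch? Quoted keywords such as 'nonce-...'
// or 'sha256-...' never match a URL: they admit only inline/element scripts carrying a
// matching attribute, which a worker script URL cannot carry.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;             // 'none', 'nonce-', 'sha', 'unsafe-inline'
  if (e === '*') return true;
  if (e.endsWith(':')) return url.protocol === e;   // scheme source, e.g. blob: or https:
  try {                                             // host source (no wildcard support here)
    const host = new URL(e.includes('://') ? e : `${url.protocol}//${e}`);
    return host.protocol === url.protocol && host.host === url.host;
  } catch (err) { return false; }
}

function workerAllowed(header, workerUrl, pageOrigin) {
  const [directive, sources] = effectiveWorkerDirective(parseCsp(header));
  if (!directive) return { allowed: true, directive };
  const url = new URL(workerUrl);
  return { allowed: sources.some((s) => sourceMatches(s, url, pageOrigin)), directive };
}

// Constructed sample: the header from this issue (nonce shortened) and the same header
// with the "worker-src blob: 'self'" that an app such as Talk happens to append.
const ORIGIN = 'https://nextcloud.mydomain.de';
const WORKER = `${ORIGIN}/index.php/apps/files/preview-service-worker.js`;
const BROKEN = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-EXAMPLE';"
  + "style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self'";
const FIXED = `${BROKEN};worker-src blob: 'self'`;
console.log(workerAllowed(BROKEN, WORKER, ORIGIN), workerAllowed(FIXED, WORKER, ORIGIN));
```

Without worker-src the same-origin worker is judged under script-src, whose only entry is a nonce, so it is refused; once worker-src 'self' is present the same URL is allowed while a cross-origin worker URL still is not.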

@szaimen
Contributor

szaimen commented Aug 14, 2023

cc @skjnldsv

@Xyaren
Author

Xyaren commented Aug 14, 2023

Well I've got quite a history of running into "weird" issues, so this fits my profile.
I'm glad I could help contribute to finding out the cause.

@skjnldsv
Member

Needs

// Allow preview service worker
$policy->addAllowedWorkerSrcDomain('\'self\'');

@skjnldsv skjnldsv added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Aug 14, 2023
@SuperSandro2000

Shouldn't 3344f0f be backported to at least 27 to fix this in the current release?

@SuperSandro2000

I created #41004 to backport this fix
