
CSP blocking nextcloud image and logo on NC12 #5147

Closed
kevinkk525 opened this issue May 28, 2017 · 1 comment

@kevinkk525

Steps to reproduce

  1. Install Nextcloud 12 on a local VM
  2. Configure it from the local network
  3. Assign an external domain to the VM
  4. Access it from the external domain

Expected behaviour

It should work in the same way as when accessing it from the local network.

Actual behaviour

When accessing via HOSTNAME everything is OK.
When accessing via DOMAIN.de the login is shown and everything is working, but the background image and logo are missing.
The Firefox and Chrome web consoles show this error:

Refused to load the image 'https://droidserver/core/img/logo.svg?v=0' because it violates the following Content Security Policy directive: "img-src 'self' data: blob:".
Refused to load the image 'https://droidserver/core/img/background.jpg?v=0' because it violates the following Content Security Policy directive: "img-src 'self' data: blob:".

As I have not seen this issue before, it is probably some misconfiguration. I just don't know where, as I'm using the official nginx configuration from https://docs.nextcloud.com/server/12/admin_manual/installation/nginx.html . I just added some extras for logging and disabled gzip, nothing about CSP.

Server configuration

Operating system: Ubuntu 16.04

Web server: nginx 1.10.0
server {
    listen 80;
    server_name kevin-köck.de www.kevin-köck.de xn--kevin-kck-67a.de www.xn--kevin-kck-67a.de;
    # Plain HTTP only redirects to HTTPS. $server_name expands to the first
    # name listed (the Unicode form); browsers send the Host header in
    # punycode, so the Unicode names never match a request by themselves and
    # the redirect relies on the browser re-encoding the IDN in the Location.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name kevin-köck.de www.kevin-köck.de xn--kevin-kck-67a.de www.xn--kevin-kck-67a.de;
    root /var/www/nextcloud;

    # "ssl on;" is redundant with "listen 443 ssl" (and deprecated in later nginx releases).
    ssl on;
    ssl_certificate     /etc/letsencrypt/live/xn--kevin-kck-67a.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xn--kevin-kck-67a.de/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers               'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # TLSv1 and TLSv1.1 are obsolete; "ssl_protocols TLSv1.2;" is the stricter choice.
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Security headers set by nginx; Nextcloud is told about them through
    # modHeadersAvailable below so it does not emit them a second time.
    # Content-Security-Policy is NOT set here: Nextcloud generates that header
    # itself per response, so nothing in this file produces the
    # "img-src 'self' data: blob:" policy seen in the browser console.
    add_header X-Content-Type-Options nosniff;
    #add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    access_log  /var/log/nginx/nextcloud.access.log;
    error_log   /var/log/nginx/nextcloud.error.log;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # CalDAV/CardDAV service discovery (RFC 6764) redirects to the DAV endpoint.
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    gzip off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    # Everything else is routed through the front controller.
    location / {
        rewrite ^ /index.php$uri;
    }

    # Internal directories (including config/ and data/) are never served directly.
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # Only these PHP entry points are passed to PHP-FPM.
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # add_header in a location block replaces the server-level set rather
        # than extending it, so the security headers must be repeated here.
        add_header X-Content-Type-Options nosniff;
        #add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        access_log off;
    }
}

Database: mariadb

PHP version: 7.1.5 / 7.0

Nextcloud version: 12.0.0.29

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: official zip

Signing status: No errors have been found.


List of activated apps:

  • activity: 2.5.2
  • bruteforcesettings: 1.0.2
  • calendar: 1.5.3
  • circles: 0.10.0
  • comments: 1.2.0
  • contacts: 1.5.3
  • dav: 1.3.0
  • deck: 0.1.4
  • external: 2.0.3
  • federatedfilesharing: 1.2.0
  • federation: 1.2.0
  • files: 1.7.2
  • files_external: 1.3.0
  • files_pdfviewer: 1.1.1
  • files_sharing: 1.4.0
  • files_texteditor: 2.4.1
  • files_trashbin: 1.2.0
  • files_versions: 1.5.0
  • files_videoplayer: 1.1.0
  • firstrunwizard: 2.1
  • gallery: 17.0.0
  • gpxedit: 0.0.6
  • gpxpod: 2.1.2
  • keeweb: 0.4.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.0.0
  • nextant: 1.0.8
  • nextcloud_announcements: 1.1
  • notifications: 2.0.0
  • oauth2: 1.0.5
  • password_policy: 1.2.2
  • provisioning_api: 1.2.0
  • richdocuments: 1.12.31
  • serverinfo: 1.2.0
  • sharebymail: 1.2.0
  • spreed: 2.0.1
  • survey_client: 1.0.0
  • systemtags: 1.2.0
  • tasks: 0.9.5
  • theming: 1.3.0
  • twofactor_backupcodes: 1.1.1
  • updatenotification: 1.2.0
  • workflowengine: 1.2.0

Disabled:
  • admin_audit
  • encryption
  • user_external
  • user_ldap

Nextcloud configuration:
{
"system": {
"instanceid": "ocr7z84e70jc",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"www.xn--kevin-kck-67a.de",
"droidserver",
"192.168.178.95",
"xn--kevin-kck-67a.de"
],
"datadirectory": "/mnt/static/nextcloud_data/",
"overwrite.cli.url": "https://www.xn--kevin-kck-67a.de",
"dbtype": "mysql",
"version": "12.0.0.29",
"dbname": "nextcloud",
"dbhost": "localhost",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"updater.release.channel": "beta",
"memcache.local": "\\OC\\Memcache\\Redis",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "localhost",
"port": 6379,
"timeout": 0
},
"log_rotation_size": 10485760,
"maintenance": false
},
"apps": {
"activity": {
"enabled": "yes",
"installed_version": "2.5.2",
"types": "filesystem"
},
"backgroundjob": {
"lastjob": "1"
},
"bruteForce": {
"whitelist_1": "192.168.178.0/24"
},
"bruteforcesettings": {
"enabled": "yes",
"installed_version": "1.0.2",
"types": ""
},
"calendar": {
"enabled": "yes",
"installed_version": "1.5.3",
"types": ""
},
"circles": {
"enabled": "yes",
"installed_version": "0.10.0",
"types": ""
},
"comments": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "logging"
},
"contacts": {
"enabled": "yes",
"installed_version": "1.5.3",
"types": ""
},
"core": {
"backgroundjobs_mode": "cron",
"installed.bundles": "[\"CoreBundle\"]",
"installedat": "1495561060.6384",
"lastcron": "1495983601",
"lastupdateResult": "[]",
"lastupdatedat": "1495983993",
"oc.integritycheck.checker": "[]",
"public_files": "files_sharing/public.php",
"public_webdav": "dav/appinfo/v1/publicwebdav.php",
"scss.variables": "c47874c98a616aedce04e65e32a4e69d",
"umgmt_show_backend": "true",
"umgmt_show_storage_location": "true",
"vendor": "nextcloud"
},
"dav": {
"enabled": "yes",
"installed_version": "1.3.0",
"types": "filesystem"
},
"deck": {
"enabled": "yes",
"installed_version": "0.1.4",
"types": ""
},
"external": {
"enabled": "yes",
"installed_version": "2.0.3",
"types": ""
},
"federatedfilesharing": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": ""
},
"federation": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "authentication"
},
"files": {
"cronjob_scan_files": "500",
"enabled": "yes",
"installed_version": "1.7.2",
"types": "filesystem"
},
"files_external": {
"enabled": "yes",
"installed_version": "1.3.0",
"types": "filesystem"
},
"files_pdfviewer": {
"enabled": "yes",
"installed_version": "1.1.1",
"ocsid": "166049",
"types": ""
},
"files_sharing": {
"enabled": "yes",
"installed_version": "1.4.0",
"types": "filesystem"
},
"files_texteditor": {
"enabled": "yes",
"installed_version": "2.4.1",
"ocsid": "166051",
"types": ""
},
"files_trashbin": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "filesystem"
},
"files_versions": {
"enabled": "yes",
"installed_version": "1.5.0",
"types": "filesystem"
},
"files_videoplayer": {
"enabled": "yes",
"installed_version": "1.1.0",
"types": ""
},
"firstrunwizard": {
"enabled": "yes",
"installed_version": "2.1",
"types": "logging"
},
"gallery": {
"enabled": "yes",
"installed_version": "17.0.0",
"types": ""
},
"gpxedit": {
"enabled": "yes",
"installed_version": "0.0.6",
"types": ""
},
"gpxpod": {
"enabled": "yes",
"installed_version": "2.1.2",
"types": ""
},
"keeweb": {
"enabled": "yes",
"installed_version": "0.4.0",
"types": ""
},
"logreader": {
"enabled": "yes",
"installed_version": "2.0.0",
"ocsid": "170871",
"types": ""
},
"lookup_server_connector": {
"enabled": "yes",
"installed_version": "1.0.0",
"types": "authentication"
},
"nextant": {
"enabled": "yes",
"installed_version": "1.0.8",
"types": "filesystem"
},
"nextcloud_announcements": {
"enabled": "yes",
"installed_version": "1.1",
"pub_date": "Sat, 10 Dec 2016 00:00:00 +0100",
"types": "logging"
},
"notifications": {
"enabled": "yes",
"installed_version": "2.0.0",
"types": "logging"
},
"oauth2": {
"enabled": "yes",
"installed_version": "1.0.5",
"types": "authentication"
},
"password_policy": {
"enabled": "yes",
"installed_version": "1.2.2",
"types": ""
},
"provisioning_api": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "prevent_group_restriction"
},
"richdocuments": {
"enabled": "yes",
"installed_version": "1.12.31",
"types": "prevent_group_restriction"
},
"serverinfo": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": ""
},
"sharebymail": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "filesystem"
},
"spreed": {
"enabled": "yes",
"installed_version": "2.0.1",
"types": "prevent_group_restriction"
},
"survey_client": {
"enabled": "yes",
"installed_version": "1.0.0",
"last_report": "{\"id\":\"ocr7z84e70jc\",\"items\":[[\"server\",\"version\",\"12.0.0.29\"],[\"server\",\"code\",\"other\"],[\"server\",\"enable_avatars\",\"yes\"],[\"server\",\"enable_previews\",\"yes\"],[\"server\",\"memcache.local\",\"\\\\OC\\\\Memcache\\\\Redis\"],[\"server\",\"memcache.distributed\",\"\\\\OC\\\\Memcache\\\\Redis\"],[\"server\",\"asset-pipeline.enabled\",\"no\"],[\"server\",\"filelocking.enabled\",\"yes\"],[\"server\",\"memcache.locking\",\"\\\\OC\\\\Memcache\\\\Redis\"],[\"server\",\"debug\",\"no\"],[\"server\",\"cron\",\"cron\"],[\"php\",\"version\",\"7.0.15\"],[\"php\",\"memory_limit\",536870912],[\"php\",\"max_execution_time\",3600],[\"php\",\"upload_max_filesize\",4294967296],[\"database\",\"type\",\"mysql\"],[\"database\",\"version\",\"10.0.29\"],[\"database\",\"size\",42778624],[\"apps\",\"activity\",\"2.5.2\"],[\"apps\",\"bruteforcesettings\",\"1.0.2\"],[\"apps\",\"calendar\",\"1.5.3\"],[\"apps\",\"circles\",\"0.10.0\"],[\"apps\",\"comments\",\"1.2.0\"],[\"apps\",\"contacts\",\"1.5.3\"],[\"apps\",\"dav\",\"1.3.0\"],[\"apps\",\"deck\",\"0.1.4\"],[\"apps\",\"external\",\"2.0.2\"],[\"apps\",\"federatedfilesharing\",\"1.2.0\"],[\"apps\",\"federation\",\"1.2.0\"],[\"apps\",\"files\",\"1.7.2\"],[\"apps\",\"files_external\",\"1.3.0\"],[\"apps\",\"files_pdfviewer\",\"1.1.1\"],[\"apps\",\"files_sharing\",\"1.4.0\"],[\"apps\",\"files_texteditor\",\"2.4.1\"],[\"apps\",\"files_trashbin\",\"1.2.0\"],[\"apps\",\"files_versions\",\"1.5.0\"],[\"apps\",\"files_videoplayer\",\"1.1.0\"],[\"apps\",\"firstrunwizard\",\"2.1\"],[\"apps\",\"gallery\",\"17.0.0\"],[\"apps\",\"gpxedit\",\"0.0.6\"],[\"apps\",\"gpxpod\",\"2.1.2\"],[\"apps\",\"keeweb\",\"0.4.0\"],[\"apps\",\"logreader\",\"2.0.0\"],[\"apps\",\"lookup_server_connector\",\"1.0.0\"],[\"apps\",\"nextant\",\"1.0.8\"],[\"apps\",\"nextcloud_announcements\",\"1.1\"],[\"apps\",\"notifications\",\"2.0.0\"],[\"apps\",\"oauth2\",\"1.0.5\"],[\"apps\",\"password_policy\",\"1.2.2\"],[\"apps\",\"provisioning_api\",\"1.2.0\"],[\"apps\",\"richdocuments\",\"1.12.28\"],[\"apps\",\"serverinfo\",\"1.2.0\"],[\"apps\",\"sharebymail\",\"1.2.0\"],[\"apps\",\"spreed\",\"2.0.1\"],[\"apps\",\"survey_client\",\"1.0.0\"],[\"apps\",\"systemtags\",\"1.2.0\"],[\"apps\",\"tasks\",\"0.9.5\"],[\"apps\",\"theming\",\"1.3.0\"],[\"apps\",\"twofactor_backupcodes\",\"1.1.1\"],[\"apps\",\"updatenotification\",\"1.2.0\"],[\"apps\",\"workflowengine\",\"1.2.0\"],[\"stats\",\"num_files\",25399],[\"stats\",\"num_users\",1],[\"stats\",\"num_storages\",2],[\"stats\",\"num_storages_local\",1],[\"stats\",\"num_storages_home\",1],[\"stats\",\"num_storages_other\",0],[\"stats\",\"num_comments\",0],[\"stats\",\"num_comment_markers\",0],[\"stats\",\"num_systemtags\",0],[\"stats\",\"num_systemtags_mappings\",0],[\"files_sharing\",\"num_shares\",0],[\"files_sharing\",\"num_shares_user\",0],[\"files_sharing\",\"num_shares_groups\",0],[\"files_sharing\",\"num_shares_link\",0],[\"files_sharing\",\"num_shares_link_no_password\",0],[\"files_sharing\",\"num_fed_shares_sent\",0],[\"files_sharing\",\"num_fed_shares_received\",0],[\"encryption\",\"enabled\",\"no\"],[\"encryption\",\"default_module\",\"no\"]]}",
"last_sent": "1495636580",
"types": ""
},
"systemtags": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "logging"
},
"tasks": {
"enabled": "yes",
"installed_version": "0.9.5",
"types": ""
},
"theming": {
"enabled": "yes",
"installed_version": "1.3.0",
"types": "logging"
},
"twofactor_backupcodes": {
"enabled": "yes",
"installed_version": "1.1.1",
"types": ""
},
"updatenotification": {
"enabled": "yes",
"external": "2.0.3",
"installed_version": "1.2.0",
"richdocuments": "1.12.31",
"types": "",
"update_check_errors": "0"
},
"workflowengine": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "filesystem"
}
}
}


Are you using external storage, if yes which one: local

Are you using encryption: no

Are you using an external user-backend, if yes which one: none

Client configuration

Browser: Chrome and Firefox

Operating system: Ubuntu 16.04

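The console errors in the report are a plain CSP source-matching failure: the page origin is the external domain, but the logo and background are referenced by absolute URLs under the internal hostname, and 'self' only covers the exact scheme, host and port of the page. The following is an added example (not code from the Nextcloud project or from the issue author) that reproduces the browser's decision offline: it parses a Content-Security-Policy header, extracts <img src> and CSS url(...) references from a page, resolves them against the page URL, and reports every image that no img-src source expression allows. The HTML, CSS and header values are constructed to mirror the report (hostnames www.xn--kevin-kck-67a.de and droidserver); the function names are my own.

```python
"""Offline check of which image URLs a CSP img-src directive would block.

Added example, not code from Nextcloud or the issue author. Implements the
CSP matching rules a browser applies to img-src: 'self', 'none', '*',
scheme-sources (data:, blob:, https:) and host-sources with optional scheme,
wildcard host, port and path.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample mirroring the report: page served from the external
# domain, logo and background baked in under the internal hostname.
SAMPLE_PAGE_URL = "https://www.xn--kevin-kck-67a.de/login"
SAMPLE_CSP = "default-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'"
SAMPLE_HTML = """<html><head><style>
#body-login { background-image: url('https://droidserver/core/img/background.jpg?v=0'); }
</style></head><body>
<img src="https://droidserver/core/img/logo.svg?v=0">
<img src="/core/img/favicon.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<img src="https://www.xn--kevin-kck-67a.de/core/img/actions/user.svg">
</body></html>"""

DEFAULT_PORTS = {"http": 80, "https": 443}
HOST_SOURCE = re.compile(r"^(?:([A-Za-z][A-Za-z0-9+.-]*)://)?([^/:]+)(?::(\d+|\*))?(/.*)?$")


def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    p = urlparse(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def source_allows(source, url, page_url):
    """Does one img-src source expression permit loading `url` from `page_url`?"""
    src = source.strip()
    u = urlparse(url)
    u_scheme = u.scheme.lower()
    if src.lower() == "'none'":
        return False
    if src.lower() == "'self'":                      # same scheme, host and port as the page
        return _origin(url) == _origin(page_url)
    if src == "*":
        return u_scheme not in ("data", "blob", "filesystem")
    if src.endswith(":") and "/" not in src:         # scheme-source such as data: or https:
        return u_scheme == src[:-1].lower()
    m = HOST_SOURCE.match(src)                       # host-source: [scheme://]host[:port][/path]
    if not m:
        return False
    scheme, host, port, path = m.groups()
    page_scheme = urlparse(page_url).scheme.lower()
    if scheme:
        if u_scheme != scheme.lower():
            return False
    elif u_scheme != page_scheme and not (page_scheme == "http" and u_scheme == "https"):
        return False                                 # scheme-less source inherits the page scheme
    u_host, host = (u.hostname or "").lower(), host.lower()
    if host.startswith("*."):
        if not u_host.endswith(host[1:]):
            return False
    elif u_host != host:
        return False
    u_port = u.port or DEFAULT_PORTS.get(u_scheme)
    if port is None:                                 # no port given: URL must use its scheme's default
        if u_port != DEFAULT_PORTS.get(u_scheme):
            return False
    elif port != "*" and u_port != int(port):
        return False
    if path:                                         # "/dir/" is a prefix match, "/file" is exact
        u_path = u.path or "/"
        if path.endswith("/"):
            if not u_path.startswith(path):
                return False
        elif u_path != path:
            return False
    return True


class _ImageExtractor(HTMLParser):
    """Collect <img src> values and url(...) references inside <style> blocks."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.urls.extend(v for k, v in attrs if k == "src" and v)
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(re.findall(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", data))


def find_blocked_images(html, page_url, csp_header):
    """Return the absolute image URLs that no img-src source allows (falls back to default-src)."""
    policy = parse_csp(csp_header)
    sources = policy.get("img-src", policy.get("default-src", ["*"]))
    extractor = _ImageExtractor()
    extractor.feed(html)
    return [urljoin(page_url, ref) for ref in extractor.urls
            if not any(source_allows(s, urljoin(page_url, ref), page_url) for s in sources)]


if __name__ == "__main__":
    for blocked in find_blocked_images(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_CSP):
        print("blocked by img-src:", blocked)
```

To run this against a live instance, save the login page as served through the external domain together with its Content-Security-Policy response header (both are visible in the browser's network tab or with curl -i) and pass them to find_blocked_images. The check deliberately compares scheme, host and port for 'self', which is exactly why a URL generated with a different hostname is refused even though it points at the same server: the only fixes are relative or same-origin URLs in the generated markup, or an explicit host-source in the policy.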
@LukasReschke (Member)

Bug is caused by #5085 and #5137 should fix this :)
