Yetangitu / owncloud-apps

Applications for Nextcloud and Owncloud personal cloud server
GNU Affero General Public License v3.0

Content Security policy prevents external JS loading #25

Closed voyageur closed 7 years ago

voyageur commented 7 years ago

I switched my personal instance to Nextcloud some time ago, and updated to the recently released 11.0 version.

I wanted to install the files_reader application again, but apparently recent Nextcloud versions (not tested with 10.0) have a stricter content security policy that forbids loading of the other JS files used by the extension. Here is the Chrome error console output:

site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/js/lib/typedarray.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/js/lib/Blob.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/js/lib/wgxpath.install.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/vendor/epubjs/libs/jquery.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/vendor/epubjs/libs/screenfull.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/vendor/epubjs/libs/zip.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/vendor/epubjs/epub.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/vendor/epubjs/hooks.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/vendor/epubjs/hooks/extensions/highlight.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/vendor/epubjs/reader.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".
site.com/:1 Refused to load the script 'https://site.com/nextcloud/apps/files_reader/js/ready.js' because it violates the following Content Security Policy directive: "script-src 'nonce-someID' 'unsafe-eval'".

Apparently the policy can be fixed in appinfo (but JS is not my favourite language): https://help.nextcloud.com/t/content-security-policy-in-nextcloud/5288/4

I do not have an owncloud instance anymore, so I am not sure if this is compatible (or even required by recent owncloud).

Note: appinfo/info.xml also now requires its own nextcloud entry in dependencies to allow activation
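
The refusals reported above, modeled as an added example (not part of the original post and not the project's code): a simplified matcher for external scripts against a `script-src` source list, showing why a policy of only `'nonce-…' 'unsafe-eval'` rejects every script element that lacks the nonce. The function names (`parseDirective`, `hostMatches`, `scriptAllowed`) are hypothetical and the inputs are constructed from the console output.

```javascript
// Simplified model of how a browser matches an external <script> against
// script-src (falling back to default-src). Hashes, paths, ports, scheme-only
// sources and 'strict-dynamic' are left out. All names here are hypothetical.
function parseDirective(policy, name) {
  // A policy is ';'-separated directives: a name followed by a source list.
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null; // directive absent
}

function hostMatches(pattern, host) {
  // "*.example.com" matches subdomains only; anything else must match exactly.
  const p = pattern.toLowerCase();
  return p.startsWith('*.') ? host.endsWith(p.slice(1)) : p === host;
}

function scriptAllowed(policy, script, pageUrl) {
  const sources = parseDirective(policy, 'script-src') ?? parseDirective(policy, 'default-src');
  if (sources === null) return true; // neither directive present: no restriction
  const page = new URL(pageUrl);
  const url = new URL(script.src, page);
  for (const source of sources) {
    const nonce = /^'nonce-(.+)'$/.exec(source);
    if (nonce) {
      // The element's nonce attribute must equal the value sent in the header.
      if (script.nonce === nonce[1]) return true;
    } else if (source === "'self'") {
      if (url.origin === page.origin) return true;
    } else if (source === '*') {
      if (url.protocol === 'https:' || url.protocol === 'http:') return true;
    } else if (!source.startsWith("'")) {
      // Host source such as "https://cdn.example" or "cdn.example"; without a
      // scheme, this model requires the page's own scheme.
      const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/i.exec(source);
      const scheme = m && m[1] ? m[1].toLowerCase() + ':' : page.protocol;
      if (m && scheme === url.protocol && hostMatches(m[2], url.hostname)) return true;
    }
    // Keywords such as 'unsafe-eval' never authorize loading a script URL.
  }
  return false;
}

// Constructed inputs taken from the console output in the report.
const PAGE = 'https://site.com/nextcloud/';
const POLICY = "script-src 'nonce-someID' 'unsafe-eval'";
const READY_JS = 'https://site.com/nextcloud/apps/files_reader/js/ready.js';
```

Under the reported policy, `scriptAllowed(POLICY, { src: READY_JS }, PAGE)` is false even though the file is same-origin, while the same element with `nonce: 'someID'` is accepted.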

Yetangitu commented 7 years ago

I'll look into this soon, first have to update my instance of NC which has lagged due to lack of time...

Yetangitu commented 7 years ago

Fixed in v0.8.0 and later

voyageur commented 7 years ago

Looking good here with v0.8.1 :) thanks!