Yetangitu / owncloud-apps

Applications for Nextcloud and Owncloud personal cloud server
GNU Affero General Public License v3.0

New CSP issue? #81

Closed xenithorb closed 6 years ago

xenithorb commented 6 years ago

Chromium browser console log:

ready.js?v=1.2.2.0072:28 /apps/files_reader/
epub.min.js?v=1.2.2.0072:8 Renderer is moving
EPUBJS.Book.gotoCfi @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ reader.min.js?v=1.2.2.0072:1
trigger @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ reader.min.js?v=1.2.2.0072:1
z @ epub.min.js?v=1.2.2.0072:8
A @ epub.min.js?v=1.2.2.0072:8
x @ epub.min.js?v=1.2.2.0072:8
pa @ epub.min.js?v=1.2.2.0072:8
characterData (async)
(anonymous) @ epub.min.js?v=1.2.2.0072:8
ja @ epub.min.js?v=1.2.2.0072:8
u @ epub.min.js?v=1.2.2.0072:8
r @ epub.min.js?v=1.2.2.0072:8
s @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ epub.min.js?v=1.2.2.0072:8
j @ epub.min.js?v=1.2.2.0072:9
XMLHttpRequest.send (async)
EPUBJS.core.request @ epub.min.js?v=1.2.2.0072:9
EPUBJS.Unarchiver.open @ epub.min.js?v=1.2.2.0072:11
EPUBJS.Book.unarchive @ epub.min.js?v=1.2.2.0072:8
EPUBJS.Book.open @ epub.min.js?v=1.2.2.0072:8
EPUBJS.Book @ epub.min.js?v=1.2.2.0072:8
EPUBJS.Reader @ reader.min.js?v=1.2.2.0072:1
a.ePubReader @ reader.min.js?v=1.2.2.0072:1
renderEpub @ ready.js?v=1.2.2.0072:134
document.onreadystatechange @ ready.js?v=1.2.2.0072:94
epub.min.js?v=1.2.2.0072:10 Refused to set the document's base URI to 'https://domain.redacted.com/apps/files_reader/OEBPS/cover.html' because it violates the following Content Security Policy directive: "base-uri 'none'".

EPUBJS.Render.Iframe.load @ epub.min.js?v=1.2.2.0072:10
EPUBJS.Renderer.load @ epub.min.js?v=1.2.2.0072:10
(anonymous) @ epub.min.js?v=1.2.2.0072:10
z @ epub.min.js?v=1.2.2.0072:8
A @ epub.min.js?v=1.2.2.0072:8
x @ epub.min.js?v=1.2.2.0072:8
pa @ epub.min.js?v=1.2.2.0072:8
characterData (async)
(anonymous) @ epub.min.js?v=1.2.2.0072:8
ja @ epub.min.js?v=1.2.2.0072:8
u @ epub.min.js?v=1.2.2.0072:8
r @ epub.min.js?v=1.2.2.0072:8
s @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ epub.min.js?v=1.2.2.0072:9
d @ epub.min.js?v=1.2.2.0072:9
n @ epub.min.js?v=1.2.2.0072:9
f @ epub.min.js?v=1.2.2.0072:9
(anonymous) @ epub.min.js?v=1.2.2.0072:9
setTimeout (async)
m @ epub.min.js?v=1.2.2.0072:9
z @ epub.min.js?v=1.2.2.0072:8
A @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ epub.min.js?v=1.2.2.0072:8
pa @ epub.min.js?v=1.2.2.0072:8
characterData (async)
(anonymous) @ epub.min.js?v=1.2.2.0072:8
ja @ epub.min.js?v=1.2.2.0072:8
u @ epub.min.js?v=1.2.2.0072:8
r @ epub.min.js?v=1.2.2.0072:8
s @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ epub.min.js?v=1.2.2.0072:8
j @ epub.min.js?v=1.2.2.0072:9
XMLHttpRequest.send (async)
EPUBJS.core.request @ epub.min.js?v=1.2.2.0072:9
EPUBJS.Unarchiver.open @ epub.min.js?v=1.2.2.0072:11
EPUBJS.Book.unarchive @ epub.min.js?v=1.2.2.0072:8
EPUBJS.Book.open @ epub.min.js?v=1.2.2.0072:8
EPUBJS.Book @ epub.min.js?v=1.2.2.0072:8
EPUBJS.Reader @ reader.min.js?v=1.2.2.0072:1
a.ePubReader @ reader.min.js?v=1.2.2.0072:1
renderEpub @ ready.js?v=1.2.2.0072:134
document.onreadystatechange @ ready.js?v=1.2.2.0072:94
epub.min.js?v=1.2.2.0072:10 Refused to set the document's base URI to 'https://domain.redacted.com/apps/files_reader/OEBPS/ch01.html' because it violates the following Content Security Policy directive: "base-uri 'none'".

EPUBJS.Render.Iframe.load @ epub.min.js?v=1.2.2.0072:10
EPUBJS.Renderer.load @ epub.min.js?v=1.2.2.0072:10
(anonymous) @ epub.min.js?v=1.2.2.0072:10
z @ epub.min.js?v=1.2.2.0072:8
A @ epub.min.js?v=1.2.2.0072:8
x @ epub.min.js?v=1.2.2.0072:8
pa @ epub.min.js?v=1.2.2.0072:8
characterData (async)
(anonymous) @ epub.min.js?v=1.2.2.0072:8
ja @ epub.min.js?v=1.2.2.0072:8
u @ epub.min.js?v=1.2.2.0072:8
r @ epub.min.js?v=1.2.2.0072:8
s @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ epub.min.js?v=1.2.2.0072:9
d @ epub.min.js?v=1.2.2.0072:9
n @ epub.min.js?v=1.2.2.0072:9
f @ epub.min.js?v=1.2.2.0072:9
(anonymous) @ epub.min.js?v=1.2.2.0072:9
setTimeout (async)
m @ epub.min.js?v=1.2.2.0072:9
(anonymous) @ epub.min.js?v=1.2.2.0072:10
z @ epub.min.js?v=1.2.2.0072:8
A @ epub.min.js?v=1.2.2.0072:8
x @ epub.min.js?v=1.2.2.0072:8
pa @ epub.min.js?v=1.2.2.0072:8
characterData (async)
(anonymous) @ epub.min.js?v=1.2.2.0072:8
ja @ epub.min.js?v=1.2.2.0072:8
u @ epub.min.js?v=1.2.2.0072:8
r @ epub.min.js?v=1.2.2.0072:8
s @ epub.min.js?v=1.2.2.0072:8
(anonymous) @ epub.min.js?v=1.2.2.0072:8
iframe.onload @ epub.min.js?v=1.2.2.0072:10
domain.redacted.com/:1 Refused to load the font 'blob:https://domain.redacted.com/cdaee481-96dc-4d8c-a2b2-877247534b7e' because it violates the following Content Security Policy directive: "font-src 'self' data:".

Returned CSP is as follows:

content-security-policy:default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-MDdkQ1FQL0ZaeEtFYjg3WC9zanZuRHFRN1E1Umd1MUE2NDhwTnorM1haWT06a09FUEdZV0dWSEd4TlpxYWhJV2o2US9KM3o4bTRJczRvdFVlVFh2a0V0ND0=' 'unsafe-eval';style-src 'self' blob: 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' data:;frame-src 'self';child-src 'self'

Versions:

Nextcloud 13.0.0.14
PHP 7.1.13 (cli) (built: Jan  3 2018 11:00:58) ( NTS )
nginx version: nginx/1.13.8
files_reader 1.2.2
xenithorb commented 6 years ago

I initially thought I had #44 as the issue until I looked at the XHR requests and saw that they were getting 200s no problem. Still, the fonts don't seem to be rendering properly, and I can't seem to save the font size or color.

AFAIK I'm not setting any content-security-policy headers in the NGINX config.

Yetangitu commented 6 years ago

There seem to be two things going on here, one being the EPUB renderer trying to set a base href, the other being a font failing to load from a blob: URI due to a missing font-src setting. I can do something about the font-related problem (by adding blob: to the CSP, it currently contains self and data) but not about the base-related "problem" (which probably does no harm other than specious log spam) as both NC and OC hard-code the base-uri to none.

If you want to fix the font problem yourself try this patch:

diff --git a/files_reader/lib/Controller/PageController.php b/files_reader/lib/Controller/PageController.php
index 3306292..8a500d1 100644
--- a/files_reader/lib/Controller/PageController.php
+++ b/files_reader/lib/Controller/PageController.php
@@ -115,6 +115,7 @@ class PageController extends Controller {
                $policy->addAllowedChildSrcDomain('\'self\'');
                $policy->addAllowedFontDomain('\'self\'');
                $policy->addAllowedFontDomain('data:');
+               $policy->addAllowedFontDomain('blob:');
                $policy->addAllowedImageDomain('blob:');
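Review bot: the added `$policy->addAllowedFontDomain('blob:');` line should carry a one-line comment saying why it exists (epub.js hands the browser fonts unpacked from the EPUB as blob: URLs, which is the `font-src 'self' data:` refusal quoted in this issue), otherwise a later tightening of the policy can drop it without knowing what breaks. The widening itself is narrow: a blob: URL can only be minted by script already running in the page's origin, and it matches neither 'self' nor data:, so the scheme source is the only way to permit it. The `base-uri 'none'` refusals in the same console log are untouched by this hunk, consistent with the comment above that core sets that directive.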

You can also wait for the next release which will include this change.
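To see which directive of the header quoted earlier refuses each load, and that the patch clears the font error but leaves the base-uri one, here is an added Python evaluator (example code, not part of files_reader or Nextcloud). It handles only the source forms this header uses ('self', 'none', scheme sources) and replaces the script nonce with a placeholder.

```python
from urllib.parse import urlsplit

ORIGIN = "https://domain.redacted.com"
# Header returned by the server in this issue; the script nonce is replaced by a placeholder.
CSP_BEFORE = ("default-src 'none';base-uri 'none';manifest-src 'self';"
              "script-src 'nonce-PLACEHOLDER' 'unsafe-eval';"
              "style-src 'self' blob: 'unsafe-inline';img-src 'self' data: blob:;"
              "font-src 'self' data:;connect-src 'self';media-src 'self' data:;"
              "frame-src 'self';child-src 'self'")
# The same header once the patch adds blob: to font-src.
CSP_AFTER = CSP_BEFORE.replace("font-src 'self' data:", "font-src 'self' data: blob:")
# The loads the console refused, as (directive consulted, URL), taken from the issue.
LOADS = {
    "epub font": ("font-src", "blob:" + ORIGIN + "/cdaee481-96dc-4d8c-a2b2-877247534b7e"),
    "base href": ("base-uri", ORIGIN + "/apps/files_reader/OEBPS/cover.html"),
}
# Fetch directives fall back to default-src when absent; base-uri does not.
FALLS_BACK = {"font-src", "img-src", "script-src", "style-src", "connect-src",
              "media-src", "frame-src", "child-src", "manifest-src", "object-src"}

def parse_csp(header):
    """Split a policy into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url):
    """One source expression vs one URL; blob: and data: URLs never match 'self'."""
    if expr == "'self'":
        return url == ORIGIN or url.startswith(ORIGIN + "/")
    if expr.endswith(":") and not expr.startswith("'"):  # scheme source, e.g. blob:
        return urlsplit(url).scheme == expr[:-1]
    return False  # 'none', nonces and 'unsafe-*' keywords do not match a URL

def check(header, directive, url):
    """Return (allowed, directive actually enforced) for one load."""
    policy = parse_csp(header)
    used = directive
    if used not in policy:
        if used not in FALLS_BACK or "default-src" not in policy:
            return True, None  # nothing in the policy restricts this load
        used = "default-src"
    return any(source_matches(e, url) for e in policy[used]), used

def report(header):
    # Map each load from the issue to whether the given header permits it.
    return {label: check(header, d, url)[0] for label, (d, url) in LOADS.items()}
```

`report(CSP_BEFORE)` refuses both loads; `report(CSP_AFTER)` permits the font but still refuses the base href, because base-uri has no fallback and is 'none'.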

xenithorb commented 6 years ago

Alright, that works to get rid of the blob error.

What I'm left with is still not being able to save the fontSize preference, here's the object it's sending:

{
    "name": "activeStyles",
    "scope": "epubreader",
    "lastModified": "1519504848116149",
    "id": 2,
    "value": {
        "fontSize": true,
        "nightMode": true
    },
    "fileId": "0"
}

As far as I can tell it's not sending the server any information about the 104% that I set?

Is this another bug?

xenithorb commented 6 years ago

A similar object (basically the same) is sent when trying to change one of the colors:

{
    "name": "activeStyles",
    "scope": "epubreader",
    "lastModified": "1519506517447194",
    "id": 2,
    "value": {
        "fontSize": true,
        "nightMode": true
    },
    "fileId": "0"
}

Which is also not being saved. Are font size and custom colors supposed to save? ... The fact that it emits this in the first place kind of indicates that it should.

Yetangitu commented 6 years ago

That is... a bug.

I just checked this and noticed some of the settings do not get registered. I'll look into this for the next release, one of these days.

xenithorb commented 6 years ago

Got you a new bug to work with. Thanks for addressing this one so quickly!

Yetangitu commented 6 years ago

Joy... just home from abroad and the fun starts... no rest for the wicked it seems.

Yetangitu commented 6 years ago

Fixed in the next release, see https://github.com/Yetangitu/owncloud-apps/issues/82#issuecomment-368262626

Yetangitu commented 6 years ago

Fixed in v.1.2.3