nextcloud / ocs_api_viewer


Content Security Policy block #14

Closed FahrJo closed 6 months ago

FahrJo commented 6 months ago

I get those two errors in my browser log when I select an app in the left menu and the main view stays empty:

Refused to load https://my-domain.cloud/apps/ocs_api_viewer/js/stoplight-elements.js because it does not appear in the script-src directive of the Content Security Policy.
Refused to load https://my-domain.cloud/apps/ocs_api_viewer/js/ocs_api_viewer-iframe-theme.js because it does not appear in the script-src directive of the Content Security Policy.

I don't have that issue with any other app.

Content-Security-Policy:

Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-OExFUW1td3RCdkJRK3luaGFkMmY1aXNRVGxJSlBGeGNNazBjNzlyZExJbz06dHZWQ3lGa1phSmNuZ1dpTkRxakduMTFVSVJWZENHd3dWaDFhM1kzcGRycz0=' blob: 'unsafe-eval' 'unsafe-inline' ;script-src-elem 'strict-dynamic' 'nonce-OExFUW1td3RCdkJRK3luaGFkMmY1aXNRVGxJSlBGeGNNazBjNzlyZExJbz06dHZWQ3lGa1phSmNuZ1dpTkRxakduMTFVSVJWZENHd3dWaDFhM1kzcGRycz0=' blob: 'unsafe-eval' 'unsafe-inline' ;style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org;font-src 'self' data:;connect-src 'self' blob: stun.nextcloud.com:443 phoenixtheater-rastatt.cloud:3478;media-src 'self' blob:;frame-src 'self';child-src blob: 'self';frame-ancestors 'self';worker-src blob: 'self';form-action 'self'

Can this be a bug from the app, or do I have to overwrite my CSP settings?

Server
- Nextcloud: 28.0.0
- OCS API Viewer: 1.0.4
- OS: Ubuntu 18.04.6 LTS
- Web server: Apache 2.4
- Database: MariaDB
- PHP: 8.2

Client
- Browser: Safari 17.2 and Firefox 120.0.1
- OS: macOS

provokateurin commented 6 months ago

Yeah this got broken with 28 :/ cc @nickvergessen @susnux

susnux commented 6 months ago

You need to add the nonce to your scripts if they import other scripts.

So in your entry point (I guess main.js):

import { getRequestToken } from '@nextcloud/auth'

// webpack reads this global at runtime and puts it into the nonce attribute of every
// <script> tag it injects for dynamically imported chunks, so they pass the CSP nonce check.
// eslint-disable-next-line camelcase
__webpack_nonce__ = btoa(getRequestToken())
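To make the refusal in the issue and the fix above concrete, here is an added example (not code from ocs_api_viewer, Nextcloud or webpack) that models the CSP Level 3 decision a browser makes for a `<script src>` element: a matching nonce wins outright; under `'strict-dynamic'` host sources and `'self'` are ignored and only scripts created by already-trusted script (not inserted by the HTML parser) are accepted; otherwise the host allow-list applies. The page origin, the policy string (shaped like the one in the issue) and the nonce value are constructed for the example; hash sources are not modelled.

```javascript
// Added example, not project code: a compact model of how a browser evaluates a
// <script src="..."> element against Content-Security-Policy (CSP Level 3 rules).
// Constructed for this example: ORIGIN, NONCE, ISSUE_POLICY and the script URLs.

// "dir a b;dir2 c" -> Map(dir -> [a, b], dir2 -> [c]); the first occurrence of a directive wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fallback chain for script elements: script-src-elem, then script-src, then default-src.
function effectiveDirective(policy) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null;
}

// Host/scheme source matching: 'self', "scheme:", "host", "*.host", optional scheme and port.
function hostMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false;            // keywords, nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  if (port && url.port !== port) return false;
  const hostname = url.hostname.toLowerCase();
  const h = host.toLowerCase();
  return wildcard ? hostname.endsWith('.' + h) : hostname === h;
}

// script = { url, nonce?, parserInserted }. Returns { allowed, reason }.
function scriptAllowed(header, script, pageOrigin) {
  const directive = effectiveDirective(parseCsp(header));
  if (!directive) return { allowed: true, reason: 'no directive governs script elements' };
  const { name, sources } = directive;

  // 1. A nonce attribute matching a 'nonce-...' source always allows the load.
  const nonces = sources.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1));
  if (script.nonce && nonces.includes(script.nonce)) {
    return { allowed: true, reason: `nonce matches ${name}` };
  }
  // 2. With 'strict-dynamic', host sources and 'self' are ignored: only scripts created by
  //    already-trusted script (not inserted by the HTML parser) are allowed.
  if (sources.includes("'strict-dynamic'")) {
    return script.parserInserted
      ? { allowed: false, reason: `no matching nonce; 'strict-dynamic' in ${name} ignores host sources` }
      : { allowed: true, reason: `non-parser-inserted script under 'strict-dynamic' in ${name}` };
  }
  // 3. Otherwise the host/scheme allow-list decides.
  const url = new URL(script.url);
  if (sources.some(s => hostMatches(s, url, pageOrigin))) {
    return { allowed: true, reason: `URL matches a host source in ${name}` };
  }
  return { allowed: false, reason: `${script.url} does not appear in the ${name} directive` };
}

// Constructed policy in the shape of the one from the issue (nonce value is made up).
const NONCE = 'ZXhhbXBsZS1ub25jZQ==';
const ISSUE_POLICY =
  `default-src 'none';script-src 'nonce-${NONCE}' blob: 'unsafe-eval' 'unsafe-inline';` +
  `script-src-elem 'strict-dynamic' 'nonce-${NONCE}' blob: 'unsafe-eval' 'unsafe-inline';` +
  `style-src 'self' 'unsafe-inline';frame-src 'self'`;
const ORIGIN = 'https://my-domain.cloud';
const STOPLIGHT = `${ORIGIN}/apps/ocs_api_viewer/js/stoplight-elements.js`;

// A parser-inserted <script src> with no nonce: refused, 'self' does not help under 'strict-dynamic'.
function unnoncedLoad() {
  return scriptAllowed(ISSUE_POLICY, { url: STOPLIGHT, parserInserted: true }, ORIGIN);
}
// The same tag carrying the per-response nonce, as a tag emitted with __webpack_nonce__ set would: allowed.
function noncedLoad() {
  return scriptAllowed(ISSUE_POLICY, { url: STOPLIGHT, nonce: NONCE, parserInserted: true }, ORIGIN);
}

console.log(unnoncedLoad());
console.log(noncedLoad());
```

Of the three paths, only the nonce match is independent of both the host list and how the element reached the DOM, which is why attaching the nonce to every tag webpack emits is the portable fix. The model also shows why adding `'self'` to `script-src-elem` would not help: once `'strict-dynamic'` is present, host sources are ignored.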