nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[CSP] certain policies are not set at all - frame-src, worker-src, frame-ancestors #13042

Open Schmuuu opened 5 years ago

Schmuuu commented 5 years ago

When scanning my NC server with: https://observatory.mozilla.org

I notice that a few (many?) CSPs are not set at all, although they can be found in the source code. I noticed this phenomenon in NC14 already but thought, due to the planned rework of CSP with NC15, this might get "corrected" in this latest release. After a fresh upgrade to NC15 the above-mentioned site still reports some policies missing.

The output is:

```
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-ZS [...] D0=';style-src 'self' 'unsafe-inline' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' ;media-src 'self' blob:;child-src 'self';
```

The policies missing, although mentioned in the PHP file nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php:

What could be added by this opportunity is:

I ran some tests by manipulating the PHP file nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php

and added "else" blocks to all the missing policies, like in this example ("if" block is standard, "else" was added by me):

```php
if (!empty($this->allowedFrameAncestors)) {
    $policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors);
    $policy .= ';';
} else {
    // added "else" block: emit a 'self' default when no frame ancestors are configured
    $policy .= "frame-ancestors 'self';";
}
```

Due to this change, the site reports:

```
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';form-action 'self';script-src 'nonce-ZS-[...]-D0=';style-src 'self' 'unsafe-inline' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' ;media-src 'self' blob:; frame-src 'self' https://office.mydomain.tld https://www.draw.io; child-src 'self'; frame-ancestors 'self';worker-src 'self'
```

I know it's a dirty hack right now, but I don't understand the code enough to correctly fix that. However, it works that way. I ran all NC14.0.x releases with this or similar changes in that file without any issues or limitations.

Steps to reproduce

  1. Run the test of https://observatory.mozilla.org against an NC15 server
  2. look out for the raw Content-Security-Policy response

Expected behaviour

All the policies appear in that CSP response

Actual behaviour

These policies are missing completely, so the CSP is not as strict as probably intended.

Server configuration

Operating system: ArchLinux 4.14.87-1-lts

Web server: nginx 1.14.2

Database: 10.1.37-MariaDB

PHP version: 7.2.13

Nextcloud version: NC 15.0.0.10

Updated from an older Nextcloud/ownCloud or fresh install: Updated via web updater from NC14.0.4

Where did you install Nextcloud from: NC internal web updater

Signing status:

Signing status

```
No errors have been found.
```

List of activated apps:

App list

```
Enabled:
 - accessibility: 1.1.0
 - activity: 2.8.2
 - admin_audit: 1.5.0
 - announcementcenter: 3.4.0
 - apporder: 0.6.0
 - audioplayer: 2.4.1
 - bookmarks: 0.14.3
 - bruteforcesettings: 1.2.0
 - calendar: 1.6.4
 - cloud_federation_api: 0.1.0
 - comments: 1.5.0
 - contacts: 2.1.8
 - dav: 1.8.0
 - deck: 0.5.1
 - dropit: 0.1.3
 - event_update_notification: 0.3.1
 - external: 3.2.0
 - federatedfilesharing: 1.5.0
 - federation: 1.5.0
 - files: 1.10.0
 - files_accesscontrol: 1.5.0
 - files_automatedtagging: 1.5.0
 - files_downloadactivity: 1.4.0
 - files_external: 1.6.0
 - files_markdown: 2.0.5
 - files_pdfviewer: 1.4.0
 - files_retention: 1.4.0
 - files_sharing: 1.7.0
 - files_texteditor: 2.7.0
 - files_trashbin: 1.5.0
 - files_versions: 1.8.0
 - files_videoplayer: 1.4.0
 - firstrunwizard: 2.4.0
 - gallery: 18.2.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.3.0
 - mail: 0.11.0
 - metadata: 0.8.0
 - nextcloud_announcements: 1.4.0
 - notes: 2.5.1
 - notifications: 2.3.0
 - oauth2: 1.3.0
 - ojsxc: 3.4.3
 - onlyoffice: 2.1.2
 - password_policy: 1.5.0
 - previewgenerator: 2.0.0
 - provisioning_api: 1.5.0
 - quota_warning: 1.4.0
 - ransomware_protection: 1.3.0
 - serverinfo: 1.5.0
 - sharebymail: 1.5.0
 - sharerenamer: 2.3.0
 - spreed: 4.99.0
 - support: 1.0.0
 - systemtags: 1.5.0
 - tasks: 0.9.8
 - telephoneprovider: 1.0.2
 - theming: 1.6.0
 - twofactor_backupcodes: 1.4.1
 - twofactor_totp: 2.1.0
 - updatenotification: 1.5.0
 - workflowengine: 1.5.0
Disabled:
 - camerarawpreviews
 - checksum
 - circles
 - cms_pico
 - dashboard
 - dicomviewer
 - drawio
 - encryption
 - files_mindmap
 - files_reader
 - files_rightclick
 - issuetemplate
 - polls
 - ransomware_detection
 - socialsharing_email
 - survey_client
 - user_external
 - user_ldap
 - user_usage_report
```

Nextcloud configuration:

Config report

```json
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.mydomain.tld",
            "192.168.1.100",
            "localhost"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "version": "15.0.0.10",
        "logtimezone": "Europe\/Berlin",
        "appstore.experimental.enabled": true,
        "appstoreenabled": true,
        "appstoreurl": "https:\/\/api.nextcloud.com\/v1",
        "appcodechecker": true,
        "apps_paths": [
            {
                "path": "\/var\/www\/nextcloud\/apps",
                "url": "\/apps",
                "writable": true
            }
        ],
        "mail_smtpmode": "smtp",
        "mail_smtpauth": 1,
        "mail_smtpport": "587",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\TIFF",
            "OCA\\CameraRawPreviews\\RawPreview",
            "OCA\\CameraRawPreviews\\IndesignPreview",
            "OC\\Preview\\Movie",
            "OC\\Preview\\Photoshop"
        ],
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "maintenance": false,
        "updater.server.url": "https:\/\/updates.nextcloud.com\/updater_server\/",
        "updater.release.channel": "stable",
        "loglevel": 2,
        "theme": "",
        "installed": true,
        "overwrite.cli.url": "https:\/\/cloud.mydomain.tld",
        "defaultapp": "apporder",
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}
```

Are you using external storage, if yes which one: in OS mounted smb share via CIFS as additional external drive. All user data are on internal storage, however.

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Logs

Not applicable as the server runs perfectly fine. There are no error messages that might be related.

J0WI commented 5 years ago

They are trivial to implement. form-action will be more challenging.

rullzer commented 5 years ago

So adding the default self is not needed here. If you want to support self you need to update the CSP.

frame-ancestors would make sense to set. I'll look into that. Same with form-action it is just a directive. By default setting it to self would be a good hardening.
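As an added illustration (not code from the issue or from Nextcloud), the check below parses a header like the one reported above and separates directives that are genuinely unrestricted when absent (frame-ancestors, form-action) from fetch directives such as frame-src and worker-src that already inherit child-src 'self', which is the distinction rullzer draws. The sample header is constructed from the report with the nonce replaced by a placeholder.

```python
# Added example (not Nextcloud code): audit a Content-Security-Policy header as the
# Observatory scan does, but tell apart "absent and inherits a fallback" from "absent
# and therefore unrestricted", which is what matters when deciding what to add.

# Directives with no fallback: if absent, the browser applies no restriction at all.
# (frame-ancestors, once present, also supersedes X-Frame-Options in browsers.)
NO_FALLBACK = ("frame-ancestors", "form-action", "base-uri")

# CSP3 fallback chains for a few fetch directives; the first present entry wins.
FALLBACK_CHAIN = {
    "frame-src": ("child-src", "default-src"),
    "worker-src": ("child-src", "script-src", "default-src"),
    "object-src": ("default-src",),
    "script-src": ("default-src",),
    "connect-src": ("default-src",),
}

# Constructed sample: the header from the issue report, nonce replaced by a placeholder.
SAMPLE_HEADER = (
    "default-src 'none';base-uri 'none';manifest-src 'self';"
    "script-src 'nonce-EXAMPLE';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;"
    "font-src 'self';connect-src 'self' ;media-src 'self' blob:;child-src 'self';"
)

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:  # skip the empty fragment left by a trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: dict, directive: str):
    """Return (directive the browser actually applies, its sources), or (None, None)."""
    for name in (directive,) + FALLBACK_CHAIN.get(directive, ()):
        if name in policy:
            return name, policy[name]
    return None, None

def audit_csp(header: str) -> dict:
    """Unrestricted directives, plus absent ones and what they resolve to via fallback."""
    policy = parse_csp(header)
    unrestricted = [d for d in NO_FALLBACK if d not in policy]
    inherited = {d: effective_sources(policy, d) for d in FALLBACK_CHAIN if d not in policy}
    return {"unrestricted": unrestricted, "inherited": inherited}

if __name__ == "__main__":
    report = audit_csp(SAMPLE_HEADER)
    for directive, (via, sources) in report["inherited"].items():
        print(f"{directive}: not set, effectively {via} {' '.join(sources or [])}")
    print("no restriction at all:", report["unrestricted"])
```

For the reported header this flags frame-ancestors and form-action as the real gaps, while frame-src and worker-src resolve to child-src 'self', matching the 'self' values seen after the hack.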

rullzer commented 5 years ago

For form-action I need to read up a bit on https://github.com/w3c/webappsec-csp/issues/8 as Firefox and Chrome do not seem to agree.

MorrisJobke commented 5 years ago

Some were done in #13420

MorrisJobke commented 5 years ago

@rullzer 16 or 17?

rullzer commented 5 years ago

Move the rest to 17. I want to spend time adding more security headers there.

StCyr commented 5 years ago

Is it because of the frame-ancestors implementation that I get a message about X-Frame-Options not being set to SAMEORIGIN in settings/admin/overview?

I can see Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive. messages in my browser console when using nextcloud as a regular user

Using NC16.

szaimen commented 3 years ago

Is this Issue still valid in NC21.0.2? If not, please close this issue. Thanks! :)

ghost commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

mschoettle commented 5 months ago

On NC 28 the Mozilla Observatory reports an A+ (this is using the Docker image and the nginx example config: https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf).

The security overview however reports issues with the .well-known URLs. However, looking at the browser console it stems from the Content-Security-Policy:

```
Content-Security-Policy: The page’s settings blocked the loading of a resource at http://URL/index.php/.well-known/webfinger (“connect-src”). overview
Content-Security-Policy: The page’s settings blocked the loading of a resource at http://URL/index.php/.well-known/nodeinfo (“connect-src”). overview
Content-Security-Policy: The page’s settings blocked the loading of a resource at http://URL/remote.php/dav/ (“connect-src”). 2 overview
```

Although upon closer look it might just be because it tried http instead of https. The connect-src 'self' should cover this use case already.

J0WI commented 5 months ago

http:///remote.php/dav/

looks more like your host is not detected correctly

mschoettle commented 5 months ago

Sorry, I removed the actual host but the <URL> placeholder did not get rendered. I realized that the problem is due to nginx being behind a reverse proxy (traefik) itself, so I needed to update the nginx config to explicitly add https://$host to the redirect rules.