Open Schmuuu opened 5 years ago
`child-src` > `script-src` > `default-src`). They are trivial to implement.
`form-action` will be more challenging.
`frame-src` > `child-src` > `default-src`. So adding the default self is not needed here. If you want to support self you need to update the CSP.
`frame-ancestors` would make sense to set. I'll look into that.
Same with `form-action`, it is just a directive. By default setting it to self would be a good hardening.
For `form-action` I need to read up a bit on https://github.com/w3c/webappsec-csp/issues/8 as Firefox and Chrome do not seem to agree.
Some were done in #13420
@rullzer 16 or 17?
Move the rest to 17. I want to spend time adding more security headers there
Is it because of the `frame-ancestors` implementation that I get a message about `X-Frame-Options` not being set to `SAMEORIGIN` in settings/admin/overview?
I can see `Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.` messages in my browser console when using nextcloud as a regular user.
Using NC16.
Is this Issue still valid in NC21.0.2? If not, please close this issue. Thanks! :)
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.
On NC 28 the Mozilla Observatory reports an A+ (this is using the Docker image and the nginx example config: https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf).
The security overview however reports issues with the `.well-known` URLs. However, looking at the browser console it stems from the Content-Security-Policy:
```
Content-Security-Policy: The page’s settings blocked the loading of a resource at http://URL/index.php/.well-known/webfinger (“connect-src”). overview
Content-Security-Policy: The page’s settings blocked the loading of a resource at http://URL/index.php/.well-known/nodeinfo (“connect-src”). overview
Content-Security-Policy: The page’s settings blocked the loading of a resource at http://URL/remote.php/dav/ (“connect-src”). 2 overview
```
Although upon closer look it might just be because it tried http instead of https. The `connect-src 'self'` should cover this use case already.
looks more like your host is not detected correctly
Sorry, I removed the actual host but the `<URL>` placeholder did not get rendered. I realized that the problem is due to nginx being behind a reverse proxy (traefik) itself, so I needed to update the nginx config to explicitly add `https://$host` to the redirect rules.
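The blocked requests above are a scheme mismatch, not a missing directive: CSP's `'self'` keyword only matches a URL with the same host, a matching (or default) port and the same scheme, the one allowance being that an http document may load https resources. The following added example (not Nextcloud code) implements that matching rule from CSP Level 3 and reports which component breaks the match; the host `cloud.example.test` and the document origins are constructed placeholders, the paths are the ones from the console messages quoted above.

```python
"""Check a URL against the CSP 'self' source expression and explain a mismatch.

Added example, not Nextcloud code. Implements the 'self' matching rule from
CSP Level 3: same host, a port that is equal or default for both schemes, and
the same scheme (an http document may load https; any document may open wss).
"""
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _effective_port(parts) -> Optional[int]:
    """Explicit port, or the scheme's default when none is written."""
    return parts.port if parts.port is not None else DEFAULT_PORT.get(parts.scheme)


def self_mismatch(origin: str, url: str) -> Optional[str]:
    """None if `url` matches 'self' for a document at `origin`; otherwise the
    first component that breaks the match: "host", "port" or "scheme"."""
    o, u = urlsplit(origin), urlsplit(url)
    if (u.hostname or "").lower() != (o.hostname or "").lower():
        return "host"
    o_port, u_port = _effective_port(o), _effective_port(u)
    both_default = (u_port == DEFAULT_PORT.get(u.scheme)
                    and o_port == DEFAULT_PORT.get(o.scheme))
    if not (u_port == o_port or both_default):
        return "port"
    same_scheme = u.scheme == o.scheme
    # CSP Level 3 allows "secure upgrades": https from an http document, and
    # wss from any of http/https/ws/wss. Everything else must match exactly.
    upgrade = (o.scheme == "http" and u.scheme == "https") or (
        u.scheme == "wss" and o.scheme in DEFAULT_PORT)
    if not (same_scheme or upgrade):
        return "scheme"
    return None


def matches_self(origin: str, url: str) -> bool:
    return self_mismatch(origin, url) is None


# Constructed sample: an https document whose .well-known redirects were built
# with a plain-http host, as described in the thread.
DOCUMENT_ORIGIN = "https://cloud.example.test"
BLOCKED_URLS = [
    "http://cloud.example.test/index.php/.well-known/webfinger",
    "http://cloud.example.test/index.php/.well-known/nodeinfo",
    "http://cloud.example.test/remote.php/dav/",
    "https://cloud.example.test/remote.php/dav/",  # what the redirect should emit
]

if __name__ == "__main__":
    for url in BLOCKED_URLS:
        reason = self_mismatch(DOCUMENT_ORIGIN, url)
        print(f"{url}: {'allowed by self' if reason is None else 'blocked (' + reason + ')'}")
```

Run it and the three http URLs report `blocked (scheme)` while the https variant is allowed, which is exactly the situation a reverse proxy terminating TLS in front of nginx produces when the redirect targets are built from the backend's own scheme instead of the external one.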
When scanning my NC server with https://observatory.mozilla.org I notice that a few (many?) CSPs are not set at all, although they can be found in the source code. I noticed this phenomenon in NC14 already but thought, due to the planned rework of CSP with NC15, this might get "corrected" in this latest release. After a fresh upgrade to NC15 the above-mentioned site still reports some policies missing.
The output is:
```
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-ZS [...] D0=';style-src 'self' 'unsafe-inline' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' ;media-src 'self' blob:;child-src 'self';
```
The policies missing, although mentioned in the PHP file `nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php`:
What could be added by this opportunity is:
I ran some tests by manipulating the PHP file `nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php` and added "else" blocks to all the missing policies, like in this example ("if" block is standard, "else" was added by me):
Due to this change, the site reports:
```
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';form-action 'self';script-src 'nonce-ZS-[...]-D0=';style-src 'self' 'unsafe-inline' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' ;media-src 'self' blob:; frame-src 'self' https://office.mydomain.tld https://www.draw.io; child-src 'self'; frame-ancestors 'self';worker-src 'self'
```
I know it's a dirty hack right now, but I don't understand the code enough to correctly fix that. However, it works that way. I ran all NC14.0.x release with this or similar changes in that file without any issues or limitations.
Steps to reproduce
Expected behaviour
All the policies appear in that CSP response
Actual behaviour
These policies are missing completely, so the CSP is not as strict as probably intended.
Server configuration
Operating system: ArchLinux 4.14.87-1-lts
Web server: nginx 1.14.2
Database: 10.1.37-MariaDB
PHP version: 7.2.13
Nextcloud version: NC 15.0.0.10
Updated from an older Nextcloud/ownCloud or fresh install: Updated via web updater from NC14.0.4
Where did you install Nextcloud from: NC internal web updater
Signing status:
```
No errors have been found.
```
List of activated apps:
```
Enabled:
- accessibility: 1.1.0
- activity: 2.8.2
- admin_audit: 1.5.0
- announcementcenter: 3.4.0
- apporder: 0.6.0
- audioplayer: 2.4.1
- bookmarks: 0.14.3
- bruteforcesettings: 1.2.0
- calendar: 1.6.4
- cloud_federation_api: 0.1.0
- comments: 1.5.0
- contacts: 2.1.8
- dav: 1.8.0
- deck: 0.5.1
- dropit: 0.1.3
- event_update_notification: 0.3.1
- external: 3.2.0
- federatedfilesharing: 1.5.0
- federation: 1.5.0
- files: 1.10.0
- files_accesscontrol: 1.5.0
- files_automatedtagging: 1.5.0
- files_downloadactivity: 1.4.0
- files_external: 1.6.0
- files_markdown: 2.0.5
- files_pdfviewer: 1.4.0
- files_retention: 1.4.0
- files_sharing: 1.7.0
- files_texteditor: 2.7.0
- files_trashbin: 1.5.0
- files_versions: 1.8.0
- files_videoplayer: 1.4.0
- firstrunwizard: 2.4.0
- gallery: 18.2.0
- logreader: 2.0.0
- lookup_server_connector: 1.3.0
- mail: 0.11.0
- metadata: 0.8.0
- nextcloud_announcements: 1.4.0
- notes: 2.5.1
- notifications: 2.3.0
- oauth2: 1.3.0
- ojsxc: 3.4.3
- onlyoffice: 2.1.2
- password_policy: 1.5.0
- previewgenerator: 2.0.0
- provisioning_api: 1.5.0
- quota_warning: 1.4.0
- ransomware_protection: 1.3.0
- serverinfo: 1.5.0
- sharebymail: 1.5.0
- sharerenamer: 2.3.0
- spreed: 4.99.0
- support: 1.0.0
- systemtags: 1.5.0
- tasks: 0.9.8
- telephoneprovider: 1.0.2
- theming: 1.6.0
- twofactor_backupcodes: 1.4.1
- twofactor_totp: 2.1.0
- updatenotification: 1.5.0
- workflowengine: 1.5.0
Disabled:
- camerarawpreviews
- checksum
- circles
- cms_pico
- dashboard
- dicomviewer
- drawio
- encryption
- files_mindmap
- files_reader
- files_rightclick
- issuetemplate
- polls
- ransomware_detection
- socialsharing_email
- survey_client
- user_external
- user_ldap
- user_usage_report
```
Nextcloud configuration:
```
{
  "system": {
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "cloud.mydomain.tld",
      "192.168.1.100",
      "localhost"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "version": "15.0.0.10",
    "logtimezone": "Europe\/Berlin",
    "appstore.experimental.enabled": true,
    "appstoreenabled": true,
    "appstoreurl": "https:\/\/api.nextcloud.com\/v1",
    "appcodechecker": true,
    "apps_paths": [
      {
        "path": "\/var\/www\/nextcloud\/apps",
        "url": "\/apps",
        "writable": true
      }
    ],
    "mail_smtpmode": "smtp",
    "mail_smtpauth": 1,
    "mail_smtpport": "587",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpsecure": "tls",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
    "enabledPreviewProviders": [
      "OC\\Preview\\PNG",
      "OC\\Preview\\JPEG",
      "OC\\Preview\\GIF",
      "OC\\Preview\\BMP",
      "OC\\Preview\\XBitmap",
      "OC\\Preview\\MP3",
      "OC\\Preview\\TXT",
      "OC\\Preview\\MarkDown",
      "OC\\Preview\\TIFF",
      "OCA\\CameraRawPreviews\\RawPreview",
      "OCA\\CameraRawPreviews\\IndesignPreview",
      "OC\\Preview\\Movie",
      "OC\\Preview\\Photoshop"
    ],
    "filelocking.enabled": true,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "port": 0,
      "timeout": 0,
      "password": "***REMOVED SENSITIVE VALUE***"
    },
    "maintenance": false,
    "updater.server.url": "https:\/\/updates.nextcloud.com\/updater_server\/",
    "updater.release.channel": "stable",
    "loglevel": 2,
    "theme": "",
    "installed": true,
    "overwrite.cli.url": "https:\/\/cloud.mydomain.tld",
    "defaultapp": "apporder",
    "updater.secret": "***REMOVED SENSITIVE VALUE***"
  }
}
```
Are you using external storage, if yes which one: in OS mounted smb share via CIFS as additional external drive. All user data are on internal storage, however.
Are you using encryption: no
Are you using an external user-backend, if yes which one: no
Logs
Not applicable as the server runs perfectly fine. There are no error messages that might be related.
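Two places in this thread turn on the same mechanism: the maintainer's note that `frame-src` resolves through `child-src` to `default-src` (so some directives need no explicit value), and the two headers in the report above, which differ in `form-action`, `frame-src`, `frame-ancestors` and `worker-src`. The added example below (written for this page, not Nextcloud's own code) parses both headers exactly as quoted, walks the fallback chains defined by CSP Level 3, and lists which directives are left with no policy at all. The elided nonce is replaced with the placeholder `'nonce-PLACEHOLDER'`; everything else is the page's own data.

```python
"""Resolve the effective CSP for each directive through its fallback chain.

Added example (not Nextcloud's code). Parses the two Content-Security-Policy
headers quoted in the report, applies the CSP Level 3 fallback chains and
lists directives that end up with no governing value at all.
"""
from typing import Dict, List, Optional

# Fallback chain per directive (CSP Level 3). An empty list means the directive
# never inherits from default-src: if it is absent, it is simply unrestricted.
FALLBACK: Dict[str, List[str]] = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
    "child-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "img-src": ["default-src"],
    "manifest-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    # Navigation and document directives: no fallback at all.
    "base-uri": [],
    "form-action": [],
    "frame-ancestors": [],
}

# Headers quoted in the report; the nonce is elided there, so a placeholder is used.
CSP_BEFORE = (
    "default-src 'none';base-uri 'none';manifest-src 'self';"
    "script-src 'nonce-PLACEHOLDER';style-src 'self' 'unsafe-inline' 'unsafe-inline';"
    "img-src 'self' data: blob:;font-src 'self';connect-src 'self' ;"
    "media-src 'self' blob:;child-src 'self';"
)
CSP_AFTER = (
    "default-src 'none';base-uri 'none';manifest-src 'self';form-action 'self';"
    "script-src 'nonce-PLACEHOLDER';style-src 'self' 'unsafe-inline' 'unsafe-inline';"
    "img-src 'self' data: blob:;font-src 'self';connect-src 'self' ;"
    "media-src 'self' blob:; frame-src 'self' https://office.mydomain.tld https://www.draw.io;"
    " child-src 'self'; frame-ancestors 'self';worker-src 'self'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Serialized policy -> {directive: [source expressions]}.

    Names are case-insensitive, the first occurrence of a name wins (browsers
    ignore later duplicates) and empty segments from stray ';' are skipped.
    """
    policy: Dict[str, List[str]] = {}
    for segment in header.split(";"):
        tokens = segment.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that actually governs `directive`, or None when neither it
    nor anything in its fallback chain is present."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def unrestricted_directives(policy: Dict[str, List[str]]) -> List[str]:
    """Directives left completely unset; under default-src 'none' these are
    the only things the browser still allows without restriction."""
    return sorted(d for d in FALLBACK if effective_sources(policy, d) is None)


def added_directives(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> List[str]:
    """Directive names present in `after` but not in `before`."""
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    before, after = parse_csp(CSP_BEFORE), parse_csp(CSP_AFTER)
    for label, policy in (("before", before), ("after", after)):
        print(f"{label}: unrestricted = {unrestricted_directives(policy)}")
        for d in ("frame-src", "worker-src", "form-action", "frame-ancestors"):
            print(f"  {d:16} -> {effective_sources(policy, d)}")
    print("added by the patch:", added_directives(before, after))
```

Against the first header, `frame-src` and `worker-src` already resolve to `'self'` through `child-src`, so their absence from the serialized policy costs nothing; `form-action` and `frame-ancestors` come back unset, because nothing falls back into them, and that pair is the only real hardening the second header adds.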