Open Dreamsorcerer opened 5 years ago
'unsafe-inline' in script-src
What browser are you using? We can't use nonces for every browser yet as it will do :boom:
'unsafe-inline' in style-src
Yep we are working on this. But changing it requires fixing things in a lot of places.
Ah, I did not see the nonce. So, I'm hardcoding the CSP rule in Nginx for added security, so it can't be overwritten by any PHP code. (I'm using Firefox in case that's still relevant).
Is it possible to pass the nonce through as a variable? I do this on my own website with this line in Nginx:
fastcgi_param CSP_NONCE $nonce;
It would just need to be able to read that server variable, or default to current behaviour if not present.
Firefox should work yes. But Nextcloud expects to be able to set the CSP itself. For example this is needed when using talk.
For Talk, it seems to need 'unsafe-eval', plus microphone/camera in the feature policy. I can set this for that specific location, so that doesn't concern me too much. Ultimately, I can set the CSP for each app that needs more permissions, all within Nginx. Obviously, this is extra work for me, but it's still the way I'd like go to enforce those strict CSPs.
So, the only thing I need from Nextcloud, is the option to pass the nonce through as a server variable. This would allow me to configure the strict CSPs from the server, and tighten the security further.
@Dreamsorcerer so is it working now? What is this ticket status? :)
This issue has been automatically marked as stale because it has not had recent activity and it seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.
Just upgraded and tested out again. All 4 points in my original report are still required.
Unless someone has added an option to pass a nonce through to Nextcloud as I mentioned in my previous comments...
If you have a PR to fix this (with tests etc.) I'm fine with adding this. However keep in mind that a nonce should be a non-deterministic one-time value (I'm not sure Apache and co. support that).
But for now I do not see us adding this as it is not recommended to run Nextcloud like that.
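To make the proposal in the comments above concrete, here is an added example (not Nextcloud code, and not from any participant in this thread) of what the application side of "read the nonce from a server variable, or default to current behaviour" could look like. It assumes the CSP_NONCE FastCGI variable named earlier in the thread, models the FastCGI environment as a plain dict, and uses hypothetical function names; it also enforces the maintainer's caveat that a nonce must be unpredictable and used once, by rejecting short or malformed values and, within one worker process, values it has already seen.

```python
import re
import secrets

# Added example, not Nextcloud code. Models an application that accepts a
# per-request CSP nonce from the front-end proxy via the CSP_NONCE FastCGI
# variable (as proposed in this thread) and otherwise generates its own.

# CSP nonce values are base64 text. We additionally require at least 22
# characters (128 bits of base64url) so a short or static value from a
# misconfigured proxy is never accepted.
_NONCE_RE = re.compile(r"^[A-Za-z0-9+/_-]{22,}={0,2}$")


def nonce_from_environ(environ):
    """Return the proxy-supplied nonce if it looks sound, else None."""
    value = environ.get("CSP_NONCE")  # hypothetical FastCGI variable name
    if not value or not _NONCE_RE.match(value):
        return None
    return value


def new_nonce():
    """Fresh 128-bit nonce; this is the 'current behaviour' fallback."""
    return secrets.token_urlsafe(16)  # 22 base64url characters, no padding


def build_csp(environ, allow_eval=False, seen=None):
    """Choose the nonce for one response and build the CSP header.

    seen: optional set of nonces this worker has already used. A repeat
    means the proxy is sending a fixed value instead of a one-time one,
    so the application falls back to generating its own. (Reuse across
    worker processes is not caught by this check.)
    """
    nonce = nonce_from_environ(environ)
    if nonce is not None and seen is not None:
        if nonce in seen:
            nonce = None
        else:
            seen.add(nonce)
    if nonce is None:
        nonce = new_nonce()

    # No 'unsafe-inline' anywhere: inline scripts and styles must carry
    # the nonce. 'unsafe-eval' is only added where an app genuinely needs
    # it (the thread mentions Talk), never by default.
    script_src = ["'self'", f"'nonce-{nonce}'"]
    if allow_eval:
        script_src.append("'unsafe-eval'")
    policy = (
        "default-src 'self'; "
        f"script-src {' '.join(script_src)}; "
        f"style-src 'self' 'nonce-{nonce}'"
    )
    return nonce, policy


def script_tag(nonce, body):
    """Render an inline script that the policy from build_csp will allow."""
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    # Constructed FastCGI environment, as a proxy might hand it over.
    env = {"CSP_NONCE": secrets.token_urlsafe(16), "REQUEST_METHOD": "GET"}
    nonce, header = build_csp(env)
    print("Content-Security-Policy:", header)
    print(script_tag(nonce, "console.log('inline, but nonced')"))
```

Usage note: on the proxy side, nginx can supply such a value without any scripting, since its built-in $request_id variable is 16 random bytes rendered as hex and is regenerated per request, so a fastcgi_param CSP_NONCE $request_id line would satisfy the one-time requirement; that nginx detail is an assumption about the deployment, not something the thread states. Whatever the source, the header and every inline script and style tag must be rendered with the same value within a single response, which is exactly the work the later comments describe.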
OK, I've got that mostly working on a branch. But, there are still a bunch of errors because of places without a nonce. For example, I see style="display: none;" in 3 places on the files page. And errors from the JavaScript when trying to do things like: style.appendChild(document.createTextNode(css));
So, it's looking like there are still other issues stopping the use of a strict CSP.
OK, so my patch will resolve the first point ('unsafe-inline' in script-src). But, the other 3 points listed are still needed (and are in the CSP provided by Nextcloud when I disable the Nginx one).
Any update regarding the following point, 'unsafe-inline' in style-src, @rullzer? It seems to remain in my deployment (Nextcloud 18.0.3).
We are slowly moving in that direction with more stuff moving to Vue etc. But don't expect that to be there any time soon.
Sorry to bump, would be great to know if there is any progress. Thanks!
Related: #1127
I was under the impression that Nextcloud was supporting strict CSPs now, but for Nextcloud (16.0.2) to run on my server, I still have to allow:
'unsafe-inline' in script-src (PR #16380)
Without these options (the first 2 at least), after logging in, the files app fails to load anything, and all the app icons in the header display loading icons and fail to finish loading.