nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
27.31k stars 4.06k forks

Strict CSP doesn't work when rules are enforced by web server #14980

Open Dreamsorcerer opened 5 years ago

Dreamsorcerer commented 5 years ago

I was under the impression that Nextcloud was supporting strict CSPs now, but for Nextcloud (16.0.2) to run on my server, I still have to allow:

Without these options (the first 2 at least), after logging in, the files app fails to load anything, and all the app icons in the header display loading icons and fail to finish loading.

rullzer commented 5 years ago

'unsafe-inline' in script-src

What browser are you using? We can't use nonces for every browser yet as it will do :boom:

'unsafe-inline' in style-src

Yep, we are working on this. But changing it requires fixing things in a lot of places.

Dreamsorcerer commented 5 years ago

Ah, I did not see the nonce. So, I'm hardcoding the CSP rule in Nginx for added security, so it can't be overwritten by any PHP code. (I'm using Firefox in case that's still relevant).

Is it possible to pass the nonce through as a variable? I do this on my own website with this line in Nginx: fastcgi_param CSP_NONCE $nonce; It would just need to be able to read that server variable, or default to current behaviour if not present.

rullzer commented 5 years ago

Firefox should work, yes. But Nextcloud expects to be able to set the CSP itself. For example, this is needed when using Talk.

Dreamsorcerer commented 5 years ago

For Talk, it seems to need 'unsafe-eval', plus microphone/camera in the feature policy. I can set this for that specific location, so that doesn't concern me too much. Ultimately, I can set the CSP for each app that needs more permissions, all within Nginx. Obviously, this is extra work for me, but it's still the way I'd like to go to enforce those strict CSPs.

So, the only thing I need from Nextcloud is the option to pass the nonce through as a server variable. This would allow me to configure the strict CSPs from the server, and tighten the security further.
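One way the "read a nonce passed by the web server, or default to current behaviour" idea could look on the PHP side, as an added example (not Nextcloud's code, and not the patch from the branch mentioned later). It assumes Nginx sets `fastcgi_param CSP_NONCE` to a per-request random value (for example Nginx's `$request_id`, 16 random bytes as hex), and it refuses anything that does not look like a proper nonce so that a static or empty value from a misconfigured server block cannot silently weaken the policy:

```php
<?php
// Added example, not Nextcloud code: accept a CSP nonce injected by the web
// server via fastcgi_param CSP_NONCE, but only if it looks like a real nonce;
// otherwise fall back to generating a fresh one for this request.

declare(strict_types=1);

/**
 * Return the nonce to use for this request. $server is normally $_SERVER.
 * A value from the web server is trusted only if it is base64 (the only
 * alphabet CSP allows in a nonce) and at least 22 characters (~128 bits),
 * which also rules out empty or obviously static values.
 */
function cspNonce(array $server): string {
    $fromServer = (string) ($server['CSP_NONCE'] ?? '');
    if (preg_match('#^[A-Za-z0-9+/]{22,}={0,2}$#', $fromServer) === 1) {
        return $fromServer;           // web server supplied a usable nonce
    }
    // Default behaviour: generate our own random, one-time nonce.
    return base64_encode(random_bytes(18));
}

/** Build a strict policy that relies on the nonce instead of 'unsafe-inline'. */
function cspHeader(string $nonce): string {
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; "
         . "style-src 'self'; object-src 'none'; base-uri 'self'";
}

// Request path: pick the nonce, send the header, and reuse the same nonce
// in every <script nonce="..."> tag the page emits (escape it with
// htmlspecialchars() when echoing it into the attribute).
$nonce = cspNonce($_SERVER);
header(cspHeader($nonce));
```

Note that whichever side generates the nonce, it has to be fresh per response: a value that repeats across requests gives no more protection than 'unsafe-inline'.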

skjnldsv commented 5 years ago

@Dreamsorcerer so is it working now? What is this ticket status? :)

ghost commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity and it seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

Dreamsorcerer commented 5 years ago

Just upgraded and tested out again. All 4 points in my original report are still required.

Unless someone has added an option to pass a nonce through to Nextcloud as I mentioned in my previous comments...

rullzer commented 5 years ago

If you have a PR to fix this (with tests etc.) I'm fine with adding this. However, keep in mind that a nonce should be a non-deterministic one-time value (I'm not sure Apache and co. support that).

But for now I do not see us adding this as it is not recommended to run Nextcloud like that.

Dreamsorcerer commented 5 years ago

OK, I've got that mostly working on a branch. But, there are still a bunch of errors because of places without a nonce. For example, I see style="display: none;" in 3 places on the files page. And errors from the JavaScript when trying to do things like: style.appendChild(document.createTextNode(css));

So, it's looking like there are still other issues stopping the use of a strict CSP.

Dreamsorcerer commented 5 years ago

OK, so my patch will resolve the first point ('unsafe-inline' in script-src). But, the other 3 points listed are still needed (and are in the CSP provided by Nextcloud when I disable the Nginx one).

dpertin commented 4 years ago

'unsafe-inline' in script-src

What browser are you using. We can't use nonces for every browser yet as it will do boom

'unsafe-inline' in style-src

Yep, we are working on this. But changing it requires fixing things in a lot of places.

Any update regarding the following point 'unsafe-inline' in style-src @rullzer? It seems to remain in my deployment (Nextcloud 18.0.3).

rullzer commented 4 years ago

We are slowly moving in that direction with more stuff moving to Vue etc. But don't expect that to be there any time soon.

thstyl2000 commented 3 years ago

Sorry to bump, would be great to know if there is any progress. Thanks!

joshtrichards commented 1 week ago

Related: #1127