Open Ramblurr opened 3 years ago
I am facing the same issue when using webview for authorization. I get the same error, just a marginally different URL ending at `grant` instead of `flow`.
I have

```
Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self' sis.redsys.es; frame-ancestors 'self'"
```

set in apache2 config and

```
http-response set-header Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';"
```

in haproxy. Restarted apache2 and haproxy server … still cannot go beyond the Grant page.
I was having the same issue so ended up patching the file after each deployment with a sed replace:

```sh
CSP_DOMAIN=subdomain.example.com
# Append a line "'subdomain.example.com'," right after the line that opens the
# $allowedFormActionDomains array, so the domain lands in the form-action source list.
sed -i '/protected \$allowedFormActionDomains = \[/a '\'''$CSP_DOMAIN''\'',' \
    lib/public/AppFramework/Http/ContentSecurityPolicy.php
```

Would be great of course if this could be added as a configurable option.
Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!
My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!
If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+
Hi, I have just updated to 25.0.3 and the issue still persists.
Thanks for the explanation. Now I at least know how to work around the issue until it gets resolved.
> I was having the same issue so ended up patching the file after each deployment with a sed replace
>
> ```sh
> CSP_DOMAIN=subdomain.example.com
> sed -i '/protected \$allowedFormActionDomains = \[/a '\'''$CSP_DOMAIN''\'',' \
>     lib/public/AppFramework/Http/ContentSecurityPolicy.php
> ```
>
> Would be great of course if this could be added as a configurable option

Where do you add that patch?
Unfortunately still an issue on version 30.0.0. Causes issues with Collabora over HTTPS reverse proxy.
Explanation
This issue is related to https://github.com/nextcloud/server/pull/16711 from @rullzer
Background: You will remember (:roll_eyes:) that Chrome and Firefox apply the `form-action` CSP differently when the response to a form request is a redirect. This is currently undefined behavior and the W3C has not yet decided what to do about it. Firefox does not apply the form-action CSP, but Chrome does.

The above merged PR from @rullzer fixes the case where Nextcloud responds to the `POST /login/flow` request with a `303` redirect to the OIDC callback url. This is working fine.

However... what happens when the service being redirected to itself issues a redirect to a different origin (that wasn't in the original allowed `form-action` source list)? Well, for Firefox this works just fine as it doesn't keep the `form-action` CSP around. On Chrome/Edge, the "Grant Access" button just spins for a long time and if you open the console you see:

```
Refused to send form data to 'ORIGINAL <NC>/login/flow' because it violates the following Content Security Policy directive: "form-action 'self' https://oidc-callback-url".
```
The solution is to ensure that the domain for the 2nd redirect is included in the original form-action CSP. I was able to manually add this by editing `lib/public/AppFramework/Http/ContentSecurityPolicy.php` and appending my extra domain to the `$allowedFormActionDomains` array.

I'm not sure what the proper solution is here. As a nextcloud administrator I need to have some way to allow certain domains in the `form-action` policy. But the workaround in the previous paragraph is NOT a good solution as it applies to every form in the application, whereas it is only required for the `POST /login/flow` during the oauth/oidc workflow. Maybe the "OAuth 2.0 clients" feature should allow additional URIs?
Steps to reproduce
This is rather cumbersome to reproduce as you will need a third-party software authenticating to Nextcloud's oidc provider.
Expected behaviour
The oauth login flow should complete without error
Actual behaviour
Firefox: Everything works fine.
Chrome/Edge: The login flow fails after pressing the "Grant Access" button in Nextcloud.
Given:

Then the `POST https://nextcloud.example.com/login/flow` returns a `303` redirect with `Location: https://matrix.example.com/_synapse/client/oidc/callback`, and this also returns a `302` redirect to `https://chat.example.com/something/something`.

So from Chrome's point of view all three domains must exist in the `form-action` CSP, but only the first two are included.

Server configuration
Operating system: linux
Web server: apache
Database: postgres
PHP version: 21.0.5
Nextcloud version: 21.0.5
Updated from an older Nextcloud/ownCloud or fresh install: no
Where did you install Nextcloud from: official docker image `21-apache` tag

Signing status:

Signing status
```
No errors have been found.
```

List of activated apps:

App list
```
Enabled:
 - accessibility: 1.7.0
 - activity: 2.14.3
 - audioplayer: 3.2.2
 - cloud_federation_api: 1.4.0
 - comments: 1.11.0
 - contactsinteraction: 1.2.0
 - dav: 1.17.1
 - discoursesso: 1.22.0
 - external: 3.8.2
 - federatedfilesharing: 1.11.0
 - federation: 1.11.0
 - files: 1.16.0
 - files_external: 1.12.0
 - files_pdfviewer: 2.1.0
 - files_rightclick: 1.0.0
 - files_sharing: 1.13.1
 - files_texteditor: 2.14.0
 - files_trashbin: 1.11.0
 - files_versions: 1.14.0
 - files_videoplayer: 1.10.0
 - firstrunwizard: 2.10.0
 - logreader: 2.6.0
 - lookup_server_connector: 1.9.0
 - mail: 1.10.5
 - nextcloud_announcements: 1.10.0
 - notifications: 2.9.0
 - oauth2: 1.9.0
 - password_policy: 1.11.0
 - privacy: 1.5.0
 - provisioning_api: 1.11.0
 - recommendations: 1.0.0
 - serverinfo: 1.11.0
 - settings: 1.3.0
 - sharebymail: 1.11.0
 - spreed: 11.3.2
 - support: 1.4.0
 - survey_client: 1.9.0
 - systemtags: 1.11.0
 - text: 3.2.0
 - theming: 1.12.0
 - twofactor_backupcodes: 1.10.0
 - updatenotification: 1.11.0
 - user_status: 1.1.1
 - viewer: 1.5.0
 - weather_status: 1.1.0
 - workflowengine: 2.3.1
Disabled:
 - admin_audit
 - dashboard
 - encryption
 - photos
 - user_ldap
```

Nextcloud configuration:

Config report
```json
{
  "system": {
    "htaccess.RewriteBase": "\/",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "apps_paths": [
      {
        "path": "\/var\/www\/html\/apps",
        "url": "\/apps",
        "writable": false
      },
      {
        "path": "\/var\/www\/html\/custom_apps",
        "url": "\/custom_apps",
        "writable": true
      }
    ],
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "pgsql",
    "version": "21.0.5.1",
    "overwrite.cli.url": "REMOVED SENSITIVE VALUE",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "auth.bruteforce.protection.enabled": false,
    "overwriteprotocol": "https",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "587",
    "mail_smtpsecure": "tls",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "skeletondirectory": "",
    "mail_smtpmode": "smtp",
    "mail_smtpauthtype": "LOGIN",
    "mail_sendmailmode": "smtp",
    "mail_smtpauth": 1,
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "default_language": "de",
    "default_locale": "de_AT",
    "theme": "",
    "loglevel": 0,
    "maintenance": false,
    "default_phone_region": "AT"
  }
}
```

Are you using external storage, if yes which one: local + sftp
Are you using encryption: no
Are you using an external user-backend, if yes which one: no
Client configuration
Browser: Chrome + Firefox
Operating system: Windows + Linux + Mac
Logs

```
Refused to send form data to 'ORIGINAL <NC>/login/flow' because it violates the following Content Security Policy directive: "form-action 'self' https://oidc-callback-url".
```
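The redirect-chain check described in the explanation above, as an added Python example (not code from this issue or from Nextcloud): it pulls the `form-action` source list out of a CSP header and walks the three-hop chain from the report, returning the first hop that Chrome, which re-applies `form-action` on every redirect, would refuse, while a Firefox-style check of only the original form target passes. The origins, the header and the chain are constructed sample values, and the host-source matching is a simplified version of the CSP rules.

```python
from urllib.parse import urlsplit

# Constructed sample values (not from the Nextcloud code base): the redirect chain
# from the issue and a form-action directive that lists only the first two origins.
NEXTCLOUD_ORIGIN = "https://nextcloud.example.com"
CSP_HEADER = "default-src 'none'; form-action 'self' https://matrix.example.com"
REDIRECT_CHAIN = [
    "https://nextcloud.example.com/login/flow",                  # form POST target
    "https://matrix.example.com/_synapse/client/oidc/callback",  # 303 Location
    "https://chat.example.com/something/something",              # 302 Location
]

def form_action_sources(csp):
    """form-action source list, or None if absent (it does not fall back to default-src)."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "form-action":
            return parts[1:]
    return None

def source_matches(source, url, self_origin):
    """Simplified CSP host-source match: optional scheme, host with optional '*.'
    wildcard, optional port. 'self' compares the URL's origin with self_origin."""
    u = urlsplit(url)
    if source == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, u.hostname, u.port) == (s.scheme, s.hostname, s.port)
    if source.startswith("'"):          # 'none' and other keywords never match a URL
        return False
    explicit_scheme = "://" in source
    s = urlsplit(source if explicit_scheme else "//" + source, scheme=u.scheme)
    if explicit_scheme and s.scheme != u.scheme and (s.scheme, u.scheme) != ("http", "https"):
        return False                    # an http source also allows the https upgrade
    if s.port is not None and s.port != u.port:
        return False
    if s.hostname.startswith("*."):
        return u.hostname.endswith(s.hostname[1:])
    return u.hostname == s.hostname

def first_blocked_hop(csp, chain, self_origin, chrome_semantics=True):
    """First hop no form-action source allows, or None. Chrome re-checks form-action on
    every redirect hop; Firefox (chrome_semantics=False) checks only the form target."""
    sources = form_action_sources(csp)
    if sources is None:
        return None
    for url in chain if chrome_semantics else chain[:1]:
        if not any(source_matches(src, url, self_origin) for src in sources):
            return url
    return None
```

Running `first_blocked_hop(CSP_HEADER, REDIRECT_CHAIN, NEXTCLOUD_ORIGIN)` names the third hop, which is the origin the issue says is missing from the policy; adding it (or a `*.example.com` host-source) to the directive makes the chain pass.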