Open Sprinterfreak opened 1 year ago
It looks like the richdocuments app adds the collabora server to the csp header.
@juliushaertl @nickvergessen What do you think? Send every domain through idn_to_ascii in buildPolicy or let the apps richdocuments (collabora, etc.) and talk (stun, turn, signaling) escape it?
@Sprinterfreak You can patch the richdocuments app like below to make it work. Don't forget to change into the richdocuments directory before applying the patch.
Index: lib/Listener/CSPListener.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/lib/Listener/CSPListener.php b/lib/Listener/CSPListener.php
--- a/lib/Listener/CSPListener.php (revision 1b609dac1bf216c4913188ab3861f37fabb49147)
+++ b/lib/Listener/CSPListener.php (date 1690223340061)
@@ -66,6 +66,7 @@
);
$urls = array_filter($urls);
+ $urls = array_map(fn($url) => idn_to_ascii($url), $urls);
$policy = new EmptyContentSecurityPolicy();
$policy->addAllowedFrameDomain("'self'");
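Review bot: On the added `array_map` line, `idn_to_ascii()` returns `false` when conversion fails, and because the map runs after `array_filter($urls)` that `false` stays in `$urls`. It is also a domain-name function, while the variable name suggests the entries may be full URLs with a scheme and port. Consider converting only the host part of each entry and either keeping the original value on failure or running `array_filter` again after the map.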
@kesselb You are a legend! :) This patch resolves the issue for me!
I think it would be nice to have the server handle this. Let me reopen the issue as no patch was merged yet.
Still affects richdocuments 8.1.1
Still affects richdocuments 8.2.3 on Server 27.1.4, although CSPListener.php has been dropped, which also invalidates the fix above.
Bug description
After upgrading from 26 to 27.0.1, Nextcloud sets an unpunycoded Unicode domain in the CSP header.
This prevents browsers from loading all assets.
Example CSP header generated by nextcloud
Affected Routes:
/apps/files
/apps/photos
/apps/contacts
/apps/calendar
/apps/phonetrack
/settings
Not affected routes:
/remote.php
/ocs
/js
/apps/keeweb
Steps to reproduce
Expected behavior
If the instance has a Unicode domain, the FQDN must be punycoded in the Content-Security-Policy header.
Installation method
Community VM appliance
Nextcloud Server version
27
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Nginx
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
No response
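
The expected behavior above (a punycoded FQDN in the Content-Security-Policy header), shown as an added example that is not part of the original issue or of Nextcloud's code: it converts only the host of each CSP source, leaves scheme, port, wildcard and quoted keywords intact, and drops entries that fail conversion. The function names and the sample hosts are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; cspSourceToAscii() and cspSourcesToAscii() are hypothetical
// helpers, not Nextcloud APIs. Requires PHP 8 with the intl extension.

/** Returns the source with an ASCII host, or null if the host cannot be converted. */
function cspSourceToAscii(string $source): ?string
{
    // Quoted keywords ('self', 'nonce-...'), "*" and scheme-only sources
    // ("data:", "https:") contain no host name.
    if ($source === '*' || str_starts_with($source, "'")
        || preg_match('/^[a-z][a-z0-9+.-]*:$/i', $source) === 1) {
        return $source;
    }
    // Optional scheme, host, optional port, optional path.
    $re = '~^([a-z][a-z0-9+.-]*://)?([^/:]+)(:(?:\d+|\*))?(/.*)?$~iu';
    if (preg_match($re, $source, $m) !== 1) {
        return null; // invalid UTF-8 or an unexpected shape: do not emit it
    }
    [$scheme, $host, $port, $path] = [$m[1], $m[2], $m[3] ?? '', $m[4] ?? ''];

    // A leading "*." wildcard is CSP syntax, not part of the domain name.
    $wildcard = str_starts_with($host, '*.') ? '*.' : '';
    $host = substr($host, strlen($wildcard));

    if (preg_match('/[^\x00-\x7F]/', $host) !== 1) {
        return $source; // already ASCII
    }
    $ascii = idn_to_ascii($host, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
    return $ascii === false ? null : $scheme . $wildcard . $ascii . $port . $path;
}

/** Converts a list of sources and drops the ones that failed conversion. */
function cspSourcesToAscii(array $sources): array
{
    $converted = array_map('cspSourceToAscii', $sources);
    return array_values(array_filter($converted, fn($s) => $s !== null && $s !== ''));
}

// Constructed sample values, not taken from the issue.
$sample = ["'self'", 'https://bücher.example:9980', '*.münchen.example', 'wss://signal.example', 'data:'];
echo implode(' ', cspSourcesToAscii($sample)), PHP_EOL;
```

Dropping a source that cannot be converted keeps the header ASCII-only at the cost of that one origin being blocked, which fails closed rather than emitting a value the browser cannot parse.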