
Anonymously accessing a shared *.dcm file or complete dataset directory leads to error

Open optiprime opened this issue 9 months ago • 6 comments

To Reproduce

  1. Share the dataset directory for public access.
  2. Open the sharing URL in a private browser window.
  3. Open a *.dcm file.
  4. Notice the error: "Something went wrongfalse".
  5. Open debugging tools in browser. Notice the 401 error of the last response with message "Current user is not logged in".

Expected behavior

The app opens as known from logged-in access.

Client details:

  • OS: Windows 11
  • Browser: Firefox and Chrome

DICOM viewer app version: 2.3.1

Nextcloud version: 31.0.2

optiprime avatar Jun 29 '25 11:06 optiprime

I am facing the same error:

Client details:

  • OS: Windows 10/Kubuntu 25.04
  • Browser: Firefox/Chrome

DICOM viewer app version:

  • 2.3.1

Nextcloud version:

  • 31.0.7

v3DJG6GL avatar Jul 26 '25 12:07 v3DJG6GL

I am facing the same error:

Client details:

OS: Windows 11
Browser: Firefox/Chrome

DICOM viewer app version:

2.3.1

Nextcloud version:

31.0.7

ostaszewskik avatar Aug 13 '25 16:08 ostaszewskik

Still the same issue with Nextcloud v31.0.8

@ayselafsar could you look into this issue? That would be amazing :)

v3DJG6GL avatar Sep 12 '25 21:09 v3DJG6GL

The same here. Nextcloud v30.0.15

sleif avatar Sep 22 '25 10:09 sleif

I could be looking at the same error here (NC 32.0.0, dicomviewer 2.3.1, nginx 1.26.3 running on Debian 13.1 ('Stable/Trixie'), Firefox 146.0a1 on Debian 13.1). I get the Something went wrongfalse error...


...upon which the console shows a CSP error:

[dicomjson:1:751](https://n.example.org/apps/dicomviewer/ncviewer/viewer/dicomjson?url=https://n.example.org/apps/dicomviewer/dicomjson?file=joesmith|166434351|1)

Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src http: * 'unsafe-eval' 'wasm-unsafe-eval'”. Consider using a hash ('sha256-U0P+oMucM1kpuOmS+mz8GekfzT6DywRSNPLdMiVn2SI=') or a nonce.

...followed by a 500 return:

GET | https://n.example.org/apps/dicomviewer/dicomjson?file=joesmith|166434351|1

HTTP/2 500 
server: nginx/1.26.3
date: Thu, 16 Oct 2025 22:29:15 GMT
content-type: text/html; charset=UTF-8
content-security-policy: default-src 'self'; script-src 'self' 'nonce-izq9b68vrapco9jw2qD4Y0xHdEpdOFE6rYYIasO1HgI='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
strict-transport-security: max-age=15768000; includeSubDomains; preload;
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-robots-tag: noindex, nofollow
X-Firefox-Spdy: h2

I notice a discrepancy between the content-security-policy in the response and the one set in the dicomviewer codebase. The nginx config for this instance does not modify the CSP; Nextcloud itself (or one of the apps on this instance) most likely does.

Yetangitu avatar Oct 16 '25 22:10 Yetangitu
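As an added illustration (not code from the dicomviewer project or from anyone in this thread), the following Python evaluates whether an inline script may run under a given CSP header. It uses the `content-security-policy` value quoted in the 500 response above and the `script-src` directive Firefox reported in the console; the inline script body is constructed for the example.

```python
import base64
import hashlib
from typing import Dict, List, Optional

# Constructed sample input: the CSP header from the 500 response quoted in the
# report, and the script-src directive Firefox named when blocking the viewer's
# inline script. Both are copied from the thread, not fetched from a server.
RESPONSE_CSP = (
    "default-src 'self'; script-src 'self' "
    "'nonce-izq9b68vrapco9jw2qD4Y0xHdEpdOFE6rYYIasO1HgI='; "
    "style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; "
    "font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';"
)
CONSOLE_SCRIPT_SRC = "script-src http: * 'unsafe-eval' 'wasm-unsafe-eval'"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP into {directive-name: [source expressions]}.
    Per the CSP spec, a repeated directive name is ignored; the first one wins."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def script_hash(script_body: str) -> str:
    """CSP hash-source for an inline script: 'sha256-<base64(sha256(body))>'."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(policy: str, script_body: str, nonce: Optional[str] = None) -> bool:
    """Decide whether an inline <script> (optionally carrying nonce=...) may run.
    Inline scripts are governed by script-src, falling back to default-src. They
    run only with a matching nonce, a matching hash, or 'unsafe-inline'; browsers
    ignore 'unsafe-inline' as soon as the directive contains any nonce or hash,
    which is why a host wildcard like '*' or 'http:' never permits inline code."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # nothing governs scripts, so nothing is blocked
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    if nonce is not None and f"'nonce-{nonce}'" in sources:  # nonces are case-sensitive
        return True
    if script_hash(script_body) in sources:
        return True
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash
```

Running the viewer's inline script against either policy returns False unless the markup carries the response's nonce or the policy lists the script's hash, which matches the two remedies Firefox suggested in the console message.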

Isn't it a duplicate of : https://github.com/ayselafsar/dicomviewer/issues/108 ?

loxK avatar Oct 30 '25 04:10 loxK