
Ensure correct way to obtain the webdav base host is used

Open vxq9e7bx opened this issue 8 years ago • 7 comments

Clicking on a *.kdbx file opens the app and prompts for the password. After input, nothing happens, except for the cursor being changed to Ø.

Edit: some info: Debian Jessie, nginx, browser is Win7/Chrome. Using the Windows app works fine (connected to the same file with the WebDAV function).

vxq9e7bx avatar Aug 23 '16 15:08 vxq9e7bx

Could you check for any errors in your browser's error console?

jhass avatar Aug 23 '16 16:08 jhass

keeweb?config=config?file=/Documents/file.kdbx:19 Refused to connect to 'https://domain.tld/remote.php/webdav/Documents/file.kdbx?requesttoken=(...)' because it violates the following Content Security Policy directive: "connect-src 'self'". _request @ keeweb?config=config?file=/Documents/file.kdbx:19 keeweb?config=config?file=/Documents/file.kdbx:19 Uncaught SecurityError: Failed to execute 'open' on 'XMLHttpRequest': Refused to connect to 'https://domain.tld/remote.php/webdav/Documents/file.kdbx?requesttoken=(...) because it violates the document's Content Security Policy.

vxq9e7bx avatar Aug 23 '16 21:08 vxq9e7bx

because it violates the document's Content Security Policy.

Do you have the proper CORS headers for nginx?

agentdr8 avatar Aug 23 '16 21:08 agentdr8

No, I didn't... although it's not 'cross origin' if I want to access files on the very same machine!?

Tried to include the nginx snippet from https://github.com/keeweb/keeweb/wiki/WebDAV-Config in my config, but apparently that does not work for other reasons (nginx: [emerg] "add_header" directive is not allowed here in /etc/nginx/snippets/cors.conf:8).

Edit: apparently www and non-www hosts do make a difference!

vxq9e7bx avatar Aug 23 '16 22:08 vxq9e7bx

The problem is with 'overwritehost': I have a return 301 from non-www to www, but found that when I overwrite the host with non-www, the Federated Cloud ID seems nicer. Nextcloud WebDAV gives the non-www host, while Calendar and Contacts return the www one (when clicking the tiny wheel to get the URL for whatever).

vxq9e7bx avatar Aug 23 '16 23:08 vxq9e7bx

So Files and Keeweb both use the PHP function \OCP\Util::linkToRemote('webdav') to get the link, while Calendar and Contacts both use the JS function OC.linkToRemote('dav'). That they return inconsistent results I would consider an upstream issue.

jhass avatar Nov 24 '16 19:11 jhass

I use ownCloud under nginx, and for me the best and secure way (to not have the ownCloud CORS policy warnings) to enable CORS only for your KeeWeb subdomain (e.g. "keeweb.mydomain.com") is to add this in your ownCloud nginx config, under the php section:

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {

        # CORS enabled for PHP WebDAV in order to permit access from JavaScript in KeeWeb at keeweb.mydomain.com
        # Preflight: answer OPTIONS directly without passing it to PHP
        if ($request_method = 'OPTIONS') {
    #     limit_except OPTIONS {
            add_header 'Access-Control-Allow-Origin' 'https://keeweb.mydomain.com';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK';
            add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,X-Accept-Charset,X-Accept,origin,accept,if-match,destination,overwrite';
            add_header 'Access-Control-Expose-Headers' 'ETag';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        # Actual request: only add the CORS headers when the Referer is the KeeWeb origin.
        # The regex is anchored and the dots escaped so that e.g. keeweb.mydomain.com.example.org does not match.
        if ($http_referer ~* ^https://keeweb\.mydomain\.com/) {
    #   if ($request_method ~ ^(HEAD|PUT|GET|MOVE)$ ) {
            add_header 'Access-Control-Allow-Origin' 'https://keeweb.mydomain.com';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK';
            add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,X-Accept-Charset,X-Accept,origin,accept,if-match,destination,overwrite';
            add_header 'Access-Control-Expose-Headers' 'ETag';
            add_header 'Access-Control-Max-Age' 1728000;
        }

        # PHP config & pass to PHP backend (defined at php-handler)
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

Hope this can help...

f-vt avatar Dec 05 '16 21:12 f-vt
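Two checks the thread turns on, as an added example that is not part of this issue or of the nextcloud-keeweb code: the CSP `connect-src 'self'` comparison that fails when WebDAV is served from `domain.tld` while the page lives on `www.domain.tld` (the overwritehost mismatch above), and the browser-side CORS rule that a credentialed WebDAV request needs an exact `Access-Control-Allow-Origin` plus `Allow-Credentials: true`, which is what the nginx block in the last comment emits. The URLs and header dicts are constructed sample values; the simplified 'self' rule compares scheme, host and port only.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return (scheme, host, port) the way a browser compares origins.
    Host is case-insensitive; a missing port means the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def connect_src_self_allows(document_url: str, target_url: str) -> bool:
    """connect-src 'self' permits an XHR only when the target shares the
    document's scheme, host and port (simplified CSP rule, assumed here).
    'www.domain.tld' and 'domain.tld' are different hosts, so the
    remote.php/webdav URL built for the non-www host is refused."""
    return origin_of(document_url) == origin_of(target_url)


def cors_allows(request_origin: str, response_headers: dict,
                with_credentials: bool = True) -> bool:
    """Decide whether a browser would expose a cross-origin response.
    WebDAV logins send cookies/Authorization, so with_credentials=True:
    the server must echo the exact origin (never '*') and set
    Access-Control-Allow-Credentials: true."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return False
    if with_credentials:
        creds = headers.get("access-control-allow-credentials", "").lower()
        if allow_origin == "*" or creds != "true":
            return False
        return origin_of(allow_origin) == origin_of(request_origin)
    return allow_origin == "*" or origin_of(allow_origin) == origin_of(request_origin)
```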