Content Security Policy issues
Describe the bug
The current code (Nextcloud Hub 8 29.0.2) triggers CSP errors "EvalError: call to eval() blocked by CSP".
Each of those errors indicates that some JavaScript code was blocked, which means it was not processed.
I noticed those errors while I tried to find out why no images were shown for unassigned faces (https://[...]/apps/photos/faces/unassigned), but it looks like CSP errors are thrown on any page which is part of photos.
To Reproduce
Steps to reproduce the behavior:
- Open https://[...]/apps/photos/ in recent Firefox
- Activate tools for web developers in Firefox
- Inspect console in tools for web developers
- See error
Expected behavior
There should not be any CSP errors.
Desktop (please complete the following information):
- OS: macOS 14.5 (23F79)
- Browser: Firefox 126.0
Browser log
EvalError: call to eval() blocked by CSP
o moz-extension://ed062d15-4363-4797-8a7e-d72941f610cd/build/detector.js:1
<anonym> moz-extension://ed062d15-4363-4797-8a7e-d72941f610cd/build/detector.js:1
<anonym> moz-extension://ed062d15-4363-4797-8a7e-d72941f610cd/build/detector.js:1
<anonym> moz-extension://ed062d15-4363-4797-8a7e-d72941f610cd/build/detector.js:1
inject resource://gre/modules/ExtensionContent.sys.mjs:573
InterpretGeneratorResume self-hosted:1412
AsyncFunctionNext self-hosted:799
The moz-extension://UUID suggests to me that this may be related to one of your active browser extensions.
Thanks! With all extensions disabled, I still get a warning:
Content-Security-Policy: Ignorieren von "blob:" innerhalb script-src-elem: 'strict-dynamic' angegeben
It looks like the Firefox add-on Vue.js devtools raises the error instead of the warning.
Even with all add-ons disabled, I still get (another) error for apps/faces/photos/unassigned (and no photo is shown):
TypeError: e is undefined
VueJS 22
fetchUnassignedFaces FetchFacesMixin.js:201
mounted UnassignedFaces.vue:187
VueJS 18
init vue-router.esm.js:3005
init vue-router.esm.js:3004
updateRoute vue-router.esm.js:2414
transitionTo vue-router.esm.js:2263
confirmTransition vue-router.esm.js:2402
r vue-router.esm.js:2084
r vue-router.esm.js:2091
Yt vue-router.esm.js:2095
confirmTransition vue-router.esm.js:2396
r vue-router.esm.js:2084
r vue-router.esm.js:2088
m vue-router.esm.js:2384
u vue-router.esm.js:2127
Ut vue-router.esm.js:2203
promise callback*Pt/</< vue-router.esm.js:2150
jt vue-router.esm.js:2171
jt vue-router.esm.js:2171
jt vue-router.esm.js:2170
Pt vue-router.esm.js:2106
m vue-router.esm.js:2362
r vue-router.esm.js:2087
Maybe #2558?
I have a similar problem with Nextcloud 29.0.14 using a docker full_apache and with traefik.
In the Photos app => Albums => parameters => choose a media folder I can't see the folders
I have this warning message
Content-Security-Policy : « blob: » ignoré à l’intérieur de script-src-elem : l’attribut « strict-dynamic » est spécifié
and Type error e is undefined
I have looked at the security CSP rules, and they seem OK. I don't understand what's going wrong.
my config
docker exec -u www-data -it container-nextcloud-1 php occ config:list system
{
"system": {
"default_language": "fr",
"default_locale": "fr_FR",
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"htaccess.RewriteBase": "\/",
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"openssl": {
"config": "\/etc\/ssl\/openssl.cnf"
},
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "pgsql",
"version": "29.0.14.1",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"maintenance": false,
"maintenance_window_start": 19,
"updater.release.channel": "stable",
"theme": "",
"loglevel": 0,
"enable_previews": true,
"enabledPreviewProviders": [
"OC\\Preview\\PNG",
"OC\\Preview\\JPEG",
"OC\\Preview\\GIF",
"OC\\Preview\\BMP",
"OC\\Preview\\XBitmap",
"OC\\Preview\\MarkDown",
"OC\\Preview\\MP3",
"OC\\Preview\\TXT",
"OC\\Preview\\Illustrator",
"OC\\Preview\\Movie",
"OC\\Preview\\MSOffice2003",
"OC\\Preview\\MSOffice2007",
"OC\\Preview\\MSOfficeDoc",
"OC\\Preview\\OpenDocument",
"OC\\Preview\\PDF",
"OC\\Preview\\Photoshop",
"OC\\Preview\\Postscript",
"OC\\Preview\\StarOffice",
"OC\\Preview\\SVG",
"OC\\Preview\\TIFF",
"OC\\Preview\\Font"
],
"data-fingerprint": "d6d7663133927be27fc300a0c4239366",
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"filelocking.enabled": true,
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"password": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"overwriteprotocol": "https",
"overwrite.cli.url": "https:\/\/nmcd-nxc-pp.numc.eu",
"trusted_domains": [
"***REMOVED SENSITIVE VALUE***",
"nextcloud"
],
"mail_smtpmode": "smtp",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_sendmailmode": "smtp",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "1025",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": false,
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"share_folder": "\/_Partages_re\u00e7us_des_autres_utilisateurs\/",
"skeletondirectory": "data\/__Dossier-generique_des_nouveaux_utilisateurs",
"memories.exiftool": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/exiftool-amd64-glibc",
"memories.vod.path": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/go-vod-amd64",
"memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
"memories.vod.ffprobe": "\/usr\/bin\/ffprobe",
"memories.db.triggers.fcu": true,
"mail_smtpsecure": ""
}
}
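What the 'strict-dynamic' warning quoted in this thread reports, as an added example that is not part of any comment above or of Nextcloud's code: the sketch lists which source expressions a browser ignores in the list that governs script elements, and whether eval() is permitted. The policy string is constructed for illustration, and auditScriptPolicy and its helpers are hypothetical names.

```javascript
// Constructed sample policy for illustration; not copied from a Nextcloud response.
const SAMPLE_CSP =
  "default-src 'none'; base-uri 'none'; " +
  "script-src 'nonce-cjRuZDBt' 'strict-dynamic' 'self' blob: https://cdn.example; " +
  "img-src 'self' data: blob:";

// Keyword sources that stay in force when 'strict-dynamic' is present.
const KEPT_KEYWORDS = new Set(["'strict-dynamic'", "'unsafe-eval'",
  "'wasm-unsafe-eval'", "'unsafe-hashes'", "'report-sample'"]);
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[^']+'$/i;

// Split a header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return the first directive in the fallback chain that the policy defines.
function firstDefined(directives, chain) {
  const name = chain.find((n) => directives.has(n));
  return { directive: name ?? null, sources: name ? directives.get(name) : [] };
}

// Report what governs <script> elements and eval() under this policy.
function auditScriptPolicy(header) {
  const d = parseCsp(header);
  const elem = firstDefined(d, ['script-src-elem', 'script-src', 'default-src']);
  const evalSrc = firstDefined(d, ['script-src', 'default-src']);
  const has = (list, kw) => list.some((s) => s.toLowerCase() === kw);
  const strict = has(elem.sources, "'strict-dynamic'");
  const isKept = (s) => NONCE_OR_HASH.test(s) || KEPT_KEYWORDS.has(s.toLowerCase());
  return {
    directive: elem.directive,
    strictDynamic: strict,
    // Host, scheme, 'self' and 'unsafe-inline' sources are dropped under 'strict-dynamic'.
    ignored: strict ? elem.sources.filter((s) => !isKept(s)) : [],
    honoured: strict ? elem.sources.filter(isKept) : elem.sources,
    evalAllowed: has(evalSrc.sources, "'unsafe-eval'"),
  };
}

console.log(auditScriptPolicy(SAMPLE_CSP));
```

An entry in the ignored list corresponds to a console warning like the one quoted above; evalAllowed being false is the condition under which eval() raises EvalError.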