opencloud icon indicating copy to clipboard operation
opencloud copied to clipboard
Published 3 weeks ago verified publisher icon opencloud-eu

Make default csp rules respect the OC_OIDC_ISSUER env var?

Open butonic opened this issue 2 months ago • 0 comments

the built in default CSP rules currently are hardcodet to:

directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''self'''
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net/'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
  manifest-src:
    - '''self'''
  media-src:
    - '''self'''
  object-src:
    - '''self'''
    - 'blob:'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
  style-src:
    - '''self'''
    - '''unsafe-inline'''

whle the one in the compuse file uses env vars:

directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''self'''
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    # This is needed for the external-sites web extension when embedding sites
    - 'https://docs.opencloud.eu'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
  manifest-src:
    - '''self'''
  media-src:
    - '''self'''
  object-src:
    - '''self'''
    - 'blob:'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
  style-src:
    - '''self'''
    - '''unsafe-inline'''

We should be able to use the OC_OIDC_ISSUER env var in the default csp. maybe even others like for collabora if we can find a good default.

butonic avatar Oct 10 '25 08:10 butonic