You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On commit e231abd, the default value for $strictDynamicAllowedOnScripts in lib/public/AppFramework/Http/ContentSecurityPolicy.php was set to "true".
Given the way in which the merge policies are done in lib/private/Security/CSP/ContentSecurityPolicyManager.php, you can never set the parameter to false:
// true wins over false
if ($value > $currentValue) {
$defaultPolicy->$setter($value);
}
So, the default "true" value always remains with no option to disable it if necessary.
Steps to reproduce
Create a simple custom CSP in a custom module:
namespace OCA\Sample;
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
class MyContentSecurityPolicy extends EmptyContentSecurityPolicy {
/** @var bool Whether strict-dynamic should be used on script-src-elem */
protected $strictDynamicAllowedOnScripts = false;
}
Create a Controller which returns a TemplateResponse:
public function index() {
$fpolicy = new FeaturePolicy();
$cspolicy = new MyContentSecurityPolicy();
$cspolicy->addAllowedScriptDomain("https://another-domain.com/");
$template = new TemplateResponse('sample', 'myView');
$template->setContentSecurityPolicy($cspolicy);
$template->setFeaturePolicy($fpolicy);
return $template;
}
Access to the index of the module, you will see the following error on the browser console:
Refused to load the script 'https://another-domain.com/myScript.js' because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic'
Expected behavior
On changing the property, the explicit CSP should be over the default CSP. There are 2 options: the first one is to modify the merge method; the second one is to leave default options as false.
The option of modifying the merge method can have consequences that I'm not able to figure out currently. It would be useful if someone can point into the scenarios in which the mergePolicies method must be as it is.
The second option allows you to manage the CSP, but it can be a security risk in some scenarios.
Installation method
Community Web installer on a VPS or web space
Nextcloud Server version
28
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.
Results
=======
- core
- EXTRA_FILE
- .well-known/ai-plugin.json
Raw output
==========
Array
(
[core] => Array
(
[EXTRA_FILE] => Array
(
[.well-known/ai-plugin.json] => Array
(
[expected] =>
[current] => 828bd800d444b7aab125ec7b2453dd2c89ea2738928c52bb292daa68f60201234c1c5495884f8122633be98ed7bae324c02ad396cc2bd72772a5695f680839d1
)
)
)
)
Nextcloud Logs
No response
Additional info
No response
The text was updated successfully, but these errors were encountered:
This is a bug indeed which also breaks our plugin. It's a bit difficult to make that decision in the merge functionality. You're confronted with two values, and for some (e.g. inlineStyleAllowed) the truthy value makes the CSP less strict while for others (e.g. this one: strictDynamicAllowedOnScripts) it makes the CSP stricter. I would argue the merge function needs to respect the least strict CSP that was given.
One potential way of fixing would be to invert the behavior of the variables, so that truthy always means "less strict". In this case, I'd rename the variable to something like strictDynamicAllowedOnScripts to strictDynamicDisabledOnScripts which actually disables setting strict-dynamic on script-elem (by default, it would be added then). In the default CSP template you would then get:
The merge function could then stay the same. Still not ideal though, as it would still not allow a plugin to actually enforce strict-dynamic unless enabled in the default template. However, it makes the behavior a bit more in line with the behavior on different properties.
When a CSP rule has a strict default set by the framework (like strict-dynamic), the only meaningful modification would be to disable it. This may have a negative impact on site security, but apps will keep working.
On the other hand, allowing an app to enforce a strict rule when another app has already disabled it will break that app. This is also unnecessary because the strict rule is already in effect by default.
This means that a boolean parameter makes no sense if a strict default is provided, and that the only meaningful use for useStrictDynamicOnScripts(bool) currently does not work. Instead, there should be a disableStrictDynamicOnScripts() method that does not take any arguments and disables the rule once and for all. Apps that require a loosened CSP will keep working, and other apps don't have to care.
Other rules are affected as well, and it's not only on/off rules that cannot be overridden. useJsNonce(string | null) also has no effect.
Bug description
On commit e231abd, the default value for $strictDynamicAllowedOnScripts in lib/public/AppFramework/Http/ContentSecurityPolicy.php was set to "true".
Given the way in which the merge policies are done in lib/private/Security/CSP/ContentSecurityPolicyManager.php, you can never set the parameter to false:
So, the default "true" value always remains with no option to disable it if necessary.
Steps to reproduce
Expected behavior
On changing the property, the explicit CSP should be over the default CSP. There are 2 options: the first one is to modify the merge method; the second one is to leave default options as false.
The option of modifying the merge method can have consequences that I'm not able to figure out currently. It would be useful if someone can point into the scenarios in which the mergePolicies method must be as it is.
The second option allows you to manage the CSP, but it can be a security risk in some scenarios.
Installation method
Community Web installer on a VPS or web space
Nextcloud Server version
28
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
No response
Additional info
No response
The text was updated successfully, but these errors were encountered: