Content Security - Scripts #18

Closed
pavanagrawal123 opened this Issue Jan 23, 2017 · 12 comments

pavanagrawal123 commented Jan 23, 2017

Hi,

I just installed this app into my Yunohost, however on launching the software it's not working because of the content security on the JS scripts. Is this going to be fixed in future releases or do I need to make a configuration change?

juliencognito commented Feb 3, 2017

Hello
Same problem on my side, with Firefox or Chromium. The console view of Firefox's developer tools tells me about 'unsafe-eval'.
The files are not displayed until I voluntarily click on 'Files'; as long as I am connected, the problem is resolved.
As for the Ynh_Panel, it never appears.

I encounter this problem with NextCloud, not with other applications, and not on https://demo.nextcloud.com

Thanks for your attention,

Julien

Shnoulle commented Feb 9, 2017

Same issue: Content Security Policy error on the first load; on reload, all files are loaded.

My Nextcloud is in a subdirectory of my ynh login page.

jellium commented Feb 15, 2017

I encounter the same issue.
Below the first of the many errors reported by the browser debug tools:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'nonce-S0VxMFBpTEFvcCt4OUIvbXNRMFk0ZWRjUW1zMm9Fa1NJMjRpamhKeVFNOD06UkhMTlVGU3h4TmJWbzJxbDVENTVsNjlwYlQ1NjhSaGdSd3BOK1haRUthRT0=' 'unsafe-eval'”).

which points to the following line in the source:

<script nonce="NHNnSzJkYzltV0I3VHpqWldGd00rMHczbkV5MVRSQmVlZjMrMW43RUdkMD06MTc0K2phTm43d3NNWkZhRGQyMGpqQ1pScWlqOUpVWWFRSWpLbmhXSWE2Zz0=" type="text/javascript">

After refreshing the page once, the problem does not occur and line 55 becomes:

<script nonce="SUdmWW9iWi9YTlc1U29reVJqMTlXcDZIb3FFRldqTUVzbmJYM1JiS2J5Zz06VEYraHo4QU9PcHpkSGZ4eEV3NGNMTmF5amZSSkMySjIxaEs0cW5MOEJrWT0=" type="text/javascript">

This behavior is also encountered in the "private browsing" mode of Firefox.

Shnoulle commented Feb 15, 2017

Tracked down the error source (for my error: a reload loads the scripts).

[screenshot: capture du 2017-02-15 10-55-40]

solarus0 commented Feb 16, 2017

Same problem for me: on the first load, I have many CSP errors.
After a refresh, everything works but I still have this warning:

22:20:21,034 Content Security Policy: The page's settings blocked the loading of a resource at https://mail.ultrawaves.fr/ynhpanel.js ("script-src 'nonce-cStYQ3BWWWZFOS9kK2pvTFh4L0RTOUdVNFlaUWpNWG44QXdlTzRjczByOD06eDRhbTVCQk9aTHEva1YxbkUxaWtlcFNqbytJa3dyYUR0R3RvYWQ4ZnAvTT0=' 'unsafe-eval'"). 1 (unknown source)

I think that the resource containing the CS Policy is loaded in the wrong order.
Plus, the policy should include the Yunohost panel (ynhpanel.js).
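The two symptoms reported above (jellium's header nonce not matching the nonce on the inline `<script>` on first load, and ynhpanel.js being refused) are exactly what a nonce-only `script-src` produces by design. The evaluator below is an added example, not code from Nextcloud, YunoHost or this app package; it implements a subset of CSP's `script-src` matching (keywords, nonces, scheme sources and host sources, without port or path matching). The two nonces are the ones quoted in jellium's comment; the page URL `cloud.example.org`, the `'self'` variant and the "second header added by a proxy" case are constructed for illustration and do not describe the fix that was eventually merged.

```javascript
// Added example (not from the Nextcloud, YunoHost or nextcloud_ynh projects):
// a small evaluator for the script-src directive of a Content-Security-Policy
// header, showing why a nonce-only policy blocks both a mismatched inline
// script and an external script such as ynhpanel.js.

// Parse "directive src src; directive src" into Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Only the first occurrence of a directive counts; later repeats are ignored.
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// script-src falls back to default-src; no directive at all means "unrestricted".
function scriptSources(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

// Does one source expression match an external script URL?
// Subset of CSP3 matching: '*', 'self', scheme sources, host sources with an
// optional scheme and a leading "*." wildcard. Ports and paths are not compared.
function sourceAllowsUrl(expr, scriptUrl, pageUrl) {
  const e = expr.toLowerCase();
  if (e === '*') return true;
  if (e === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (e.startsWith("'")) return false;               // 'nonce-…', 'sha256-…', 'unsafe-eval', 'none'
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return scriptUrl.protocol === e;  // e.g. "https:", "data:"
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && scriptUrl.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return scriptUrl.hostname.endsWith(host.slice(1));
  return scriptUrl.hostname === host;
}

function externalScriptAllowed(policy, scriptUrlString, pageUrlString) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const scriptUrl = new URL(scriptUrlString, pageUrlString);
  const pageUrl = new URL(pageUrlString);
  return sources.some(s => sourceAllowsUrl(s, scriptUrl, pageUrl));
}

// Inline <script nonce="…">: allowed only if the header carries the identical
// (case-sensitive) 'nonce-…' token, or 'unsafe-inline' when no nonce/hash is present
// ('unsafe-inline' is ignored as soon as a nonce or hash source appears).
function inlineScriptAllowed(policy, attrNonce) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (attrNonce && sources.includes(`'nonce-${attrNonce}'`)) return true;
  return !hasNonceOrHash && sources.includes("'unsafe-inline'");
}

// Several Content-Security-Policy headers on one response (application + proxy)
// are all enforced: the script must pass every one, so a second header can only
// tighten the policy, never relax it.
function externalScriptAllowedByAll(headers, scriptUrlString, pageUrlString) {
  return headers.every(h => externalScriptAllowed(parseCsp(h), scriptUrlString, pageUrlString));
}

// Nonces quoted in the thread; page origin and the 'self' variant are constructed.
const HEADER_NONCE = 'S0VxMFBpTEFvcCt4OUIvbXNRMFk0ZWRjUW1zMm9Fa1NJMjRpamhKeVFNOD06UkhMTlVGU3h4TmJWbzJxbDVENTVsNjlwYlQ1NjhSaGdSd3BOK1haRUthRT0=';
const PAGE_NONCE = 'NHNnSzJkYzltV0I3VHpqWldGd00rMHczbkV5MVRSQmVlZjMrMW43RUdkMD06MTc0K2phTm43d3NNWkZhRGQyMGpqQ1pScWlqOUpVWWFRSWpLbmhXSWE2Zz0=';
const NEXTCLOUD_CSP = `script-src 'nonce-${HEADER_NONCE}' 'unsafe-eval'`;
const PAGE_URL = 'https://cloud.example.org/index.php/apps/files/';  // constructed

function threadScenarios() {
  const policy = parseCsp(NEXTCLOUD_CSP);
  return {
    // first load: header nonce and <script nonce> differ, so the inline script is refused
    firstLoadInline: inlineScriptAllowed(policy, PAGE_NONCE),
    // after a refresh both sides carry the same nonce
    refreshedInline: inlineScriptAllowed(policy, HEADER_NONCE),
    // ynhpanel.js is an external script; a nonce-only script-src has no host or
    // 'self' source, so it is refused even though it is served from the same origin
    ynhPanel: externalScriptAllowed(policy, '/ynhpanel.js', PAGE_URL),
    // one way to admit it (illustration only): add 'self' to script-src
    ynhPanelWithSelf: externalScriptAllowed(parseCsp(NEXTCLOUD_CSP + " 'self'"), '/ynhpanel.js', PAGE_URL),
    // a proxy that ADDS "default-src data:" instead of replacing the app header
    // restricts scripts to data: URLs and blocks ynhpanel.js again
    proxyHeaderAdded: externalScriptAllowedByAll([NEXTCLOUD_CSP + " 'self'", 'default-src data:'], '/ynhpanel.js', PAGE_URL),
  };
}

console.log(threadScenarios());
```

When reproducing the first-load symptom, compare the `'nonce-…'` token in the response header with the `nonce` attribute in the HTML of the same response: if they differ, the header and body were not generated by the same request (a cached or rewritten response), and no CSP change will make the browser accept the script.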

solarus0 commented Feb 21, 2017

Here is an extract from Firefox's debugger on the first load.
[screenshot: csp error nextcloud ynh]

Maybe it's needed to allow unsafe-eval earlier in your CSP policy.

Contributor

JimboJoe commented Mar 13, 2017

Can you guys try to apply this PR and see if it changes Nextcloud behavior?
You only need to swap 2 lines in /etc/nginx/conf.d/<yourdomain>.d/nextcloud.conf and reload the configuration with systemctl reload nginx.

jellium commented Mar 13, 2017

Hi @JimboJoe I just implemented your changes but this did not solve the issue for me (after reloading/restarting nginx, and removing browser downloaded data).

Bugsbane commented Mar 13, 2017

I'm still getting:

Refused to load the script 'https://MYDOMAIN.com/ynhpanel.js' because it violates the following Content Security Policy directive: "script-src 'nonce-UUY3YnN5RFFuazMxMnFLYzc5U1JSNGxpWU1SaXNLTDlLN0tUQzRuMkdaST06RmcrajBscm8rUjI2NHV2YjNPelRMZjAxRnFNRHg0bktic1A5TXVLRWJ1ST0=' 'unsafe-eval'".

...after applying the update to the Nginx .conf file for Nextcloud and restarting Nginx.

Contributor

JimboJoe commented Mar 13, 2017

Thanks for your tests!
I understand that the YNH tile still doesn't appear, but do you still have to refresh the page at login?

Shnoulle commented Mar 13, 2017

Seems to be working, but ......

yunohost / login / nextcloud: error (maybe an issue with browser cache)

yunohost / login / nextcloud: JS loads, but it takes ....... 500ms for each JS file ...

[screenshot: capture du 2017-03-13 12-13-44]

After: does not reload it again.*

But I think I prefer accessing the white page and clicking on the logo: it takes much less time ;)

pavanagrawal123 commented Mar 16, 2017

@JimboJoe
I applied the patch and restarted Nginx. It doesn't seem to work. I still have to refresh the WebUI once to get all the JS to load.

ianbogda added a commit to ianbogda/nextcloud_ynh that referenced this issue Apr 1, 2017

review fix YunoHost-Apps#26 and YunoHost-Apps#18
Hey @JimboJoe,
after more investigations, rules from nextCloud and tests :)
L23 ```more_set_headers Content-Security-Policy "default-src  data:;";```
is enough due to **/ynhpanel.css** where the yunohost image tile and fonts
are **data:base64**.

There are no SP leaks in this case.

I'll send a rectification in this way.

Rafi594 added a commit that referenced this issue Sep 2, 2017

Merge pull request #52 from YunoHost-Apps/fix_csp-nonce_ynh-fonts
Disable  CSPv3 nonces and allow YunoHost fonts data (fixes #26 missing YunoHost tile and #18 blank page)

@Rafi594 Rafi594 closed this Sep 2, 2017
