Keeweb leading to blank page #214

Open
Alexander-Matte opened this issue Dec 9, 2022 · 9 comments

@Alexander-Matte

Hello, currently having an issue with accessing my .kdbx database on my self-hosted Nextcloud server. The server is currently running PHP 7.4 with Ubuntu 20.04 LTS and Nginx. I have downloaded the app and can see it on my server. When I click on my database within Nextcloud, it's leading me to a blank page (just my background color). I have checked through my Console and Networks tab and have found the error 403 Forbidden. The file is then Keeweb?config=config. Is there something I have to change so that the Keeweb app is accessible from Nextcloud? Thanks

@jhass
Owner

jhass commented Dec 9, 2022

Is every request via HTTPS?

@Alexander-Matte
Author

Yes, that was one of the first things I checked.

@jhass
Owner

jhass commented Dec 9, 2022

Is your Nginx setting or filtering any headers, such as CSP?

@Alexander-Matte
Author

Could these be the cause of the problem?

add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=15552000" always;

@jhass
Owner

jhass commented Dec 9, 2022

STS headers I can't imagine, I have no clue what X-XSS-Protection does, should be easy enough to disable and see?

@arnowelzel
Collaborator

arnowelzel commented Dec 10, 2022

Please remove X-XSS-Protection. This is a non-standard header and not needed anyway, since Nextcloud and Keeweb already set appropriate CSP headers to mitigate XSS.

Also see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

In addition: think about upgrading to PHP 8.1 if possible. PHP 7.4 is officially "end of life" and Nextcloud will soon handle PHP 7.4 as deprecated and likely require PHP 8.1 in the future.

Also see: https://www.php.net/supported-versions.php

@solracsf

If that header is removed, Nextcloud will issue a Warning.


@arnowelzel
Collaborator

> If that header is removed, Nextcloud will issue a Warning.

I stand corrected - in fact Nextcloud includes an .htaccess file which always sets that header for Apache (if the required module in Apache is enabled). Maybe it helps to check that file for what other options are used for Apache - these headers are not the only thing.

@psit-kr

psit-kr commented Mar 21, 2023

Hi,

We had the same issue.

We resolved it at the firewall appliance level.
Our firewall had static URL hardening enabled and the form disappears / blank page.
After we disabled the static URL hardening firewall rule for the Nextcloud website, it works again as expected.

Maybe this will help someone.
