Getting broken sites due to CSP #34

Open
MG2R opened this issue Oct 26, 2017 · 11 comments

6 participants
@MG2R

commented Oct 26, 2017

I installed the Dimension theme featured on the Pico CMS website into apps/cms_pico/Pico/themes, enabled the theme and set the demo website found in the Dimension GitHub repository as my website content.

When going to the index at https://<mydomain>/index.php/apps/cms_pico/pico/<sitename>/index, the site is quite broken because it can't load jQuery. I can see the following message in the console.

Refused to load the script 'https://<mydomain>/apps/cms_pico/Pico/themes/dimension/assets/js/jquery.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-<big-ass string>' 'unsafe-eval'".

How should I go about fixing this?

@dewomser

commented Nov 7, 2017

I use the Pico default theme. The JavaScript modernizr does not load. Despite a lot of errors, the HTML and some CSS load. The menu, links and paths are OK.
How should I go about fixing this?
[screenshot: screenshot_20171107_101103]

@Ludovicis

commented Dec 13, 2017

Same problem with the Travelify theme: I can't use the tinynav.min.js script and my navigation bar doesn't appear on mobile devices.
Thanks for your help,

@Ludovicis

commented Dec 14, 2017

I have found a solution with the help of xupefei in this issue: xupefei/Travelify#3 (comment)

You must follow this issue:
nextcloud/server#2791

I have changed my Apache configuration with these lines:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}$1 [R=301,L]
# "Header always set" writes to the table that Apache merges into every response
Header always set Strict-Transport-Security "max-age=15768000;includeSubdomains;preload"
Header always set Content-Security-Policy "default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;font-src 'self' data:"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "sameorigin"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-XSS-Protection "1; mode=block"

#Options FollowSymLinks
#AllowOverride All
# "Header unset" without "always" only removes the headers Nextcloud's PHP code emits;
# the "Header always set" values above survive, so the browser receives the permissive CSP
Header unset "X-Content-Type-Options"
Header unset "X-Frame-Options"
Header unset "X-XSS-Protection"
Header unset "Public-Key-Pins"
Header unset "Content-Security-Policy"
Header unset "Strict-Transport-Security"
Header unset "Referrer-Policy"

And after restarting the Apache service there are no more CSP errors and the JS scripts work.
You must also follow this: "There should be a way to override the CSP policy given by Nextcloud, but I am not sure. Let's see how they answer to #34.

The solution for now is to put the JavaScript code inside index.twig, instead of having it separately. Write something like this before line 95 of index.twig, and do this for each of the three .js files:

<script> copy content of .js file here </script>

Note that the content of jquery-3.1.1.min.js should come before the other two.
This method will add about 90KB of network traffic for each navigation, but it is still better than nothing."

@MG2R

commented Dec 14, 2017

I feel that this should be done by the cms_pico module. This seems more like a hack than an actual solution.

@Ludovicis

commented Dec 14, 2017

I think the same; it is a hack.

@dewomser

commented Dec 14, 2017

I see the problem in the HTTP header. Nextcloud does not allow executing some CSS and JS. It's the wrong way to allow this for Nextcloud in an Apache patch. Only cms_pico should be allowed. Show the HTTP headers in the shell: curl -I your_pico_url

@dewomser

commented Dec 15, 2017

Workaround:
I just added one line to the Apache virtual host configuration:
Header unset "Content-Security-Policy"
And I still get an A+ rating at https://scan.nextcloud.com/

@Ludovicis

commented Dec 15, 2017

Me too, with the Apache config designated above: A+.

@poVoq

commented Dec 21, 2017

Is there a way this could work on a shared host with only .htaccess modifications?

@realitygaps

commented Dec 21, 2017

@poVoq you should be able to use:
Header unset Content-Security-Policy
in .htaccess files as well.

@fbclol

commented Jan 31, 2018

I may have a little solution!

Put/edit the file ./lib/Pico.php:

protected function getTwigVariables() {
    $twigVariables = parent::getTwigVariables();
    $twigVariables['theme_url'] = \OC_App::getAppWebPath(Application::APP_NAME) . '/Pico/themes/' . $this->getConfig('theme');
    // expose Nextcloud's per-request CSP nonce so theme templates can put it on their <script> tags
    $twigVariables['nonce']     = \OC::$server->getContentSecurityPolicyNonceManager()->getNonce();
    return $twigVariables;
}

New line:
$twigVariables['nonce'] = \OC::$server->getContentSecurityPolicyNonceManager()->getNonce();

And edit the *.twig file (example):

<script nonce="{{ nonce }}" src="{{ theme_url }}/js/masonry.pkgd.min.js"></script>

Edit the file ./appinfo/app.php (example):
add these lines before require_once .....

if (class_exists('\\OCP\\AppFramework\\Http\\EmptyContentSecurityPolicy')) {
    $manager = \OC::$server->getContentSecurityPolicyManager();
    $policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy();
    $policy->addAllowedStyleDomain('\'self\'');
    $policy->addAllowedStyleDomain('\'unsafe-inline\'');
    $policy->addAllowedStyleDomain('https://fonts.googleapis.com');
    $policy->addAllowedScriptDomain('\'self\'');
    $policy->addAllowedScriptDomain('\'unsafe-inline\'');
    $policy->addAllowedScriptDomain('ajax.googleapis.com');
    $policy->addAllowedImageDomain('\'self\'');
    $policy->addAllowedImageDomain('data:');
    $policy->addAllowedImageDomain('blob:');
    $policy->addAllowedMediaDomain('\'self\'');
    $policy->addAllowedMediaDomain('blob:');
    $policy->addAllowedFontDomain('fonts.gstatic.com');
    $policy->addAllowedChildSrcDomain('\'self\'');
    $policy->addAllowedConnectDomain('\'self\'');
    // optional: allow connect-src to the host of a "boshUrl" app setting, if one is configured
    $boshUrl = \OC::$server->getConfig()->getAppValue('cms_pico', 'boshUrl');
    if (preg_match('#^(https?:)?//([a-z0-9][a-z0-9\-.]*[a-z0-9](:[0-9]+)?)/#i', $boshUrl, $matches)) {
        $boshDomain = $matches[2];
        $policy->addAllowedConnectDomain($boshDomain);
    }
    // optional: '|'-separated extra connect-src hosts from an "externalServices" app setting
    // (array_filter drops the empty entry explode() yields when the setting is unset)
    $externalServices = \OC::$server->getConfig()->getAppValue('cms_pico', 'externalServices');
    foreach (array_filter(explode('|', $externalServices)) as $es) {
        $policy->addAllowedConnectDomain($es);
    }
    // merged into the default policy, i.e. applied to every Nextcloud response, not only Pico pages
    $manager->addDefaultPolicy($policy);
}
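The console error at the top of this issue and the nonce fix in the comment above both come down to how a browser matches a `<script>` against `script-src`. As an added example that is not part of this issue, of cms_pico or of Nextcloud, the Python below implements that matching for the source expressions involved ('self', 'unsafe-inline', 'nonce-...', scheme and host sources; path matching is simplified to a prefix check) and runs the policies discussed in the thread through it: a nonce-based policy constructed to mirror the quoted console message, the same policy with the theme's script tag carrying the nonce attribute, and the permissive Apache override. The hostnames, paths and nonce value are constructed.

```python
"""Added example (not Nextcloud, Pico or cms_pico code): a small evaluator for
the script-src decisions a browser makes under a CSP header. Covers 'self',
'unsafe-inline', 'nonce-...', scheme sources and host sources; path matching
is simplified to a prefix check. All URLs and the nonce are constructed."""
from urllib.parse import urlparse

_DEFAULT_PORT = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    A repeated directive is ignored: the first occurrence wins, as in browsers."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url):
    u = urlparse(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORT.get(scheme))


def _host_source_matches(source, url):
    """Scheme-source ('https:') or host-source ('cdn.example.com',
    '*.example.com', 'https://cdn.example.com:443/libs/') against a URL."""
    u = urlparse(url)
    scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    if source.endswith(":") and "/" not in source:
        return scheme == source[:-1].lower()
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
        if scheme != src_scheme.lower():
            return False
    elif scheme in ("http", "https"):
        rest = source               # no scheme in source: simplified to http/https only
    else:
        return False
    hostport, _, path = rest.partition("/")
    src_host, _, src_port = hostport.partition(":")
    src_host = src_host.lower()
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):
            return False
    elif host != src_host:
        return False
    if src_port and src_port != "*" and str(_origin(url)[2]) != src_port:
        return False
    return not path or u.path.startswith("/" + path)


def script_allowed(policy, page_url, src=None, nonce=None):
    """True if a <script> on page_url may run. src=None means an inline script;
    nonce is the value of the element's nonce attribute, if any."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                          # no governing directive
    if sources == ["'none'"]:
        return False
    if nonce is not None and "'nonce-%s'" % nonce in sources:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if src is None:
        # once a nonce or hash is present, browsers ignore 'unsafe-inline'
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    if "'self'" in sources and _origin(src) == _origin(page_url):
        return True
    return any(_host_source_matches(s, src) for s in sources if not s.startswith("'"))


NONCE = "c2FtcGxlLW5vbmNl"                                                 # constructed
PAGE = "https://cloud.example.org/index.php/apps/cms_pico/pico/site/index"  # constructed
JQUERY = "https://cloud.example.org/apps/cms_pico/Pico/themes/dimension/assets/js/jquery.min.js"
CDN_JQUERY = "https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"

# constructed to mirror the policy quoted in the console message at the top of the issue
NEXTCLOUD_CSP = ("default-src 'none'; script-src 'nonce-%s' 'unsafe-eval'; "
                 "style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:" % NONCE)
# the permissive policy from the Apache override posted earlier in the thread
APACHE_CSP = ("default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';"
              "script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;font-src 'self' data:")


def demo():
    nc, ap = parse_csp(NEXTCLOUD_CSP), parse_csp(APACHE_CSP)
    return {
        "theme jquery, no nonce attr, Nextcloud CSP": script_allowed(nc, PAGE, src=JQUERY),
        "theme jquery, nonce attr, Nextcloud CSP": script_allowed(nc, PAGE, src=JQUERY, nonce=NONCE),
        "inline <script>, Nextcloud CSP": script_allowed(nc, PAGE),
        "theme jquery, Apache override": script_allowed(ap, PAGE, src=JQUERY),
        "CDN jquery, Apache override": script_allowed(ap, PAGE, src=CDN_JQUERY),
        "inline <script>, Apache override": script_allowed(ap, PAGE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-45s %s" % (case, "allowed" if ok else "BLOCKED"))
```

The first case reproduces the "Refused to load the script" error: a `script-src` consisting only of a nonce and `'unsafe-eval'` has no host source that could match the theme's self-hosted jquery.min.js, so the request is blocked regardless of origin. Putting the nonce on the tag (the `nonce="{{ nonce }}"` approach above) is what lets that one script through while leaving everything else blocked; the Apache override lets it through via `'self'` but also re-enables every inline script, which is the protection the nonce was there to provide.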