CSP blocked loading resource at inline script-src error in Firefox. #12724

Closed
artfulrobot opened this issue Nov 29, 2018 · 26 comments · Fixed by #18140
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug needs info

Comments

@artfulrobot

Steps to reproduce

Load the main nextcloud page. (i.e. All Files)

Expected behaviour

Page to load without errors in console.

Actual behaviour

Get this error in Firefox's web console: (Firefox 64 https://whatismybrowser.com/w/DSQGWHK)

Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").

Nb. this does not happen in Chromium.

Server configuration detail

Operating system: Linux 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64

Webserver: Apache/2.4.25 (Debian) (apache2handler)

Database: mysql 10.1.26

PHP version:

7.0.30-0+deb9u1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, mysqlnd, PDO, xml, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, json, exif, mcrypt, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache, xdebug

Nextcloud version: 14.0.4 - 14.0.4.2

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.0.1
 - activity: 2.7.0
 - bookmarks: 0.14.2
 - bookmarks_fulltextsearch: 1.0.0
 - bruteforcesettings: 1.2.0
 - cloud_federation_api: 0.0.1
 - comments: 1.4.0
 - contacts: 2.1.7
 - dav: 1.6.0
 - deck: 0.5.0
 - federatedfilesharing: 1.4.0
 - federation: 1.4.0
 - files: 1.9.0
 - files_external: 1.5.0
 - files_linkeditor: 1.0.7
 - files_markdown: 2.0.5
 - files_mindmap: 0.0.10
 - files_pdfviewer: 1.3.2
 - files_rightclick: 0.8.4
 - files_sharing: 1.6.2
 - files_texteditor: 2.6.0
 - files_trashbin: 1.4.1
 - files_versions: 1.7.1
 - files_videoplayer: 1.3.0
 - firstrunwizard: 2.3.0
 - fulltextsearch: 1.1.0
 - gallery: 18.1.0
 - issuetemplate: 0.4.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.2.0
 - mail: 0.11.0
 - news: 13.0.3
 - nextcloud_announcements: 1.3.0
 - notes: 2.5.0
 - notifications: 2.2.1
 - oauth2: 1.2.1
 - ownpad: 0.6.8
 - password_policy: 1.4.0
 - polls: 0.8.3
 - provisioning_api: 1.4.0
 - serverinfo: 1.4.0
 - sharebymail: 1.4.0
 - spreed: 4.0.1
 - support: 1.0.0
 - survey_client: 1.2.0
 - systemtags: 1.4.0
 - tasks: 0.9.8
 - twofactor_backupcodes: 1.3.1
 - updatenotification: 1.4.1
 - workflowengine: 1.4.0
Disabled:
 - admin_audit
 - encryption
 - theming
 - user_external
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "**removed**"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/**removed**\/nextcloud",
    "dbtype": "mysql",
    "version": "14.0.4.2",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "htaccess.RewriteBase": "\/nextcloud",
    "overwritewebroot": "\/nextcloud",
    "theme": "",
    "loglevel": 2,
    "maintenance": false,
    "updater.release.channel": "stable",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "updater.secret": "***REMOVED SENSITIVE VALUE***"
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

Client configuration

Browser: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0

Operating system: Ubuntu 18.04

Logs

Browser log
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").
files:1:1
JQMIGRATE: Migrate is installed, version 1.4.0 core.js:7:542
window.controllers/Controllers is deprecated. Do not use it for UA detection. merged.js:2176 
Nextcloud log
N/A?

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #8358 (CSP is blocking font in data:), #2791 (CSP blocks path from server?), #11035 (CSP child-src is deprecated), #10489 (Warnings and errors in Firefox console), and #10254 (File Download CSP Error).

@artfulrobot
Author

artfulrobot commented Nov 29, 2018

Dear bot, this does look like the first of the 2 errors shown in #10489 but that bug was closed off for an earlier version. I'm seeing the error in latest stable 14.0.4. I'm running nextcloud in a directory https://example.com/nextcloud/ (if that makes a difference).

I'm not concerned about the warnings, but the error suggests, well, an error!

@ChristophWurst
Member

What specific resource was blocked? Is it possible this is one of your extensions that tries to inject a script? I'm pretty sure this is the case because I see that too occasionally (e.g. with the Vue dev tools).

@ChristophWurst ChristophWurst added needs info 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Nov 29, 2018
@artfulrobot
Author

@ChristophWurst Hmmm, I don't know, I posted all the info there was from the console log.

I have been through my apps, disabling them one by one and reloading the main page after disabling to check for the error. The error persisted throughout. Here's the full list of apps I disabled:

  • notes
  • accessibility
  • activity
  • bookmarks
  • brute force
  • comments
  • contacts
  • deck
  • deleted files
  • external storage
  • federation
  • file sharing
  • files right click
  • first run wizard
  • full text search
  • full text search bookmarks
  • gallery
  • issue template
  • link editor
  • log reader
  • mail
  • markdown editor
  • mind map
  • monitoring
  • news
  • nextcloud announcements
  • notifications
  • ownpad
  • password policy
  • pdf viewer
  • polls
  • share by mail
  • support
  • talk
  • tasks
  • text editor
  • update notification
  • versions
  • video player

@ChristophWurst
Member

Okay, sorry for not being more specific. With extension I don't mean Nextcloud apps but browser extensions. Could you try with a fresh profile on Firefox or another browser like Chrome?

@artfulrobot
Author

Dang, you're right! With a fresh profile it doesn't happen. OK, this is clearly a local issue, sorry for taking up your time and many thanks for your work and support.

@ChristophWurst
Member

No worries ✌️

@artfulrobot
Author

For the sake of other googlers, it was the Privacy Badger extension that was generating the errors I saw.

@xaverfleer

I think this is still a bug.

While the behavior is correct (JavaScript gets blocked by the addon), the error message is incorrect.
Expected Error Message: none
Actual Error Message: "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)."

@xaverfleer

xaverfleer commented May 29, 2019

For the sake of other googlers, I observed the same behavior with the uMatrix addon.

@deoakshay

I am still getting this error in the console, when trying to login to my gmail account

@quenenni

quenenni commented Sep 19, 2019

I discovered that problem with all the v15.0.7 and v15.0.11 instances of NC I recently updated.
They were still working despite all these requests blocked by FF, except a few that had lots of problems after the update.

Some resources are blocked by CSP in FF, but only in recent versions.
My colleague with v60.x doesn't have the problem; I, with v69, have it (and another colleague too).
No problem in chromium (Version 73.0.3683.75 (Developer Build) built on Debian 9.8, running on Debian 9.11 (64-bit)).

That was not a cache problem, not an add-on in FF, it was linked to the CSP policy returned by Nextcloud.

  • even in a new FF profile, the problem persisted
  • restarted nginx / php-fpm; emptied opcache, restarted redis

I fixed the problem by changing the policy header that Nextcloud is generating.
I modified the file lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php (line 407):

$policy = "default-src 'none';";

changed to:

$policy = "default-src 'self' 'unsafe-inline';";

Now everything's good.
But, tbh, I'm not sure if what I did didn't weaken the security too much.

I'll let experts judge it.

Edit: I was wrong with my solution. Check next post

@quenenni

It seems I was wrong with my solution.
I guess too many tests in lots of directions can do that.

The problematic header comes from the 'useJsNonce' feature.

With it, the "script-src 'nonce-....'" header is blocked by the CSP control in FF.

By commenting out the block in lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php (lines 413 -> 421)

/*
if(is_string($this->useJsNonce)) {
    $policy .= '\'nonce-'.base64_encode($this->useJsNonce).'\'';
    $allowedScriptDomains = array_flip($this->allowedScriptDomains);
    unset($allowedScriptDomains['\'self\'']);
    $this->allowedScriptDomains = array_flip($allowedScriptDomains);
    if(count($allowedScriptDomains) !== 0) {
        $policy .= ' ';
    }
}
*/

and forcing the 'unsafe-inline' property of script-src by commenting out the test on line 425

// if($this->inlineScriptAllowed) {
    $policy .= ' \'unsafe-inline\'';
// }

now it works.
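
The two edits above (dropping `default-src 'none'` for `'unsafe-inline'`, and later disabling the nonce block and forcing `'unsafe-inline'`) change what the browser will execute. The following is an added example, not Nextcloud's code and not part of this thread: a small script-src evaluator that shows why the original nonce policy blocks an inline script injected by an extension while allowing the page's own nonced scripts, and why the patched policy allows both. The header shapes and the nonce value are constructed from the PHP quoted above; hash sources are recognised but not matched.

```python
import base64
from typing import Dict, List, Optional

# Constructed sample nonce; Nextcloud generates a fresh one per request.
NC_NONCE = base64.b64encode(b"constructed-per-request-token").decode()

# Assumed shape of the header built by EmptyContentSecurityPolicy with useJsNonce.
NEXTCLOUD_STYLE = f"default-src 'none';script-src 'nonce-{NC_NONCE}' 'self';style-src 'self'"
# Policy after the edits in this thread: nonce block removed, 'unsafe-inline' forced.
PATCHED_POLICY = "default-src 'none';script-src 'self' 'unsafe-inline';style-src 'self'"
# Nonce kept and 'unsafe-inline' added: nonce-aware browsers ignore the keyword.
NONCE_PLUS_UNSAFE_INLINE = f"default-src 'none';script-src 'nonce-{NC_NONCE}' 'self' 'unsafe-inline'"


def parse_directives(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def inline_script_allowed(header: str, script_nonce: Optional[str] = None) -> bool:
    """Would an inline <script> (with nonce attribute script_nonce, or none) run?
    script-src falls back to default-src when absent. Per CSP Level 2/3, once the
    directive lists a nonce or hash source, 'unsafe-inline' is ignored and only a
    matching nonce admits the script (hash matching is not modelled here)."""
    directives = parse_directives(header)
    sources = directives.get("script-src", directives.get("default-src", []))
    nonces = {s[len("'nonce-"):-1] for s in sources
              if s.startswith("'nonce-") and s.endswith("'")}
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if nonces or has_hash:
        return script_nonce is not None and script_nonce in nonces
    return "'unsafe-inline'" in sources


def report(header: str) -> Dict[str, bool]:
    """Who gets to run inline script: the page's nonced script vs. an injected one."""
    return {
        "page_script_with_nonce": inline_script_allowed(header, NC_NONCE),
        "extension_injected_script": inline_script_allowed(header, None),
    }
```

Running `report()` on the three headers shows the trade-off: the nonce policy admits only the page's own scripts, the patched policy admits any inline script, and adding `'unsafe-inline'` next to a nonce changes nothing in a nonce-aware browser.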

@quenenni

You're right.
This report was not about CSP but privacy badger.
My mistake. Sorry.

@ovk

ovk commented Oct 24, 2019

@quenenni , did you find a working solution to this issue?

I am getting the same problem on Firefox 69 (script blocked by CSP). Wonder why this issue is closed despite problem not being resolved.

@ChristophWurst
Member

Because it's not a problem of Nextcloud. The extension tries to modify the page in a way that is against the page's security rules.

@ainola

ainola commented Oct 31, 2019

I'm getting hit with this even without any addons. I started a fresh firefox profile and even got CSP errors on the login page

Screenshot at 2019-10-31 00-20-53

I'm using nginx and a configuration nearly identical to the recommended config from the docs. Nextcloud is version 17 and Firefox version 70.

@ovk

ovk commented Oct 31, 2019

Info for anyone who is still seeing requests blocked by CSP in Firefox (even without any extensions) - this appears to be a bug in Firefox.

Details are here https://bugzilla.mozilla.org/show_bug.cgi?id=1591807

@quenenni

@ovk, did you try my solution? (modifying the file lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php)

If it's a plugin that generates that error, I don't know which one.
But every time I tried to update or create a new instance of Nextcloud (15 & 16), I had that same problem, sometimes with few apps (but always at least the classical apps).

Having so little time at the moment, I didn't check more to see what's causing it.
Hopefully, in a near future.

@quenenni

> Info for anyone who is still seeing requests blocked by CSP in Firefox (even without any extensions) - this appears to be a bug in Firefox.
>
> Details are here https://bugzilla.mozilla.org/show_bug.cgi?id=1591807

Nice catch. Hopefully this will be fixed soon.

@sebastiansterk
Member

sebastiansterk commented Nov 2, 2019

I have the same issue in Firefox and Chrome. I'm using the Nextcloud Docker Image (latest one and already tried it with v16, same issue)

@ovk

ovk commented Nov 2, 2019

@sebastiansterk this is surprising, as I only observed this bug in Firefox. I'd suggest you try the minimal example that I posted in the bug description with FF and Chrome (with no addons), and see if there is any difference.

@gnikyt

gnikyt commented Nov 7, 2019

@quenenni Tried your solution; although the CSP errors are gone from the console, the JS and CSS are not applied to the site at all and the page still takes over a minute to load. Was that the case for you?

@quenenni

quenenni commented Nov 8, 2019

@ohmybrew Sorry but no. I didn't have a slow loading problem.
As soon as I applied the change and reloaded the page, everything was smooth.

What you can do, as the cache system in FF (and other browsers) is becoming a real pain in the a** and, when testing something, often makes it impossible to know if the test was really done, is to try your NC without the cache.
Go to the NC page, open the debugger (F12 by default), go to the network tab and select the option "Deactivate cache".
Keep the debugger open and reload the page to see if there is a difference.

@gnikyt

gnikyt commented Nov 8, 2019

@quenenni I actually ended up solving my issue. I turned loglevel to 0 in config and noticed during the slow page reload, it was spamming the NextCloud log saying server.scss was locked.

I had file locking on.

So I disabled file locking and memcache in config, refreshed the page and all was normal.

I re-enabled memcache (kept file locking off for now), refreshed, and all still good.

It appears the compiled CSS and JS files got removed somehow; Nextcloud tried to remake them but due to the file lock it ran into issues. I can see in the core directory now that all files are there for styling and JS.
