Icons are not loading in 'Activity' tab. Caused by 'Content Security Policy' #13934

Closed
Aragur opened this issue Jan 31, 2019 · 4 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug

Comments

@Aragur

Aragur commented Jan 31, 2019

When clicking on 'Activity', no images are loading:

Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: <URL> <URL>".

[screenshot: example_image]

Steps to reproduce

  1. Install latest version of Nextcloud using docker image (with apache)
  2. Use Nginx as a reverse proxy

Expected behaviour

Pictures should load :)

Actual behaviour

Pictures aren't loading in "Activity"

Server configuration

Operating system: Debian 9

Web server: Nginx

Database: MariaDB

PHP version: ? (Default from Docker image)

Nextcloud version: 15.0.2

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: Docker

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - accessibility: 1.1.0
  - activity: 2.8.2
  - bruteforcesettings: 1.3.0
  - cloud_federation_api: 0.1.0
  - comments: 1.5.0
  - dav: 1.8.1
  - federatedfilesharing: 1.5.0
  - federation: 1.5.0
  - files: 1.10.0
  - files_pdfviewer: 1.4.0
  - files_rightclick: 0.11.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_versions: 1.8.0
  - files_videoplayer: 1.4.0
  - firstrunwizard: 2.4.0
  - group_everyone: 0.1.1
  - groupfolders: 2.0.2
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - nextcloud_announcements: 1.4.0
  - notes: 2.5.1
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - provisioning_api: 1.5.0
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - support: 1.0.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - tasks: 0.9.8
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - unsplash: 1.1.3
  - updatenotification: 1.5.0
  - workflowengine: 1.5.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - gallery
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "nextcloud",
            "2": "cloud.stadtkapelle-oehringen.de"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "15.0.2.0",
        "overwrite.cli.url": "http:\/\/nextcloud",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Google Chrome 72.0.3626.81 (Official Build) beta (64-bit)
Operating system: Antergos Linux

Logs

Web server error log

nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /apps/activity/img/activity.svg?v=846cc9aa HTTP/2.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /settings/img/admin.svg?v=846cc9aa HTTP/2.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /core/js/contactsmenu_templates.js?v=846cc9aa-17 HTTP/2.0" 200 1463 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /apps/files/img/app.svg?v=846cc9aa HTTP/2.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /core/js/files/client.js?v=846cc9aa-17 HTTP/2.0" 200 5595 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /apps/notifications/js/notifications.js?v=846cc9aa-17 HTTP/2.0" 200 45381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /core/vendor/core.js?v=846cc9aa-17 HTTP/2.0" 200 281922 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /avatar/SimGie/32?v=1 HTTP/2.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/2.0" 200 74 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /ocs/v2.php/apps/activity/api/v2/activity/all?format=json&previews=true&since=0 HTTP/2.0" 200 35832 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /apps/files_rightclick/ajax/applications HTTP/2.0" 200 599 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"

Nextcloud log (data/nextcloud.log)

See Pastebin: https://pastebin.com/pZw19wUH

Browser log

Refused to load the image 'http://cloud.***REMOVED SENSITIVE VALUE***.de/apps/activity/img/activity-dark.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***.de/core/img/actions/user.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***.de/core/img/places/contacts.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***.de/core/img/actions/star-dark.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/places/files.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/actions/password.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/actions/share.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/places/calendar.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/actions/checkmark.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/actions/comment.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/apps/files/img/add-color.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/preview.png?file=/Bilder/nasa-89125-unsplash.jpg&c=c7542b8db027109128b9e5bb6533a8eb&x=150&y=150' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/preview.png?file=/Bilder/albert-dehon-474237-unsplash.jpg&c=e55a8989c7ae6ac58a5e54d21a586cd3&x=150&y=150' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".
@Aragur Aragur added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jan 31, 2019
@Aragur Aragur changed the title Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: <URL> <URL>". Icons are not loading in 'Activity' tab. Caused by 'Content Security Policy' Jan 31, 2019
@Aragur (Author)

Aragur commented Jan 31, 2019

Okay it's working after using this solution: https://help.nextcloud.com/t/nextcloud-wont-load-any-mixed-content/13565/2
Maybe this should be added to the docker docs?

@ettingshausen

This issue still exists on version 16.0.1. Any solution?

@ettingshausen

ettingshausen commented Jun 5, 2019

marius-wieschollek/passwords#47

After executing the following command, it now works for me.
docker exec --user www-data nextcloud php occ config:system:set overwriteprotocol --value="https"

@skjnldsv (Member)

Ok, make sure you're in https mode! :)
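Added example (editor's addition, not code from the Nextcloud project or from anyone in this thread) showing why the browser log above reports a CSP violation and why `overwriteprotocol https` fixes it. When TLS is terminated at the reverse proxy and Nextcloud is not told about it, it builds absolute `http://` URLs for its own icons, while the page itself is loaded over `https://`. The CSP keyword `'self'` means "same origin as the document", and the only cross-scheme match CSP permits is an *upgrade* (http document loading https), never a downgrade, so an `http://` image on an `https://` page is refused. The script below is a small evaluator for the `img-src` directive quoted in the issue (`'self'`, scheme sources such as `data:`/`blob:`, and host sources), following the CSP3 matching rules for those three source kinds; the hostname `cloud.example.test` and the resource URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# The img-src value quoted in the browser log of this issue.
NEXTCLOUD_IMG_SRC = "'self' data: blob: https://source.unsplash.com https://images.unsplash.com"
# Constructed document URL: the Activity page as loaded through the TLS-terminating proxy.
PAGE = "https://cloud.example.test/apps/activity/"


def _origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def self_matches(document_url, resource_url):
    """CSP 'self': the resource must share the document's origin. The only
    cross-scheme case CSP allows is an http document loading https/wss from the
    same host; an https document loading http is a downgrade and is refused."""
    d_scheme, d_host, d_port = _origin(document_url)
    r_scheme, r_host, r_port = _origin(resource_url)
    if d_host != r_host:
        return False
    if d_scheme == r_scheme:
        return d_port == r_port
    if d_scheme == "http" and r_scheme in ("https", "wss"):
        return r_port in (d_port, DEFAULT_PORTS[r_scheme])
    return False


def host_source_matches(source, resource_url):
    """Host-source expression such as https://images.unsplash.com or *.example.test.
    Scheme must match (http source may be satisfied by https), host must match
    (leading '*.' matches subdomains), port must match or be the scheme default,
    and a path in the source must be a prefix of the resource path."""
    s = urlsplit(source if "://" in source else "//" + source)
    r = urlsplit(resource_url)
    s_scheme, r_scheme = s.scheme.lower(), r.scheme.lower()
    if s_scheme and s_scheme != r_scheme and not (s_scheme == "http" and r_scheme == "https"):
        return False
    s_host, r_host = (s.hostname or "").lower(), (r.hostname or "").lower()
    if s_host.startswith("*."):
        if not r_host.endswith(s_host[1:]):
            return False
    elif s_host != r_host:
        return False
    r_port = r.port or DEFAULT_PORTS.get(r_scheme)
    s_port = s.port if s.port else DEFAULT_PORTS.get(r_scheme)
    if s_port != r_port:
        return False
    if s.path and not r.path.startswith(s.path):
        return False
    return True


def img_src_allows(document_url, directive_value, resource_url):
    """Evaluate one resource URL against an img-src directive value."""
    r_scheme = urlsplit(resource_url).scheme.lower()
    for source in directive_value.split():
        if source == "'none'":
            return False
        if source == "'self'":
            if self_matches(document_url, resource_url):
                return True
        elif source.endswith(":") and "/" not in source:  # scheme-source: data:, blob:, https:
            if r_scheme == source[:-1].lower():
                return True
        elif host_source_matches(source, resource_url):
            return True
    return False


def demo():
    """Constructed cases mirroring the issue: icon URLs as Nextcloud generates them
    before and after overwriteprotocol=https, plus the other allowed source kinds."""
    cases = {
        "http icon (TLS ends at proxy, overwriteprotocol unset)": "http://cloud.example.test/core/img/actions/user.svg",
        "https icon (overwriteprotocol=https)": "https://cloud.example.test/core/img/actions/user.svg",
        "inline data: icon": "data:image/svg+xml;base64,PHN2Zy8+",
        "allow-listed third party": "https://images.unsplash.com/photo.jpg",
        "other host": "https://cdn.example.org/x.png",
    }
    return {label: img_src_allows(PAGE, NEXTCLOUD_IMG_SRC, url) for label, url in cases.items()}


if __name__ == "__main__":
    for label, ok in demo().items():
        print(("allowed  " if ok else "REFUSED  ") + label)
```

Running it prints one REFUSED line, the `http://` icon on the `https://` page, which is exactly the failure in the browser log; the same path over `https://` is allowed by `'self'`, which is what the `overwriteprotocol` setting (or a correctly configured `overwrite.cli.url` and proxy headers) achieves. The reverse check is also worth noting for operators: the evaluator allows an `http://` document to load `https://` from the same host, so a plain-http deployment is not affected, which is why the problem only appears once TLS is terminated in front of Nextcloud.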
