Content-Security-Policy: Cannot add script-src directive 'self' #16243
Comments
janis91
added
bug
0. Needs triage
|
Is this intended and if so, why? |
|
The 'self' predicate is explicitely excluded here which is really strange. I use Nexcloud 17 and just by debuging fresh installed nexcloud in Firefox you see, that even the core javascript files are not loaded (because of CSP). I do not understand reasoning behing this. |
|
BTW I can confirm this bug, so please @janis91 releave the triage tag. |
|
It is intented. And it is not a bug. You should add the nonce (which gets added automatically if you do the loadScript stuff) if the browser supports it. |
|
Ping @janis91 still an issue? |
|
Well I think it's an issue because otherwise it's impossible to use importScripts for a web worker. |
|
Well... we don't have any webworkes right now... |
|
Is this Issue still valid? If not, please close this issue. Thanks! :) |
|
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions. |
ghost
added
the
Steps to reproduce
Developing my app that loads a web worker with ìmportScripts()` to process things in the browser with WebAssembly, I have to add script-src directive 'self', because importScripts does not allow to add nonce in any way. I am currently doing it like this:
Expected behaviour
The script-src should have 'nonce-' AND 'self' in it.
Actual behaviour
The script-src only contains the nonce value.
For everything else (for example if I add 'unsafe-eval' or something else to script-src) it works. Only 'self' is not possible.
Server configuration
PHP version: 7.2
Nextcloud version: 16
Updated from an older Nextcloud/ownCloud or fresh install: fresh install
What is the matter here?
The text was updated successfully, but these errors were encountered: