Skip to content

[Bug]: Content Security Policy (CSP) Error for preview-service-worker.js #39849

New issue
New issue
Closed
#39808
Closed
[Bug]: Content Security Policy (CSP) Error for preview-service-worker.js#39849
#39808
Labels
1. to developAccepted and waiting to be taken care of27-feedbackbug
@Xyaren

Description

@Xyaren
Xyaren
opened on Aug 13, 2023

⚠️ This issue respects the following points: ⚠️

Bug description

Chrome Browser Console throws error:

Refused to create a worker from 'https://nextcloud.mydomain.de/index.php/apps/files/preview-service-worker.js' because it violates the following Content Security Policy directive: "script-src 'nonce-aFNJRWFwcklWUlMvTVM5WDZxdnBtOEtyeWh4OVpzbHBGckh3NkpGeHk4OD06L0c1OEJOU0RiRk9IYVg1OGpzN2NycnZoa2xrZU51WWhmY216M3ZNMHVKaz0='". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

ConsoleLogger.js:59 [ERROR] files: SW registration failed:  
{
  "app": "files",
  "error": "DOMException: Failed to register a ServiceWorker: The provided scriptURL ('https://nextcloud.mydomain.de/index.php/apps/files/preview-service-worker.js') violates the Content Security Policy.",
  "code": 18,
  "message": "Failed to register a ServiceWorker: The provided scriptURL ('https://nextcloud.mydomain.de/index.php/apps/files/preview-service-worker.js') violates the Content Security Policy.",
  "name": "SecurityError",
  "level": 2,
  "uid": "tobi"
}

CSP Header value:
default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-UTBDelpjMTN0ZUZoOWtHZzROL0ZSUUNNcDVUVi9ZT1ArT21NeUUyU1hGOD06T2d6TEM0TThqS1pacmhDTGhMcndjSG5HLzlHMnJhekhrNUhQL2kvWEx3az0=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' https://nominatim.openstreetmap.org/;media-src 'self';frame-src https://www.openstreetmap.org/ 'self';frame-ancestors 'self';form-action 'self'

Steps to reproduce

  1. Open homepage of nextcloud
  2. Observe error in console

Expected behavior

I expect no errors to appear in the console when navigating to nextcloud

Installation method

Community Docker image

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": 465,
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.mydomain.de",
            "web"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.0.1.2",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "nc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "loglevel": 2,
        "theme": "",
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "camerarawpreviews",
            "files_external_gdrive",
            "files_external_onedrive",
            "social",
            "metadata"
        ],
        "default_phone_region": "DE",
        "memories.exiftool": "\/var\/www\/html\/custom_apps\/memories\/exiftool-bin\/exiftool-amd64-musl",
        "memories.vod.path": "\/var\/www\/html\/custom_apps\/memories\/exiftool-bin\/go-vod-amd64",
        "memories.index.mode": "3",
        "memories.index.path": "\/Media\/Fotos",
        "memories.gis_type": 1,
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\Movie",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\TIFF"
        ],
        "preview_max_x": 1024,
        "preview_max_y": 1024
    }
}

List of activated Apps

Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - audioplayer: 3.4.0
  - bruteforcesettings: 2.7.0
  - camerarawpreviews: 0.8.2
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contactsinteraction: 1.8.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_antivirus: 5.2.1
  - files_automatedtagging: 1.17.0
  - files_external: 1.19.0
  - files_pdfviewer: 2.8.0
  - files_retention: 1.16.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - memories: 5.2.1
  - metadata: 0.19.0
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - previewgenerator: 5.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - quota_warning: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - sociallogin: 5.4.3
  - support: 1.10.0
  - survey_client: 1.15.0
  - suspicious_login: 5.0.0
  - systemtags: 1.17.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - workflowengine: 2.9.0
Disabled:
  - breezedark: 26.0.0 (installed 26.0.0)
  - calendar: 4.4.4 (installed 4.4.4)
  - contacts: 5.3.2 (installed 5.3.2)
  - dashboard: 7.7.0 (installed 7.7.0)
  - encryption: 2.15.0
  - photos: 2.3.0 (installed 2.3.0)
  - text: 3.8.0 (installed 3.8.0)
  - twofactor_totp: 9.0.0
  - updatenotification: 1.17.0 (installed 1.17.0)
  - user_ldap: 1.17.0
  - weather_status: 1.7.0 (installed 1.7.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    1. to developAccepted and waiting to be taken care of27-feedbackbug

    Type

    No type

    Projects

    Files to vue

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions