Server: False Referrer-Policy warning after upgrade to Nextcloud 15

Created on 18 Nov 2018 · 13 Comments · Source: nextcloud/server

Steps to reproduce

  1. Log in to your nextcloud with an account with administrative privileges
  2. Click on "Overview"

Expected behaviour

No warnings are shown (like in 14.03 pre-upgrade)

Actual behaviour

Referrer-Policy warning shows up, although it has been set to "strict-origin".

This false warning has also been shown with Beta 1 but not for 14.03.
Changing the configuration to the newly implemented same-origin does not make a difference for Beta 2 but for 14.03 since

Server configuration

Operating system: Ubuntu 16.04.5

Web server: Apache/2.4.18

Database: 10.0.36-MariaDB

PHP version: 7.0.32-0ubuntu0.16.04.1

Nextcloud version: 15.0.0 beta 2

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from:

List of activated apps:


<details>
<summary>App list</summary>

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder
Enabled:
  - accessibility: 1.1.0
  - activity: 2.8.2
  - bruteforcesettings: 1.2.0
  - cloud_federation_api: 0.1.0
  - comments: 1.5.0
  - dav: 1.7.2
  - federatedfilesharing: 1.5.0
  - federation: 1.5.0
  - files: 1.10.0
  - files_pdfviewer: 1.4.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_versions: 1.8.0
  - files_videoplayer: 1.4.0
  - firstrunwizard: 2.4.0
  - gallery: 18.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - nextcloud_announcements: 1.4.0
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - provisioning_api: 1.5.0
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - updatenotification: 1.5.0
  - workflowengine: 1.5.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - support
  - user_external
  - user_ldap
</details>

**Nextcloud configuration:**
<details>
<summary>Config report</summary>

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or

Insert your config.php content here.
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)
```json
{
    "system": {
        "instanceid": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "XXXXXX"
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "overwrite.cli.url": "httpsXXXX",
        "htaccess.RewriteBase": "\/",
        "dbtype": "mysql",
        "version": "15.0.0.6",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "REMOVED SENSITIVE VALUE",
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "updater.release.channel": "beta",
        "skeletondirectory": "\/var\/www\/default-files",
        "maintenance": false,
        "loglevel": 2,
        "theme": "",
        "updater.secret": "REMOVED SENSITIVE VALUE"
    }
}
```
</details>

Are you using external storage, if yes which one: local

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 63.0

Operating system: Ubuntu 18.04.01

bug

All 13 comments

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/4908 (Problem upgrading NextCloud), https://github.com/nextcloud/server/issues/11202 (Nextcloud 14 Upgrade issue. ), https://github.com/nextcloud/server/issues/5599 (Contacts duplicate after upgrade to Nextcloud 12.0), https://github.com/nextcloud/server/issues/12507 (App Page not available after Upgrade to 15 Beta 2), and https://github.com/nextcloud/server/issues/12497 (Update with updater from Nextcloud 15 Beta 1 to Beta 2 not possible).

This issue also shows up on another instance after upgrade from 14.03 to 14.04.

Just upgraded to 14.04 and found this warning. Once I commented it out from my vhost file, the warning went away:

Apache/2.4.25 (Debian)

```apache
# <IfModule mod_headers.c>
#Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
#Header always set Referrer-Policy "no-referrer"
# </IfModule>
```

I've left the defaults intact in the NextCloud .htaccess:

```
grep -ni referrer .htaccess
19:    Header set Referrer-Policy "no-referrer"
```

Perhaps having both caused a conflict?

I had this issue as well after upgrading from 14.03 to 14.04. And it was fixed for me as well by removing one of the header directives (either the one in my sites.conf or the one in .htaccess).

While inspecting the issue I found out that setting the directives in two places causes Apache to send the header twice. So Nextcloud probably gets confused when that header is present multiple times.
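The double-header situation described in the comments above, as an added example that is not part of this thread and not Nextcloud's own code: a small Python checker that parses a raw HTTP response, counts how many times `Referrer-Policy` is sent, shows the comma-folded value a browser would hand to a script, and flags a missing, repeated or unexpected policy. The set of accepted values is an assumption on my part (the thread names no-referrer, strict-origin and same-origin; the other two are the remaining policies that never leak a path cross-origin), and the three sample responses are constructed, not captured.

```python
# Added example, not from the issue thread or from the Nextcloud code base.
# Reports how the Referrer-Policy header is set on a raw HTTP response, so an
# admin can spot the "set in the vhost AND in .htaccess" case the thread describes.
from typing import Dict, List, Tuple

# Assumed list of policies the Nextcloud setup check accepts: the thread names
# no-referrer, strict-origin and same-origin; the other two are assumed here.
ACCEPTED_POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "same-origin",
}


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in wire order; repeated names are kept, not merged."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    pairs = []
    for line in lines[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def referrer_policy_report(raw: bytes) -> Dict[str, object]:
    """Summarise the Referrer-Policy header(s) of a response and list problems."""
    values = [v for n, v in parse_headers(raw) if n == "referrer-policy"]
    # A browser folds repeated headers into one comma-separated value; a check that
    # expects a single policy token then sees "no-referrer, no-referrer" and fails.
    folded = ", ".join(values) if values else None
    problems = []
    if not values:
        problems.append("header missing")
    if len(values) > 1:
        problems.append("header sent %d times (set it in one place only)" % len(values))
    for v in values:
        if v.lower() not in ACCEPTED_POLICIES:
            problems.append("unexpected value %r" % v)
    return {"count": len(values), "folded": folded, "ok": not problems, "problems": problems}


# Constructed sample responses (not real captures).
# 1) Header set both in the Apache vhost and in .htaccess: sent twice.
DOUBLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
    b"Referrer-Policy: no-referrer\r\n"
    b"Referrer-Policy: no-referrer\r\n"
    b"\r\n<html></html>"
)
# 2) Header set in one place only, with the value the reporter uses.
SINGLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Referrer-Policy: strict-origin\r\n"
    b"\r\n<html></html>"
)
# 3) Header not set at all.
MISSING = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("double", DOUBLE), ("single", SINGLE), ("missing", MISSING)):
        print(label, referrer_policy_report(raw))
```

To run it against a live instance, feed the function the raw bytes of a response to the Nextcloud root (for example from a socket or from `curl -i` output saved to a file); `count` greater than 1 is the signature of the vhost-plus-.htaccess overlap, and the fix is to keep the directive in only one of the two places.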

I can confirm that the behavior has been introduced for 14.04 and persists for 15 RC1.

Can confirm this is an issue on Nextcloud 14.04 as well.

I can confirm @Scindix's finding. Identical header settings in two different locations (apache conf file / .htaccess) were causing the trouble.

This is also true for the stable 14.0.6 release. Referrer policy is set to no-referrer. The website Security Headers correctly identifies that the referrer policy has been configured, but the "Security & setup warnings" warning from Nextcloud incorrectly reports that the referrer policy is not set.

As I understand it now, it is no longer recommended to configure the referrer policy in the apache-config (according to the Nextcloud 15 docs) because the htaccess takes care of it.

Is this correct? Then this issue should be closed I think.

In my particular case I am now running Lighttpd with Nextcloud stable version 15.0.5, so the .htaccess would not help. The "Referrer-Policy" HTTP header warning is still displayed on the Settings -> Administration -> Overview screen.

The header is set by Nextcloud. If you set the header with your lighttpd, remove it there.

I can confirm that removing the header from the lighttpd .conf file does indeed remove the warning now. Thank you.
