Server: Nextcloud beta to RC web-updater CSP issue

Created on 22 Nov 2018  ·  10 Comments  ·  Source: nextcloud/server

Steps to reproduce

  1. Go to admin area and click "Open Updater"
  2. Loads the Updater and replaces the current content of the page but with initial CSP still in place.
    default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-BLUBB';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src https://office.catchit.xyz
  3. Error in console about eval
    Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).

Expected behaviour

No CSP issue

Actual behaviour

Without execution of loaded JS the "Start update" button does nothing.

Server configuration

Web server: Nginx

PHP version: 7.3

Nextcloud version: (see Nextcloud admin page) 15.0.0 beta 2

Edit: Maybe a duplicate of https://github.com/nextcloud/server/issues/12497 - searched for CSP and eval and found nothing.

Labels: bug, high

All 10 comments

Same here with Apache + PHP7.2.

@MichaIng yes after writing the issue the GitHub search included a link to the issue (because your comment was related). I searched and also looked into milestone (is a blocker for me) and found nothing. The problem is no new page is loaded (Take a look at URL) = old URL and

Ai. Yes we might need to loosen the CSP for the updater page

Update itself has no CSP. Because you stay on admin/overview the CSP of admin/overview breaks the updater. Maybe open a new tab or reopen the site should fix it and avoid the Vue router with old CSP.

I will look into this tomorrow. Thanks for the feedback. We totally missed this one.

This is due to an eval() in the updater notification app:

https://github.com/nextcloud/server/blob/e7d565178131510c5081fe7a54c92d59d4ea13c3/apps/updatenotification/src/components/root.vue#L270

@rullzer @nickvergessen What to do here? Should we try to add the script elements inline via HTML tags? Or should we whitelist eval on the page once an update is detected?
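One way to check the policy quoted in the steps to reproduce against the eval() named in this comment is a small CSP parser, given here as an added example that is not part of the thread or of the nextcloud/server code. It parses the policy string from the issue (the nonce value "BLUBB" is the one shown there), reports whether eval-style execution is permitted by the governing directive, and shows what the "whitelist eval" option from this comment would do to the policy. The function names and the helper are assumptions of this example.

```javascript
// Added example (not from nextcloud/server): minimal CSP parsing to show
// why the updater's eval() is blocked by the admin page's policy and what
// loosening script-src for it would change.

// Constructed input: the policy from the issue report, copied verbatim.
const ISSUE_POLICY =
  "default-src 'none';base-uri 'none';manifest-src 'self';" +
  "script-src 'nonce-BLUBB';style-src 'self' 'unsafe-inline';" +
  "img-src 'self' data: blob:;font-src 'self';connect-src 'self';" +
  "media-src 'self';frame-src https://office.catchit.xyz";

// Parse "dir src src; dir src" into { dir: [src, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// The source list that governs script execution: script-src, or
// default-src when script-src is absent.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d["script-src"] ?? d["default-src"] ?? [];
}

// eval(), new Function() and string-argument setTimeout run only when
// the governing directive lists 'unsafe-eval'. A nonce or hash does not
// unlock them, which is why 'nonce-BLUBB' alone blocks the updater.
function evalAllowed(policy) {
  const d = parseCsp(policy);
  const governing = d["script-src"] ?? d["default-src"];
  if (governing === undefined) return true; // no policy for scripts at all
  return governing.includes("'unsafe-eval'");
}

// What "whitelist eval on the page" amounts to: appending 'unsafe-eval'
// to the explicit script-src directive (the issue's policy has one).
// Every script on that page, not only the updater, may then call eval().
function withUnsafeEval(policy) {
  return policy
    .split(";")
    .map((part) => {
      const t = part.trim();
      return t.toLowerCase().startsWith("script-src ") ? t + " 'unsafe-eval'" : t;
    })
    .join(";");
}

console.log("eval allowed by issue policy:", evalAllowed(ISSUE_POLICY));
console.log("governing sources:", scriptSources(ISSUE_POLICY));
console.log("after loosening:", evalAllowed(withUnsafeEval(ISSUE_POLICY)));
```

Run with `node`. The checker makes the trade-off in this comment explicit: the policy from the report permits only nonce-tagged scripts, so the updater's eval() cannot run, and adding 'unsafe-eval' fixes the button at the cost of dropping that protection for the whole admin page rather than just the updater.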

Should we try to add the script elements inline via HTML tags?

I tested and it doesn't work. There is another creepy way: parse the <script> tags, send them to the server as "here serve this on the next request I will issue" and then insert a "