Server: Icons are not loading in 'Activity' tab. Caused by 'Content Security Policy'

Created on 31 Jan 2019 · 4 Comments · Source: nextcloud/server

When clicking on 'Activity' no images are loading:

Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: <URL> <URL>".


Steps to reproduce

  1. Install latest version of Nextcloud using docker image (with apache)
  2. Use Nginx as a reverse proxy

Expected behaviour

Pictures should load :)

Actual behaviour

Pictures aren't loading in "Activity"

Server configuration

Operating system: Debian 9

Web server: Nginx

Database: MariaDB

PHP version: ? (Default from Docker image)

Nextcloud version: 15.0.2

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: Docker

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - accessibility: 1.1.0
  - activity: 2.8.2
  - bruteforcesettings: 1.3.0
  - cloud_federation_api: 0.1.0
  - comments: 1.5.0
  - dav: 1.8.1
  - federatedfilesharing: 1.5.0
  - federation: 1.5.0
  - files: 1.10.0
  - files_pdfviewer: 1.4.0
  - files_rightclick: 0.11.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_versions: 1.8.0
  - files_videoplayer: 1.4.0
  - firstrunwizard: 2.4.0
  - group_everyone: 0.1.1
  - groupfolders: 2.0.2
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - nextcloud_announcements: 1.4.0
  - notes: 2.5.1
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - provisioning_api: 1.5.0
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - support: 1.0.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - tasks: 0.9.8
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - unsplash: 1.1.3
  - updatenotification: 1.5.0
  - workflowengine: 1.5.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - gallery
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "nextcloud",
            "2": "cloud.stadtkapelle-oehringen.de"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "15.0.2.0",
        "overwrite.cli.url": "http:\/\/nextcloud",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Google Chrome 72.0.3626.81 (Official Build) beta (64-bit)
Operating system: Antergos Linux

Logs

Web server error log

nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /apps/activity/img/activity.svg?v=846cc9aa HTTP/2.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /settings/img/admin.svg?v=846cc9aa HTTP/2.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /core/js/contactsmenu_templates.js?v=846cc9aa-17 HTTP/2.0" 200 1463 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /apps/files/img/app.svg?v=846cc9aa HTTP/2.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /core/js/files/client.js?v=846cc9aa-17 HTTP/2.0" 200 5595 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /apps/notifications/js/notifications.js?v=846cc9aa-17 HTTP/2.0" 200 45381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /core/vendor/core.js?v=846cc9aa-17 HTTP/2.0" 200 281922 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /avatar/SimGie/32?v=1 HTTP/2.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/2.0" 200 74 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /ocs/v2.php/apps/activity/api/v2/activity/all?format=json&previews=true&since=0 HTTP/2.0" 200 35832 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"
nginx    | ***REMOVED SENSITIVE VALUE*** - - [31/Jan/2019:01:32:35 +0000] "GET /apps/files_rightclick/ajax/applications HTTP/2.0" 200 599 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"

Nextcloud log (data/nextcloud.log)

See Pastebin: https://pastebin.com/pZw19wUH

Browser log

Refused to load the image 'http://cloud.***REMOVED SENSITIVE VALUE***.de/apps/activity/img/activity-dark.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***.de/core/img/actions/user.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***.de/core/img/places/contacts.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***.de/core/img/actions/star-dark.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/places/files.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/actions/password.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/actions/share.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/places/calendar.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/actions/checkmark.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/img/actions/comment.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/apps/files/img/add-color.svg' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/preview.png?file=/Bilder/nasa-89125-unsplash.jpg&c=c7542b8db027109128b9e5bb6533a8eb&x=150&y=150' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".

(index):1 Refused to load the image 'http://***REMOVED SENSITIVE VALUE***/core/preview.png?file=/Bilder/albert-dehon-474237-unsplash.jpg&c=e55a8989c7ae6ac58a5e54d21a586cd3&x=150&y=150' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: https://source.unsplash.com https://images.unsplash.com".
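Why every image in the browser log above is refused, as an added example (not code from the issue or from Nextcloud): a small Python matcher for the source expressions of the logged `img-src` directive. The hostname `cloud.example.org` and the sample console line are constructed; `'self'` is treated as same scheme, host and port as the page, which is why `http://` image URLs generated behind the reverse proxy fail on an `https://` page.

```python
import re
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}
MSG_RE = re.compile(r"Refused to load the image '([^']+)' because it violates the "
                    r"following Content Security Policy directive: \"([^\"]+)\"")

def origin_of(url):
    """(scheme, host, port) of a URL; '' / None when the URL has no host (data:)."""
    p = urlsplit(url)
    return (p.scheme, p.hostname or "", p.port or DEFAULT_PORTS.get(p.scheme))

def source_allows(expr, url, page_origin):
    """Does one img-src source expression ('self', scheme:, host) allow `url`?"""
    scheme, host, port = origin_of(url)
    if expr == "'self'":
        # Same scheme, host and port as the page. Simplified: the https-upgrade
        # case of CSP3 is ignored, but an http:// image on an https:// page is
        # never 'self', which is exactly what the browser log shows.
        return (scheme, host, port) == page_origin
    if expr.endswith(":"):                      # scheme source: data: or blob:
        return scheme == expr[:-1]
    # host source such as https://source.unsplash.com (scheme/port optional)
    e_scheme, e_host, e_port = origin_of(expr if "://" in expr else "//" + expr)
    if e_scheme and e_scheme != scheme:
        return False
    host_ok = host.endswith(e_host[1:]) if e_host.startswith("*.") else host == e_host
    return host_ok and (e_port is None or e_port == port)

def explain(message, page_url):
    """Parse one console line; report which source expressions allow the URL."""
    m = MSG_RE.search(message)
    if not m:
        raise ValueError("not a CSP image violation message")
    url, directive = m.groups()
    exprs = directive.split()[1:]               # drop the directive name
    allowed_by = [e for e in exprs if source_allows(e, url, origin_of(page_url))]
    return {"url": url, "allowed_by": allowed_by, "blocked": not allowed_by}

# Constructed sample in the shape of the issue's browser log (hostname made up).
PAGE = "https://cloud.example.org/apps/activity/"
LINE = ("(index):1 Refused to load the image "
        "'http://cloud.example.org/core/img/actions/user.svg' because it violates "
        "the following Content Security Policy directive: \"img-src 'self' data: "
        "blob: https://source.unsplash.com https://images.unsplash.com\".")

if __name__ == "__main__":
    print(explain(LINE, PAGE))                                 # blocked
    # After overwriteprotocol=https Nextcloud emits https:// URLs: allowed by 'self'
    print(explain(LINE.replace("'http://", "'https://"), PAGE))
```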

Labels: 0. Needs triage, bug

All 4 comments

Okay, it's working after using this solution: https://help.nextcloud.com/t/nextcloud-wont-load-any-mixed-content/13565/2
Maybe this should be added to the Docker docs?

This issue still exists on version 16.0.1. Any solution?

marius-wieschollek/passwords#47

After executing the following command, it now works for me.
docker exec --user www-data nextcloud php occ config:system:set overwriteprotocol --value="https"

Ok, make sure you're in https mode! :)
