Server: Notification URLs should get updated when the nextcloud URL changes (http -> https or other domain) to prevent triggering CSP errors

Created on 15 Apr 2019 · 8 comments · Source: nextcloud/server

Steps to reproduce

  1. current nextcloud:apache docker container (behind a traefik proxy for https)
  2. Don't configure 'overwriteprotocol' => 'https' and enable CSP
  3. Share a file from another cloud
  4. Set 'overwriteprotocol' => 'https' in the config file

(Hopefully that's it)

Expected behaviour

The links in the notification should use the new URL with https or (better?) relative URLs.

Actual behaviour

  • The share icon gets loaded over http which can be fixed by setting overwriteprotocol to https
  • The accept and decline buttons still link to the http:// version of the site, even after changing overwriteprotocol to https.
  • This happens because the notification URLs are generated at the time the file gets shared and saved in a JSON string in notifications.actions and thus not updated after the nextcloud URL changes (for example http:// -> https:// or any other domain change).

Server configuration

Container version: Latest nextcloud:apache

Nextcloud version: 15.0.7.0

Updated from an older Nextcloud/ownCloud or fresh install: Updated regularly

Where did you install Nextcloud from: Docker hub

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - accessibility: 1.1.0
  - activity: 2.8.2
  - admin_audit: 1.5.0
  - audioplayer: 2.6.1
  - bookmarks: 0.17.0
  - bruteforcesettings: 1.3.0
  - calendar: 1.6.4
  - cloud_federation_api: 0.1.0
  - comments: 1.5.0
  - contacts: 3.1.0
  - dav: 1.8.1
  - federatedfilesharing: 1.5.0
  - federation: 1.5.0
  - files: 1.10.0
  - files_external: 1.6.0
  - files_pdfviewer: 1.4.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_versions: 1.8.0
  - files_videoplayer: 1.4.0
  - firstrunwizard: 2.4.0
  - gallery: 18.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - nextcloud_announcements: 1.4.0
  - notes: 2.5.1
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - provisioning_api: 1.5.0
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - support: 1.0.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - updatenotification: 1.5.0
  - workflowengine: 1.5.0
Disabled:
  - encryption
  - files_markdown
  - gpxedit
  - gpxpod
  - social
  - tasks
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.domain.com"
        ],
        "filesystem_check_changes": 1,
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/cloud.domain.com",
        "overwriteprotocol": "https",
        "dbtype": "mysql",
        "version": "15.0.7.0",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "theme": "",
        "loglevel": 2,
        "maintenance": false,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "PLAIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465"
    }
}

Are you using external storage, if yes which one: none

Are you using encryption: no

Are you using an external user-backend, if yes which one: none

Logs

Browser log

notifications.js?v=4902f966-12:7 Refused to connect to 'http://mycloud.url/ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/7' because it violates the following Content Security Policy directive: "connect-src 'self'".

Labels: 0. Needs triage, bug

All 8 comments

If you have any suggestions on how I can get more details / debug it more, I am happy to help. Currently I am lost in the code and don't know where to search to debug this problem.

Sadly no, the result is the same.

You share a file from another instance to your instance, right? If you do the same with a demo instance (https://demo.nextcloud.com/), does it work then?

When I share a file to the demo instance, the demo instance works as expected, so it is definitely something in my setup. I'm just unable to debug it further because I don't know where to start.

Digging further on this topic:
https://mycloud.url/ocs/v2.php/apps/notifications/api/v2/notifications returns

{ocs: {meta: {status: "ok", statuscode: 200, message: "OK"},…}
    ocs: {meta: {status: "ok", statuscode: 200, message: "OK"},…
        data: [{notification_id: 97, app: "files_sharing", user: "username", datetime: "2019-04-15T11:46:53+00:00",…]
            0: {notification_id: 97, app: "files_sharing", user: "username", datetime: "2019-04-15T11:46:53+00:00",…
                actions: [{label: "Accept",…}, {label: "Decline",…}]
                    0: {label: "Accept",…
                        label: "Accept"
                        link: "http://mycloud.url/ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/7"
                        primary: true
                        type: "POST"
                    1: {label: "Decline",…
                        label: "Decline"
                        link: "http://mycloud.url/ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/7"
                        primary: false
                        type: "DELETE"
[...]

So the question is: where do those URLs get generated? That part seems to ignore the 'overwriteprotocol' => 'https' setting.

TLDR:
The notification URLs are generated at the time the file gets shared and saved in a JSON string in notifications.actions and thus not updated after the nextcloud URL changes (for example http:// -> https:// or any domain change).
I've updated the issue description accordingly.

After digging even deeper I found the notifications table that stores the notifications permanently.
This one has a column actions where a JSON is stored which contained the http:// URL, so all my debugging tries were useless because it does not get generated on request but only when the file gets initially shared, and I only searched the database for http://mycloud.url instead of http:\/\/mycloud.url -> dafuq? 0o

So this is imho a problem by design because when the nextcloud URL changes, any old URLs are invalid -> the links should be generated on the fly. Is there any reason this component is designed in that way?
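The stored-actions problem described in this thread, as an added example in Python (not Nextcloud's own code, which is PHP): a constructed notifications.actions value written the way PHP's json_encode() escapes it, a rebase of the stored links onto the instance's current base URL, and a check for which links "connect-src 'self'" would block. The function names and the sample value are assumptions, not part of the project.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the notifications.actions column for a pending remote
# share created while the instance was reached over http. PHP's json_encode()
# escapes "/" as "\/", so grepping the raw column for "http://mycloud.url" fails.
STORED_ACTIONS = (
    '[{"label":"Accept","link":"http:\\/\\/mycloud.url\\/ocs\\/v2.php\\/apps'
    '\\/files_sharing\\/api\\/v1\\/remote_shares\\/pending\\/7",'
    '"type":"POST","primary":true},'
    '{"label":"Decline","link":"http:\\/\\/mycloud.url\\/ocs\\/v2.php\\/apps'
    '\\/files_sharing\\/api\\/v1\\/remote_shares\\/pending\\/7",'
    '"type":"DELETE","primary":false}]'
)

def load_actions(stored_json):
    """Decode the column as JSON instead of grepping the raw text for URLs."""
    return json.loads(stored_json)

def rebase_actions(stored_json, base_url):
    """Move every absolute action link onto base_url (current scheme and host);
    path and query stay, so the link survives an http -> https or domain change."""
    base = urlsplit(base_url)
    actions = load_actions(stored_json)
    for action in actions:
        link = urlsplit(action["link"])
        if link.scheme and link.netloc:
            action["link"] = urlunsplit(
                (base.scheme, base.netloc, link.path, link.query, link.fragment))
    return actions

def csp_self_violations(actions, page_origin):
    """Links that "connect-src 'self'" blocks for a page served from page_origin.
    'self' means same origin; the one allowance (CSP3) is an http page reaching
    https on the same host, so an https page reaching http is still blocked."""
    page = urlsplit(page_origin)
    blocked = []
    for action in actions:
        link = urlsplit(action["link"])
        if not link.scheme or not link.netloc:
            continue  # relative URL: always same origin, never blocked
        same_host = link.netloc == page.netloc
        upgrade = page.scheme == "http" and link.scheme == "https"
        if not same_host or (link.scheme != page.scheme and not upgrade):
            blocked.append(action["link"])
    return blocked

def to_stored(actions):
    """Re-encode the way PHP's json_encode() does, with escaped slashes."""
    return json.dumps(actions, separators=(",", ":")).replace("/", "\\/")
```

Relative links (as suggested in the issue) pass the CSP check regardless of scheme or domain, which is why generating them on the fly or storing them relative avoids this whole class of breakage.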

Had a similar issue because of this ...
I am using the nextcloud docker image behind a traefik reverse proxy, and while trying to authenticate desktop clients, the authentication was trying to communicate with http://myclouddomain.bla instead of https://myclouddomain.bla and CSP was blocking it, therefore I was unable to log in the desktop clients.

Edited config.php and added 'overwriteprotocol' => 'https' and the problem got solved ... is there a way to parse this as an environment variable?
