Nextcloud script blocked by CSP
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: damienhardy.bal+github, Unassigned, NeedInfo)
Details
Attachments
(1 file)
|
164.28 KB,
image/jpeg
|
Details |
EHZ7f36WsAAIR8W.jpeg
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Steps to reproduce:
Installed Nextcloud 16.0.5 (up to date) on mutualized hosting by OVH.
Actual results:
when displaying home page : "/nextCloud/index.php/apps/files/" script resources are block by CSP (according to network web dev tools). (cf screenshot)
And I cannot add exception via url bar tools.
<script> elements seams having correct nonce content in HTML page presenting CSP header.
Tested olso in safe-mode firefox
Expected results:
Non blocking inline <script> resource or add a way to add exception.
|
||
Comment 1•5 years ago
|
||
The priority flag is not set for this bug.
:wleung, could you have a look please?
For more information, please visit auto_nag documentation.
Christoph, please take a look and set the proper priority. thanks!
|
||
Comment 3•5 years ago
|
||
(In reply to Wennie from comment #2)
Christoph, please take a look and set the proper priority. thanks!
Moving this one into dom:security and triage in our weekly meeting tomorrow.
|
||
Comment 4•5 years ago
|
||
Is the page actually broken? Or is it just reporting failures because we're not using the nonce for the preload check. See bug 1591807
|
|
||
Updated•5 years ago
|
Description
•