CSP nonce by default

[rullzer]

In #10205 I tried to always add the CSP nonce.

As most browsers if unsafe-inline is there and a nonce will ignore the unsafe-inline. This is the CSPv3 backwards compatibility idea.

However this seems to break on Edge. As edge doesn't properly parse the nonce on external resources.

We should investigate how to enable the nonce on more browsers.

[MorrisJobke]

We should investigate how to enable the nonce on more browsers.

Safari: #11966

[MichaIng]

@rullzer
Not sure, if it's related, but since I updated to NC15.0.0 Beta 2, many images (various icons on all NC pages) are blocked by CSP with: Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval';" (Apache)

I guess it's related to this topic, but I don't understand enough to know how to fix best. Simply removing the CSP header works, which is fine for me now, but would be great, after work on this is done/NC15 release to have e.g. some page on docs about the minimum CSP entries required to show all Nextcloud core content.

This is on Opera developer browser v58, but should be not related. I am open for testing/log reports, in case.

[rullzer]

You should not set your own csp headers. Nextcloud does this all automatically.

[MichaIng]

@rullzer
Ah okay, makes sense then.

But if I want to set my own CSP headers globally for other/own websites, is it possible to do this without affecting the ones from Nextcloud? Perhaps Header always set Content-Security-Policy "" within Nextcloud vhost/location config to unset global headers first?

EDIT:

Header unset Content-Security-Policy
Header always unset Content-Security-Policy

[szaimen]

I'd vote for closing this now that Edge was superseded by Chromium Edge.

[MichaIng]

I guess this means to re-open this issue for discussion, doesn't it?

Currently the nonce is still only used based on a whitelist:

• https://github.com/nextcloud/server/blob/215aef3/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php#L74-L76
• https://github.com/nextcloud/server/blob/215aef3/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php#L80-L95

If compatibility with old Microsoft Edge is not required, then #10205 could be reattempted, switching to a blacklist. But there are a lot of browsers out there, including the mobile variants, so much to test 🙂.