Skip to content

CSP blocked loading resource at inline script-src error in Firefox. #12724

Description

@artfulrobot

Steps to reproduce

Load the main nextcloud page. (i.e. All Files)

Expected behaviour

Page to load without errors in console.

Actual behaviour

Get this error in Firefox's web console: (Firefox 64 https://whatismybrowser.com/w/DSQGWHK)

Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").

Nb. this does not happen in Chromium.

Server configuration detail

Operating system: Linux 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64

Webserver: Apache/2.4.25 (Debian) (apache2handler)

Database: mysql 10.1.26

PHP version:

7.0.30-0+deb9u1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, mysqlnd, PDO, xml, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, json, exif, mcrypt, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache, xdebug

Nextcloud version: 14.0.4 - 14.0.4.2

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.0.1
 - activity: 2.7.0
 - bookmarks: 0.14.2
 - bookmarks_fulltextsearch: 1.0.0
 - bruteforcesettings: 1.2.0
 - cloud_federation_api: 0.0.1
 - comments: 1.4.0
 - contacts: 2.1.7
 - dav: 1.6.0
 - deck: 0.5.0
 - federatedfilesharing: 1.4.0
 - federation: 1.4.0
 - files: 1.9.0
 - files_external: 1.5.0
 - files_linkeditor: 1.0.7
 - files_markdown: 2.0.5
 - files_mindmap: 0.0.10
 - files_pdfviewer: 1.3.2
 - files_rightclick: 0.8.4
 - files_sharing: 1.6.2
 - files_texteditor: 2.6.0
 - files_trashbin: 1.4.1
 - files_versions: 1.7.1
 - files_videoplayer: 1.3.0
 - firstrunwizard: 2.3.0
 - fulltextsearch: 1.1.0
 - gallery: 18.1.0
 - issuetemplate: 0.4.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.2.0
 - mail: 0.11.0
 - news: 13.0.3
 - nextcloud_announcements: 1.3.0
 - notes: 2.5.0
 - notifications: 2.2.1
 - oauth2: 1.2.1
 - ownpad: 0.6.8
 - password_policy: 1.4.0
 - polls: 0.8.3
 - provisioning_api: 1.4.0
 - serverinfo: 1.4.0
 - sharebymail: 1.4.0
 - spreed: 4.0.1
 - support: 1.0.0
 - survey_client: 1.2.0
 - systemtags: 1.4.0
 - tasks: 0.9.8
 - twofactor_backupcodes: 1.3.1
 - updatenotification: 1.4.1
 - workflowengine: 1.4.0
Disabled:
 - admin_audit
 - encryption
 - theming
 - user_external
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "**removed**"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/**removed**\/nextcloud",
    "dbtype": "mysql",
    "version": "14.0.4.2",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "htaccess.RewriteBase": "\/nextcloud",
    "overwritewebroot": "\/nextcloud",
    "theme": "",
    "loglevel": 2,
    "maintenance": false,
    "updater.release.channel": "stable",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "updater.secret": "***REMOVED SENSITIVE VALUE***"
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

Client configuration

Browser: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0

Operating system: Ubuntu 18.04

Logs

Browser log
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").
files:1:1
JQMIGRATE: Migrate is installed, version 1.4.0 core.js:7:542
window.controllers/Controllers is deprecated. Do not use it for UA detection. merged.js:2176 
Nextcloud log
N/A?
Browser log

Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").
files:1:1
JQMIGRATE: Migrate is installed, version 1.4.0 core.js:7:542
window.controllers/Controllers is deprecated. Do not use it for UA detection. merged.js:2176

Metadata

Metadata

Assignees

No one assigned

    Labels

    0. Needs triagePending check for reproducibility or if it fits our roadmapbugneeds info

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions