CSP Configuration Issue

I have a server that is running OwnCloud 10.15.0.2. The server is running fine and there are no issues specifically with its functionality. However, a recent scan has listed a low level issue related to CSP that I am trying to resolve. I have uploaded a screenshot of this issue.

The CSP that is returned in the header is as follows:

content-security-policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'

From what I have found, there is no direct way to update this from within the application and the CSP header is generated dynamically within the application itself. I have tried to resolve this by configuring nginx on the server to hide the CSP generated by the application and then adding the CSP that I wanted. I used this in the nginx config:

fastcgi_hide_header Content-Security-Policy;
add_header Content-Security-Policy "base-uri 'self';default-src 'none';manifest-src 'self';script-src https://files.trilogy-consulting.com 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'; object-src 'none'" always;

That did make it so the CSP I was generating was the one displayed in the headers. However, this config had some issues and removed the configuration. I have 2 questions that I hope someone can answer:

  1. Am I correct that there is no way within the application to update the site's CSP, even with some third party plugin?

  2. If the CSP can be edited either via nginx or some application method, is there a way to configure CSP so that it will resolve the issues shown in the uploaded attachment without breaking the site?
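As an added example (not from the original post, and not part of ownCloud or its nginx packaging), here is a small POSIX shell script that parses a Content-Security-Policy header value into its directives and reports which of the directives a scanner usually looks for are absent. The two sample header values are the ones quoted above: the header the application emits and the nginx override. The list of "required" directives is an assumption taken from what the override added (base-uri and object-src, plus default-src as the fallback); the hostname in the curl comment is a placeholder.

```shell
# Added example: check a CSP header value for directives a scanner
# commonly flags as missing. Not code from the original post or from ownCloud.

# Constructed inputs: the two header values quoted in the thread.
ORIGINAL_CSP="default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'"
FIXED_CSP="base-uri 'self';default-src 'none';manifest-src 'self';script-src https://files.trilogy-consulting.com 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'; object-src 'none'"

# Assumed set of directives the policy should define explicitly.
# default-src is the fallback for fetch directives only; base-uri and
# object-src are not covered by it, which is why scanners ask for them.
REQUIRED_DIRECTIVES="default-src base-uri object-src"

# csp_has_directive CSP NAME -> exit 0 if NAME appears as a directive in CSP.
# Directives are separated by ';' and may carry leading whitespace.
csp_has_directive() {
    csp="$1"; name="$2"
    old_ifs="$IFS"; IFS=';'
    for d in $csp; do
        d="${d#"${d%%[! ]*}"}"          # strip leading spaces
        case "$d" in
            "$name"|"$name "*) IFS="$old_ifs"; return 0 ;;
        esac
    done
    IFS="$old_ifs"
    return 1
}

# csp_directive_value CSP NAME -> print the source list of NAME; exit 1 if absent.
csp_directive_value() {
    csp="$1"; name="$2"
    old_ifs="$IFS"; IFS=';'
    for d in $csp; do
        d="${d#"${d%%[! ]*}"}"
        case "$d" in
            "$name "*) IFS="$old_ifs"; printf '%s\n' "${d#"$name "}"; return 0 ;;
        esac
    done
    IFS="$old_ifs"
    return 1
}

# csp_missing CSP -> print each required directive absent from CSP, one per
# line; exit 1 if any is missing, 0 if the policy defines all of them.
csp_missing() {
    csp="$1"; rc=0
    for req in $REQUIRED_DIRECTIVES; do
        if ! csp_has_directive "$csp" "$req"; then
            echo "$req"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: compare the application's header with the override.
# To check a live server instead, feed it the real header value, e.g.
#   curl -sI https://<your-host>/ | tr -d '\r' \
#     | grep -i '^content-security-policy:' | cut -d' ' -f2-
echo "Missing from the application's CSP:"
csp_missing "$ORIGINAL_CSP" || true
echo "Missing from the nginx override:"
csp_missing "$FIXED_CSP" && echo "(none)"
echo "script-src before: $(csp_directive_value "$ORIGINAL_CSP" script-src)"
echo "script-src after:  $(csp_directive_value "$FIXED_CSP" script-src)"
```

Two points worth knowing when using this with the nginx approach above. First, nginx `add_header` directives are inherited from the enclosing level only when the current level (for example a `location` block) defines no `add_header` of its own, so an override placed in `server {}` silently disappears inside any `location {}` that already adds headers; putting the `fastcgi_hide_header`/`add_header` pair in the same `location` that proxies to PHP avoids that. Second, the override above changed `script-src` from `'self'` to an absolute origin, so run the script against the header the browser actually receives (the curl line in the comment) rather than against the config file, and confirm the site still loads before trusting the scanner's verdict.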

We are still having this issue. Anyone have experience updating CSP on owncloud?

I suspect that you are on a fool’s errand, but I wish you luck.