I have a server that is running ownCloud 10.15.0.2. The server is running fine and there are no issues specifically with its functionality. However, a recent scan has listed a low-level issue related to CSP that I am trying to resolve. I have uploaded a screenshot of this issue.
The CSP that is returned in the header is as follows:
content-security-policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
From what I have found, there is no direct way to update this from within the application and the CSP header is generated dynamically within the application itself. I have tried to resolve this by configuring nginx on the server to hide the CSP generated by the application and then adding the CSP that I wanted. I used this in the nginx config:
fastcgi_hide_header Content-Security-Policy;
add_header Content-Security-Policy "base-uri 'self';default-src 'none';manifest-src 'self';script-src https://files.trilogy-consulting.com 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'; object-src 'none'" always;
That did make it so that the CSP I was generating was the one returned in the headers. However, this config caused some issues, so I removed the configuration. I have two questions that I hope someone can answer:
- Am I correct that there is no way within the application to update the site's CSP, even with some third-party plugin?
- If the CSP can be edited, either via nginx or some application method, is there a way to configure the CSP so that it resolves the issues shown in the uploaded attachment without breaking the site?
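The following is an added example, not code from the post above or from the ownCloud project. It parses the two header values quoted in the post the way a browser does (first occurrence of a directive wins, tokens split on whitespace) and runs the checks a header-hardening scanner typically performs; which directives the poster's scanner actually flagged is an assumption, since the screenshot is not reproduced here. It also diffs the application's policy against the nginx override so you can see exactly what the override changed before deploying it.

```python
"""Audit a Content-Security-Policy header value the way a header scanner
does.  Added example, not code from the original post or the ownCloud
project; the list of directives a scanner expects is an assumption about
what the poster's scan flagged."""

# Directives that do NOT fall back to default-src (per the CSP spec), so a
# policy with default-src 'none' still leaves them unset.
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")
UNSAFE_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")

# The two header values quoted in the post, reconstructed with plain quotes.
OWNCLOUD_POLICY = (
    "default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';"
    "style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;"
    "font-src 'self';connect-src 'self';media-src 'self'"
)
NGINX_POLICY = (
    "base-uri 'self';default-src 'none';manifest-src 'self';"
    "script-src https://files.trilogy-consulting.com 'unsafe-eval';"
    "style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;"
    "font-src 'self';connect-src 'self';media-src 'self'; object-src 'none'"
)


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}.

    Directives are separated by ';' and tokens by ASCII whitespace.  If a
    directive is repeated, browsers keep the first occurrence, so we do too.
    """
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def audit_csp(value: str) -> list[str]:
    """Return the findings a typical CSP hardening check would raise."""
    policy = parse_csp(value)
    findings = []
    for directive in NO_FALLBACK:
        if directive not in policy:
            findings.append(f"{directive} missing (no fallback to default-src)")
    # object-src does fall back, so only flag it when default-src is permissive.
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src missing and default-src is not 'none'")
    for directive, sources in policy.items():
        for unsafe in UNSAFE_SOURCES:
            if unsafe in sources:
                findings.append(f"{directive} allows {unsafe}")
    return findings


def diff_policies(old: str, new: str) -> dict[str, tuple]:
    """Directives whose source list changed between two policies.

    Each value is (old_sources, new_sources); None means the directive was
    absent on that side.  Useful for checking an nginx override against the
    policy the application generated before removing something it relies on.
    """
    a, b = parse_csp(old), parse_csp(new)
    return {
        d: (a.get(d), b.get(d))
        for d in sorted(set(a) | set(b))
        if a.get(d) != b.get(d)
    }


if __name__ == "__main__":
    for label, policy in (("ownCloud", OWNCLOUD_POLICY), ("nginx", NGINX_POLICY)):
        print(label)
        for finding in audit_csp(policy):
            print("  -", finding)
    for directive, (before, after) in diff_policies(OWNCLOUD_POLICY, NGINX_POLICY).items():
        print(f"{directive}: {before} -> {after}")
```

Two things the output makes visible: base-uri, form-action and frame-ancestors are not covered by default-src 'none', so a scanner can flag them as missing even on a policy that looks locked down, while object-src already is covered and only needs to be explicit if the scanner insists on it. The diff also shows that the nginx override swapped 'self' for an explicit host in script-src; if ownCloud serves scripts from the same origin the page is loaded from, 'self' is the safer choice. Separately, when testing an nginx override, remember that an add_header inside a location block replaces all add_header lines inherited from the server block, which is a common reason such a change has side effects beyond the CSP.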