CSP was not changed even if ContentSecurityPolicy.php changed

starworld · February 8, 2024, 6:30am

Hello experts,

I need to add a new domain name to the CSP scripts allowed site, I found OC\lib\Public\AppFramework\Http\ContentSecurityPolicy.php handle this issue(maybe?), I changed the following lines to add my domain name, but even if I restart my OC server, no result.

class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
/** @var bool Whether inline JS snippets are allowed /
protected $inlineScriptAllowed = false;
/*
* @var bool Whether eval in JS scripts is allowed
* TODO: Disallow per default
* @link
/
protected $evalScriptAllowed = true;
/* @var array Domains from which scripts can get loaded /
protected $allowedScriptDomains = [
‘'self'’,
‘XYZ’,
];
/*

I am trying to setup OC with Onlyoffice on my QNAP NAS， OC use the domain ABC, Onlyoffice use domain XYZ.Either OC or Onlyoffice works perfect individually.

But after inegration, I got the following error message:ONLYOFFICE cannot be reached. Please contact admin, and via Chrom console “Refused to load the script ‘XYZ/web-apps/apps/api/documents/api.js’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.”

If I disabled CSP within Chrome browser, it works perfect. I learnt that from v8.1 csp was not stricted, and users cannot change. but how can I handle this issue

My environment was QNAP NAS with built in owncloud version 10.10.0 (stable)

LinkP · February 8, 2024, 8:22am

If you are able to edit your post, would you be so kind as to place three backticks (```) on the line preceding and the line following your code sample?

```
Your code sample here
```

Your code sample here

tom42 · February 10, 2024, 6:22pm

Hey,

i don’t think that you should modify any source code of ownCloud as i think this could cause an unexpected behavior

This looks to me like a long outdated version of ownCloud which has been released nearly two years ago ( 2022-05-16). Maybe if you update to the more recent ownCloud version 10.13.4 this change / modification is not required at all?

starworld · February 15, 2024, 10:46am

Hello LinkP， what I added is the dns name(in this thread ‘XYZ’) for my onlyoffice in ContentSecurityPolicy.php

‘XYZ’,

starworld · February 15, 2024, 10:47am

Hello tom42, the latest owncloud version for QNAP device is 10.10.0

alfredb · February 20, 2024, 10:58pm

Changing library code is IMHO clearly the wrong way, so I’m not really surprised that it doesn’t work.
Consider doing it in the page controller of your integration app.

system · May 20, 2024, 10:58pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.