CSP was not changed even if ContentSecurityPolicy.php changed

Hello experts,

I need to add a new domain name to the CSP scripts allowed site, I found OC\lib\Public\AppFramework\Http\ContentSecurityPolicy.php handle this issue(maybe?), I changed the following lines to add my domain name, but even if I restart my OC server, no result.

class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
/** @var bool Whether inline JS snippets are allowed /
protected $inlineScriptAllowed = false;
/
*
* @var bool Whether eval in JS scripts is allowed
* TODO: Disallow per default
* @link
/
protected $evalScriptAllowed = true;
/
* @var array Domains from which scripts can get loaded /
protected $allowedScriptDomains = [
‘'self'’,
‘XYZ’,
];
/
*

I am trying to setup OC with Onlyoffice on my QNAP NAS, OC use the domain ABC, Onlyoffice use domain XYZ.Either OC or Onlyoffice works perfect individually.

But after inegration, I got the following error message:ONLYOFFICE cannot be reached. Please contact admin, and via Chrom console “Refused to load the script ‘XYZ/web-apps/apps/api/documents/api.js’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.”

If I disabled CSP within Chrome browser, it works perfect. I learnt that from v8.1 csp was not stricted, and users cannot change. but how can I handle this issue

My environment was QNAP NAS with built in owncloud version 10.10.0 (stable)

If you are able to edit your post, would you be so kind as to place three backticks (```) on the line preceding and the line following your code sample?

```
Your code sample here
```

Your code sample here
1 Like

Hey,

i don’t think that you should modify any source code of ownCloud as i think this could cause an unexpected behavior :frowning:

This looks to me like a long outdated version of ownCloud which has been released nearly two years ago ( 2022-05-16). Maybe if you update to the more recent ownCloud version 10.13.4 this change / modification is not required at all?

Hello LinkP, what I added is the dns name(in this thread ‘XYZ’) for my onlyoffice in ContentSecurityPolicy.php

‘XYZ’,

Hello tom42, the latest owncloud version for QNAP device is 10.10.0

Changing library code is IMHO clearly the wrong way, so I’m not really surprised that it doesn’t work.
Consider doing it in the page controller of your integration app.

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.