How to correctly set CSP?

help

#1

I'm running oC 9.1 on a Debian server with Nginx, and am trying to modify various security settings, such as CSP, so https://observatory.mozilla.org is happy.

I set CSP headers using Nginx:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' https:" always;

But fetching login page headers shows:
Content-Security-Policy:default-src 'self' 'unsafe-inline' https: # what I set in Nginx
Content-Security-Policy:default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' # what is set elsewhere, where?

Obviously I don't want 2 lines, just the first one. But where does the second come from?
I've grep'd all oC installed code and nothing relevant showed up. Am I missing something?
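Added example (not code from this thread or from ownCloud): a small evaluator that shows what a browser does with two Content-Security-Policy headers. Per the CSP specification every delivered policy is enforced, so a load must be permitted by all of them; a second header can only tighten the effective policy, never loosen it. The two header values are the ones quoted above; the origin and resource URLs are constructed sample values, and nonce/hash sources are deliberately not modelled.

```python
"""Evaluate how a browser combines several Content-Security-Policy headers.

Every policy the browser receives is enforced independently, so a load is
allowed only if each policy allows it. Nonce and hash sources are omitted
for brevity; host matching is simplified to exact host / leading wildcard.
"""
from urllib.parse import urlparse

# Constructed sample: the two header values reported in the thread.
NGINX_CSP = "default-src 'self' 'unsafe-inline' https:"
OWNCLOUD_CSP = ("default-src 'none';script-src 'self' 'unsafe-eval';"
                "style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;"
                "font-src 'self';connect-src 'self';media-src 'self'")

# Constructed sample origin for the ownCloud instance (assumption).
ORIGIN = "https://cloud.example.org"


def parse_policy(header):
    """Parse a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated; if a directive is repeated within one
    policy the first occurrence wins, as the spec requires.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, origin, inline):
    """Check one source expression against a load (a URL or an inline snippet)."""
    if inline:
        return source == "'unsafe-inline'"
    if source == "'none'":
        return False
    parsed = urlparse(url)
    if source == "'self'":
        return f"{parsed.scheme}://{parsed.netloc}" == origin
    if source == "*":
        # '*' matches network schemes only; data:, blob: etc. must be listed.
        return parsed.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":") and "/" not in source:
        # scheme-source such as https: or data:
        return parsed.scheme == source[:-1]
    host = source.split("://")[-1].split("/")[0]
    if host.startswith("*."):
        return parsed.netloc.endswith(host[1:])
    return parsed.netloc == host


def policy_allows(policy, directive, url=None, origin=None, inline=False):
    """Decide a single policy's verdict for one fetch directive."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: this policy imposes nothing
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url, origin, inline) for s in sources)


def effective_allows(headers, directive, url=None, origin=None, inline=False):
    """A load is permitted only if every delivered policy permits it."""
    return all(policy_allows(parse_policy(h), directive, url, origin, inline)
               for h in headers)


if __name__ == "__main__":
    both = [NGINX_CSP, OWNCLOUD_CSP]
    checks = [
        ("inline <script>", dict(directive="script-src", inline=True)),
        ("own script", dict(directive="script-src",
                            url=f"{ORIGIN}/core/js/main.js", origin=ORIGIN)),
        ("third-party script", dict(directive="script-src",
                                    url="https://cdn.example.com/lib.js",
                                    origin=ORIGIN)),
        ("data: image", dict(directive="img-src",
                             url="data:image/png;base64,AAAA", origin=ORIGIN)),
    ]
    for label, kw in checks:
        print(f"{label:20} nginx-only={effective_allows([NGINX_CSP], **kw)!s:5} "
              f"both={effective_allows(both, **kw)}")
```

Running it shows the practical consequence: with both headers present, inline scripts and third-party scripts stay blocked (the ownCloud policy forbids them regardless of the Nginx header), and the Nginx header additionally blocks `data:` images that the ownCloud policy would have allowed, because the Nginx `default-src` lists no `data:` scheme. A reverse-proxy header layered over an application-set CSP therefore never relaxes the application's policy and can quietly break resources the application relies on.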


#2

Hi,

why are you messing around with the CSP? Just let ownCloud set the correct CSP (which oC is doing right) and you won't have this issue.


#3

Hi,

Because I like to inspect how things work :slight_smile:
I'm not saying oC did not set CSP correctly, it seems indeed correct. But I'm curious how it is set.


#4

Hi,

if you grep through the code of ownCloud you will find the location where this is set:


#5

Patching random places in code is problematic. See this gist for an example showing how apps can add custom Content Security Policies: https://gist.github.com/butonic/4e6d050b778866e3aa99af14d9474613

Also see the initial PR: https://github.com/owncloud/core/pull/21989#issue-129480520