From 041a0ee18d1d8bd8515e7f1a0b8f8e389b7794c9 Mon Sep 17 00:00:00 2001
From: Jimmy Monin
Date: Mon, 7 Aug 2017 22:00:27 +0200
Subject: [PATCH] Disable CSPv3 nonces and allow YunoHost fonts data

Problems:
- Due to some unknown problem in the interaction between SSOwat and Nextcloud server authentication, CSP nonces are wrong when you log into Nextcloud from YunoHost portal for the first time (systematically reproduced in a browser private session). The Nextcloud page is hence almost totally blank and you have to refresh the page or click on the Nextcloud logo.
- Due to CSP protection, the YunoHost tile (inline Javascript) is blocked
Solution:
While it's not a totally satisfying solution, a somewhat acceptable workaround to these two problems is to:
- block CSP v3 features (hence nonces), but still allowing CSP v2 features
- allow for "data:" font sources (needed to load YunoHost tile fonts)
This is done via patching Nextcloud sources:
- `ContentSecurityPolicyNonceManager`: disable the CSPv3 browser compatibility detection (return false in every case)
- `EmptyContentSecurityPolicy`: add the "data:" argument in `font-src` default CSP rule.
---
 ...able-CSPv3-nonce_and_allow-YNH-fonts.patch | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 patches/01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch

diff --git a/patches/01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch b/patches/01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch
new file mode 100644
index 0000000..eba7c0c
--- /dev/null
+++ b/patches/01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch
@@ -0,0 +1,33 @@
+ lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php | 4 ++++
+ lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+index 85ae127f5f..91618a09fc 100644
+--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
++++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+@@ -65,6 +65,10 @@ class ContentSecurityPolicyNonceManager {
+ * @return bool
+ */
+ public function browserSupportsCspV3() {
++ // YunoHost patch: disable CSPv3 nonces to:
++ // - avoid white page on first login from YunoHost portal
++ // - allow YunoHost tile display
++ return false;
+ $browserWhitelist = [
+ Request::USER_AGENT_CHROME,
+ // Firefox 45+
+diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+index 64d4eb6e5d..59d5885620 100644
+--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
++++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+@@ -377,7 +377,8 @@ class EmptyContentSecurityPolicy {
+
+ if(!empty($this->allowedFontDomains)) {
+ $policy .= 'font-src ' . implode(' ', $this->allowedFontDomains);
+- $policy .= ';';
++ // YunoHost patch: extend font-src to load data fonts embedded in YunoHost tile script
++ $policy .= ' data:;';
+ }
+
+ if(!empty($this->allowedConnectDomains)) {
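Review bot: The `return false;` inserted at the top of `browserSupportsCspV3()` leaves the whole `$browserWhitelist` block below it unreachable, so a reader of the patched file sees a browser whitelist that is never consulted; the YunoHost comment should also record the security trade-off rather than only the symptoms, e.g. `// Security note: forcing the CSP v2 fallback drops nonce-based script-src for every browser; revisit once the SSOwat/Nextcloud nonce mismatch is fixed`. In the `EmptyContentSecurityPolicy` hunk, `' data:;'` is appended only inside `if(!empty($this->allowedFontDomains))`, so when no font domain is configured no `font-src` directive is emitted at all and fonts fall back to whatever `default-src` allows — if the intent is to always admit `data:` fonts, the directive should be emitted unconditionally, or `data:` registered through the policy's existing `addAllowedFontDomain()` method (if the installed version exposes it) instead of editing the policy-building loop. Both edited methods start and end outside their inner hunks, so the effect on the rest of each method cannot be confirmed from here.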