2

This is a recent persistent issue I'm unable to solve. The same solution was working just fine a year ago and I' unable to rectify it as the solution has a number of components/blocks. Not sure where is the problem exaclty. Basically the browsers is producing the following error

Refused to send form data to 'https://login.XXXX.com.au/' 
because it violates the following Content Security Policy directive: 

https://cloud.XXXX.com.au/login/flow/grant?stateToken=XXX&clientIdentifier=XXX&oauthState=XXX

"form-action 'self' https://app.XXXX.com.au/".

I have a docker system made of nextcloud, voucher and some protected web App. The issue is experinced when attempting to Grant access to the browser(user) to access the protected App.

1- Acces protected App (app.xxxx.com.au)

2- Reverse proxy figures out un-authorized and forward to login (voucher) via nextground (OAuth2.0 provider)

3- Nextcloud prompts to login then to Grant. But its hangs there and keeps spinning... thats when I notice the error

The site looks somethig like this: enter image description here

So there is voucher for SSO/AOuth2.0 and nextcloud acting as OAuth2.0 authentication server. Like I said the entire system was working fine and only recently started experiencing this issue.

  • app.XXX : Protected App
  • login.XXX : Voucher
  • cloud.XXX : Nextcloud

All are sub-domains of the same domain.

I will post the nginx configs for the different servers but I'm hoping someone could help me by identifying the problematic block.

Network Error captured via Chrome:

Request URL: https://cloud.XXXX.com.au/login/flow
Request Method: POST
Status Code: 403 
Remote Address: xxx.xxx.xxx.xxx:443
Referrer Policy: no-referrer
cache-control: no-cache, no-store, must-revalidate
content-encoding: gzip
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TTFXU2lkVDNzWXBLeHFiYVVMU2FpaTJ1Ni9Qc3FBd3FmYnZiVWR2Qis4WT06VVMvUnk1V2gyZjBybGNtQUt2SDV4a2VlMjZmZTNWUmhNKzJMQXFtZ29aVT0=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self';frame-ancestors 'self';worker-src 'self' blob:;form-action 'self'
content-type: text/html; charset=UTF-8
date: Sat, 08 May 2021 05:10:28 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
feature-policy: autoplay 'self';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'
pragma: no-cache
referrer-policy: no-referrer
server: nginx/1.18.0
vary: Accept-Encoding
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-robots-tag: none
x-xss-protection: 1; mode=block
:authority: cloud.XXXX.com.au
:method: POST
:path: /login/flow
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,ar;q=0.8
cache-control: max-age=0
content-length: 314
content-type: application/x-www-form-urlencoded
cookie: oc_sessionPassphrase=7nyA960K5Qi05UrXfJYbR7PqDN3geuod0t4iU9PexX7zoTUC%2FWBUriUSzNvSc4nRF%2FIioMauYPhKcbWKe0lVoszQOu40E6T0gScCAewwjpKfY27VGNgPe%2Bw1Pi%2B1Ywb; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocyemq0ytbyv=2f27c5dc0a0aa041c31a626f7cd7966; ocpbh7t5ok9f=862ea031f3cad982ab176d58339f31e; ocmgpyyzx1bo=53201edd9ea33fcacc23103beb239f1; oc9u3zbg71na=4d6196dec8d018ce3cd340c42690003d; occ1jd68d7w4=6148c32daf9a66436e04fd85f1c13db0; ocjskrd6qpes=b846ae4a2342369a3b70edb4732e4810; ocjex7dsuhmn=f91560cac805f8151e86dd6b0112038; ocxuav81gicz=1974b7d3c5e13b21b995548dfecedf4; oc3vwbfqyogc=5277ea00dc070baa4de1dc24f17777d6; nc_username=yahya; ocvazuerhy2n=7544fb3699510e35b6506c9297a9194b; ocwhuhvrqpl4=5c1325ee29c8f9cc0777b76d5474f4a8; oc0n8vxf7sof=9a7670a3dad92972fa206690fb70930c; ocrps8rnsaow=8029688e78239ded5d87aba21228e1ed; nc_token=oSp85oZHHbLBlnYVDwJ4J%2F66RaZVF%2BN; nc_session_id=8029688e78239ded5d87aa21228e1ed
origin: null
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
clientIdentifier: So5JaKdYR8C4XclAfV4S2sMCefxDMhILnRHHAIeS4OxYZ43i6V4JMn2yG98CbhMB
requesttoken: BvHgl+jWzcGh5aGfUVE7KzkY9Ao+UccTGJujeZPOhCk=:ZIuj1amApbbAts7FKxRYZ1MoxF4MJJ9YVs3zKuGv3no=
stateToken: z8c9imJFbiQ13LjKtfKtF24dmor43bY247lMymgKGNHnVxFH9maEpfujINLvC8yK
oauthState: rk8bHsF7VaQeYG8n143RWt4oXXFG7BF2
Yaya
  • 21
  • 1
  • 6
  • You send form data to `https://login.XXXX.com.au/` which is not allowed in the `form-action` directive. Use `form-action 'self' https://*.XXXX.com.au/` (if all subdomains are trusted) or `form-action 'self' https://app.XXXX.com.au/ https://login.XXXX.com.au` – granty May 07 '21 at 13:20
  • Thanks granty for taking the time. Where would I add the `add_header Content-Security-Policy "form-action 'self' https://*.XXXX.com.au";` under which server/location scope in nginx? – Yaya May 07 '21 at 16:15
  • Since browsers is producing the error `Refused to send form data to ... form-action 'self' https://app.XXXX.com.au/`, you already publishes CSP somewhere. You need to add the `https://login.XXXX.com.au` source into this CSP, do not create another one. Multiple CSPs will work not as you expect. – granty May 07 '21 at 16:28
  • Btw, Im using 'linuxserver/swag' for the reverse-proxy. I checked all configurations `grep -rIH 'Content-Security-Policy' --include \*.* reverse-proxy/config/nginx/ssl.conf:#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'"; reverse-proxy/nginx-ssl.conf: #add_header Content-Security-Policy "form-action 'self' https://*.XXXX.com.au"; reverse-proxy/nginx-ssl.conf: #add_header Content-Security-Policy "form-action 'self' https://*.XXXX.com.au";` all CSP are commented out. – Yaya May 07 '21 at 16:46
  • This just means your web app publush CSP in other way. CSP in Nginx config is published only in elementary cases. Have a look at Nextcloud's [class](https://github.com/nextcloud/server/blob/c259c95f646c0282d46c87fdec9e860f8373d23f/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#L29) for CSP managing, how do you implement such logic with Nginx config? Only developers know where in your architecture headers are published. You may have installed specialized plugins or middleware to manage the CSP. – granty May 08 '21 at 03:57
  • See above, I included chrome network error message together with request headers and so on. I think you are right. this is definitley not from nginx must be coming from nextcloud as you pointed out. This behaviour was not present in older releases of nextcloud. There must be a way I can pass the trusted action-form domains to nextcloud enviornment through the docker compose script or elsewhere. Header is clearly `;form-action 'self'`. my setup is nextcloud<->nginx1<->nginx2. – Yaya May 08 '21 at 05:41
  • nginx1 config is something like this https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf – Yaya May 08 '21 at 05:41
  • I haven't expirience with Nextcloud manage, but there is a [csp_editor](https://framagit.org/framasoft/nextcloud/csp_editor) to edit Nextcloud's default CSP policy (I failed to find it at the github.com), maybe it can help. Alternatively, you can search PHP files for the `content-security-policy` and 'feature-policy' strings. You should have a possibility to manage both of these headers. – granty May 08 '21 at 06:02
  • Hey Grant, this guy is confirming what you are saying https://help.nextcloud.com/t/solved-referrer-policy-and-content-security-policy-broken-on-nginx-only-setup/49212/6 so definitely nextcloud issue. – Yaya May 08 '21 at 08:31
  • @granty 's advice together with this post https://help.nextcloud.com/t/header-modification-add-google-search-more-than-8-apps-smaller-text/94985/8 helped me solve the CSP problem but now I'm stuck with infinite login prompts. – Yaya May 08 '21 at 09:42

1 Answers1

0

@granty's advice together with this post https://help.nextcloud.com/t/header-modification-add-google-search-more-than-8-apps-smaller-text/94985/8 helped me solve the CSP problem. Basically I didnt need to add any CSP in my reverse proxy or any of the nginx servers. All I have to do is to edit the stock ContentSecurityPolicy.php and add the login.xxxx.com.au domain to permit it to submit form-action.

This is the code I had to update: File located at: /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php

/** @var array Domains which can be used as target for forms */
        protected $allowedFormActionDomains = [
                '\'self\'','login.XXXX.com.au',
        ];

See this post: https://help.nextcloud.com/t/header-modification-add-google-search-more-than-8-apps-smaller-text/94985/7

Yaya
  • 21
  • 1
  • 6