A few years ago I posted about a similar issue to this. I am trying to move to the latest version and it has cropped up again, although slightly different.

I am again stuck just after Build Interface becomes checked in the loading screen (all modules).

In my Firefox console I see:

Content-Security-Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).

and also:

Content-Security-Policy: The page’s settings blocked the loading of a resource at https://cke4.ckeditor.com/ckeditor4-secure-version/versions.json?v=4.22.1%20(Standard) (“connect-src”). 2 ckeditor.js:343:295

In Chrome I see:

Failed to fetch a worker script.
...
ckeditor.js?ver=2024…1-1719295886266:343 Refused to connect to 'https://cke4.ckeditor.com/ckeditor4-secure-version/versions.json?v=4.22.1%20(Standard)' because it violates the following Content Security Policy directive: "connect-src 'self' blob: https://office.example.com https://dev.example.com wss://office.example.com".

ckeditor.js?ver=2024…1-1719295886266:343 Refused to connect to 'https://cke4.ckeditor.com/ckeditor4-secure-version/versions.json?v=4.22.1%20(Standard)' because it violates the following Content Security Policy directive: "connect-src 'self' https://office.example.com blob: wss://office.example.com https://dev.example.com".

My nginx.conf is like this (I started out with the default simple configuration, then the advanced configuration, this is a hybrid of the two using things I thought might help):

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    set $main_domain "office.example.com";
    set $sandbox_domain "dev.example.com";
    set $api_domain "office.example.com";
    set $files_domain "office.example.com";

    set $allowed_origins "*";
    include mime.types;
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    server_name office.example.com dev.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Speeds things up a little bit when resuming a session
    ssl_session_cache shared:MozSSL:10m;

    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;


    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # replace with the IP address of your resolver
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;

    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Access-Control-Allow-Origin "${allowed_origins}";
    add_header Access-Control-Allow-Credentials true;
    # add_header X-Frame-Options "SAMEORIGIN";

    add_header Permissions-Policy interest-cohort=();

    add_header Cross-Origin-Resource-Policy cross-origin;
    add_header Cross-Origin-Embedder-Policy require-corp;

    # Insert the path to your CryptPad repository root here
    root /home/cryptpad/cryptpad;
    index index.html;
    error_page 404 /customize.dist/404.html;

    # any static assets loaded with "ver=" in their URL will be cached for a year
    if ($args ~ ver=) {
        set $cacheControl max-age=31536000;
    }
    if ($uri ~ ^(\/|.*\/|.*\.html)$) {
        set $cacheControl no-cache;
    }

    add_header Cache-Control $cacheControl;

    set $styleSrc   "'unsafe-inline' 'self' https://${main_domain}";

    set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";

    set $fontSrc    "'self' data: https://${main_domain}";

    set $imgSrc     "'self' data: blob: https://${main_domain}";

    set $frameSrc   "'self' https://${sandbox_domain} blob:";

    set $mediaSrc   "blob:";

    set $childSrc   "https://${main_domain}";

    set $workerSrc  "'self'";

    set $scriptSrc  "'self' resource: https://${main_domain}";

    set $frameAncestors "'self' https://${main_domain}";

    set $unsafe 0;
    if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
    if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }

    if ($host != $sandbox_domain) { set $unsafe 0; }
    if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }

    if ($unsafe) {
        set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
    }

    add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";

    # Add support for .mjs files used by pdfjs
    types {
        application/javascript mjs;
    }


    location / {
        proxy_pass            http://localhost:3000;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size  150m;

        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }

    location ^~ /cryptpad_websocket {
        proxy_pass            http://localhost:3003;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }
}
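As an added illustration (not part of the original post or of CryptPad's own code), a small Python script that evaluates the Content-Security-Policy header built by the configuration above against the two console errors, so you can see which source list rejects the ckeditor URL and eval before deciding how to change the policy. The sample header is constructed from the config with its variables expanded for a page on the sandbox domain; the matcher handles only the source forms that occur here ('self', scheme sources, host origins), not the full CSP grammar.

```python
from urllib.parse import urlsplit

# Constructed sample: the relevant part of the header nginx emits above, variables
# expanded, for a sandbox-domain page whose path did not set $unsafe.
CSP = ("default-src 'none'; worker-src 'self'; "
       "script-src 'self' resource: https://office.example.com; "
       "connect-src 'self' https://office.example.com blob: wss://office.example.com "
       "https://dev.example.com; frame-src 'self' https://dev.example.com blob:")

def parse_csp(header):
    """Split 'name src ...; name src ...' into {name: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, url, page_origin):
    """Does one source expression ('self', scheme:, host origin) allow this URL?"""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):           # other keywords never match a URL
        return False
    if source.endswith(":"):             # scheme source: blob:, data:, resource:
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:  # wss://host does not cover https://host
        return False
    host, want = u.hostname or "", s.hostname or ""
    host_ok = host == want or (want.startswith("*.") and host.endswith(want[1:]))
    return host_ok and (s.port is None or s.port == u.port)

def check(policy, directive, target, page_origin):
    """Return (allowed, directive used); a missing directive falls back to default-src."""
    name = directive if directive in policy else "default-src"
    sources = policy.get(name, [])
    if target == "eval":                 # eval() is governed by the 'unsafe-eval' keyword
        return "'unsafe-eval'" in sources, name
    return any(source_matches(s, target, page_origin) for s in sources), name

if __name__ == "__main__":
    policy, page = parse_csp(CSP), "https://dev.example.com"
    checks = [("connect-src", "https://cke4.ckeditor.com/ckeditor4-secure-version/versions.json"),
              ("script-src", "eval"), ("connect-src", "wss://office.example.com/cryptpad_websocket")]
    for directive, target in checks:
        allowed, name = check(policy, directive, target, page)
        print(f"{name:12} {'allows' if allowed else 'BLOCKS'} {target}")
```

The first two checks reproduce the Firefox and Chrome errors; the third shows the websocket origin passing, which is why only the external version check and eval are reported.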

    jbhanks this is a hybrid of the two using things I thought might help)

    Hello,

    This won't help. If you're struggling with configuration issues, you'll be better off keeping things as simple as possible. Please use the default example.nginx.conf, which is well tested, simple and works without complications.

    Then you'll be able to dig into your instance configuration issues if there are some.

      Mathilde

      Thanks. I actually had (mostly) started with that, except that I defined the SSL parameters elsewhere and differently:

       ssl_protocols TLSv1.2 TLSv1.3;
       ssl_session_timeout 1d;
       ssl_prefer_server_ciphers on;
       ssl_ciphers "EECDH+AESGCM:EDH+AESGCM;";
       ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
       ssl_session_cache shared:SSL:10m;
       ssl_session_tickets off; # Requires nginx >= 1.5.9
       ssl_stapling on; # Requires nginx >= 1.3.7
       ssl_stapling_verify on; # Requires nginx >= 1.3.7
       resolver 8.8.8.8 8.8.4.4 valid=300s;
       resolver_timeout 5s;
       add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
       add_header X-Frame-Options DENY;
       add_header X-Content-Type-Options nosniff;
       # Add our strong Diffie-Hellman group
       ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
       ssl_dhparam /etc/letsencrypt/dhparams.pem;

      The issue was resolved by turning off ssl_prefer_server_ciphers, like in the example. I have it turned on with my working instance of an older version, so I didn't expect it to be a problem.

      ssl_prefer_server_ciphers off;

      Curious, maybe some Nginx version changes handling things differently?

      Anyway, glad to read that you got it working!