Bookmarks page blank due to CSP

[codywarmbo]

Steps to reproduce

1. Install Bookmarks app
2. Try to load Bookmarks
3. Blank page

Expected behaviour

Bookmarks should load and be displayed

Actual behaviour

Page stays blank and Firefox console shows errors relating to Content-Security-Policy.

Error: call to Function() blocked by CSP
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).

Both are tied to main.bundle.js.

Server configuration

Operating system: Ubuntu 16.04

Web server: Apache

Database:

PHP version:

Nextcloud version: 15.0 rc2

Bookmarks version: 0.14.2

Updated from an older Nextcloud or fresh install: Fresh install

Signing status:

[marcelklehr]

Ah, here we go. nextcloud/server#11045

[codywarmbo]

Thanks for the response. Is there any suggestions for what I can do to alleviate this issue in Nextcloud? For now I am using a separate browser with CSP disabled entirely but that's not very safe.

[marcelklehr]

You could try to hack your way around the nextcloud CSP rules somehow (i.e. prevent the server from sending those headers), or you could roll back to nextcloud v14.

In any case you'll have to wait until there's a fix for the bookmarks app, for compatibility with nextcloud v15.

Note to self:

This appears to be a relatively simple fix: https://security.stackexchange.com/questions/88610/problem-in-underscore-js-with-new-function-when-csp-header-is-set

Precompilation would also be an option: https://lodash.com/custom-builds

[codywarmbo]

Alright, seems outside my scope of knowledge and nothing important is affected so I'll bide my time happily. :) Thanks again!