Content Security Policy of your site blocks the use of 'eval' in JavaScript

Open solracsf opened this issue 4 years ago • 3 comments

Error reported by Brave browser.

| Source code | Directive | Status |
| --- | --- | --- |
| /apps/text/js/files.js:6 | script-src | blocked |

Feb 08 '21 17:02 solracsf

I've seen this same error with Nextcloud 22 RC2 and Android 8 + FF Mobile 89

Sentry CSP report

{
  "csp-report": {
    "effective_directive": "script-src",
    "blocked_uri": "eval",
    "document_uri": "https://cloud.domain.tld/apps/files/?dir=/Somethiing&openfile=449597",
    "original_policy": "default-src 'none'; base-uri 'none'; manifest-src 'self'; script-src 'nonce-XXXXXXXXXXXXXX'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' https://sentry.io https://stun.nextcloud:443 wss://s4.nextcloud.com; media-src 'self'; frame-src 'self'; frame-ancestors 'self'; worker-src 'self' blob:; form-action 'self'; report-uri https://sentry.io/api/2343/security/?sentry_key=YYYYYYYYYYY",
    "referrer": "",
    "violated_directive": "script-src",
    "source_file": "https://cloud.domain.tld/apps/text/js/files.js?v=3051731f-24",
    "line_number": 1,
    "column_number": 14856
  }
}

Jul 02 '21 08:07 ChristophWurst
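
An added example, not part of the original thread or of Nextcloud's code: a small JavaScript triage of a report like the Sentry one above. It checks whether `eval` was blocked, whether the reported policy permits it, and which bundle position to inspect. The sample report is constructed from the fields shown above with the policy shortened, and the function names are hypothetical.

```javascript
// Constructed sample: fields taken from the report above, policy shortened.
const sampleReport = {
  "csp-report": {
    "effective_directive": "script-src",
    "blocked_uri": "eval",
    "original_policy": "default-src 'none'; script-src 'nonce-XXXXXXXXXXXXXX'; style-src 'self' 'unsafe-inline'",
    "violated_directive": "script-src",
    "source_file": "https://cloud.domain.tld/apps/text/js/files.js?v=3051731f-24",
    "line_number": 1,
    "column_number": 14856
  }
};

// Parse a policy string into { directive: [source, ...] } (hypothetical helper).
function parsePolicy(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // When a directive is repeated, only its first occurrence is used.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Summarise one report: was eval blocked, does the policy permit it, and
// which bundle position triggered it (hypothetical helper).
function triageReport(report) {
  const r = report["csp-report"];
  const policy = parsePolicy(r["original_policy"] || "");
  // script-src falls back to default-src when it is absent.
  const scriptSrc = policy["script-src"] || policy["default-src"] || [];
  const directive = r["effective_directive"] || r["violated_directive"] || "";
  return {
    isEvalViolation: r["blocked_uri"] === "eval" && directive.startsWith("script-src"),
    policyAllowsEval: scriptSrc.some((s) => s.toLowerCase() === "'unsafe-eval'"),
    // Position to look up in the minified bundle or its source map.
    location: r["source_file"]
      ? `${new URL(r["source_file"]).pathname}:${r["line_number"]}:${r["column_number"]}`
      : null
  };
}

console.log(triageReport(sampleReport));
```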

Will check, the column_number looks at least similar to what is mentioned here:

https://github.com/webpack/webpack/issues/5627
https://github.com/webpack/webpack/blob/fb8afe71385734cfd65f47949117306a91f20753/buildin/global.js#L10

Jul 02 '21 08:07 juliusknorr

I got the same error in Brave browser with NC 22.2.6

Apr 05 '22 15:04 Jolopu

We cannot reproduce this error anymore; it looks solved in newer versions.

Oct 18 '22 19:10 vinicius73