Score:0

JSXC refused to connect because Cross domain request is not possible as it does not appear in the connect-src directive of the CSP

eg flag

I am trying to use Nextcloud's JSXC app (running under nextcloud.example.com) with Prosody (running under xmpp.example.com). However, the BOSH server (https://xmpp.example.com:5281/http-bind) keeps returning this error whenever I insert it into my nextcloud configuration:

Cross domain request was not possible. Either your BOSH server does not send any Access-Control-Allow-Origin header or the content-security-policy (CSP) blocks your request. The safest way is still to use Apache ProxyRequest or Nginx proxy_pass.

Within my browser's (Safari) console, I'm getting this message:

refused to connect to https://xmpp.example.com:5281/http-bind%20[P,L] because it does not appear in the connect-src directive of the Content Security Policy.

Both Prosody and Nextcloud have been running on the same server using apache 2.2 . I've been working within the prosody xmpp chatroom to try and fix this and so far, they have been saying my Apache config files are off, here is my nextcloud:


<VirtualHost *:443>
    ### YOUR SERVER ADDRESS ###


    ServerAdmin [email protected]
    ServerName nextcloud.example.com

    ### SETTINGS ###
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php8.1-fpm.nextcloud.sock|fcgi://localhost"
    </FilesMatch>

    # Intermediate configuration
    Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"
    SSLEngine               on
    SSLCompression          off
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    ServerSignature         off

    # Logs
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel alert rewrite:trace6

    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
        Options Indexes FollowSymLinks
        AllowOverride None
        ### include all .htaccess
        Include /var/www/nextcloud/.htaccess
        Include /var/www/nextcloud/config/.htaccess
        Include /mnt/ncdata/.htaccess
        ###
        Require all granted
        Satisfy Any
    </Directory>

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

    # The following lines prevent .htaccess and .htpasswd files from being
    # viewed by Web clients.
    <Files ".ht*">
        Require all denied
    </Files>

    # Disable HTTP TRACE method.
    TraceEnable off
    # Disable HTTP TRACK method.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [R=405,L]
 RewriteRule ^/http-bind$ https://xmpp.example.com:5281/http-bind [P,L]

    # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
    <IfModule mod_reqtimeout.c>
        RequestReadTimeout body=0
    </IfModule>

    ### LOCATION OF CERT FILES ###

    SSLCertificateChainFile /etc/letsencrypt/live/nextcloud.example.com/chain.pem
    SSLCertificateFile /etc/letsencrypt/live/nextcloud.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.example.com/privkey.pem
    SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/nextcloud.example.com/dhparam.pem


</VirtualHost>

### EXTRAS ###
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SetEnv proxy-sendcl 1

My prosody:

<VirtualHost *:80>        
        ServerName xmpp.example.com

        DocumentRoot /var/www/prosody
        
RewriteEngine on
RewriteRule /http-bind$ https://xmpp.example.com:5281/http-bind [P,L]

</VirtualHost>

And the Prosody config that lets encrypt made:


<VirtualHost *:443>
    ### YOUR SERVER ADDRESS ###


    ServerAdmin [email protected]
    ServerName nextcloud.example.com

    ### SETTINGS ###
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php8.1-fpm.nextcloud.sock|fcgi://localhost"
    </FilesMatch>

    # Intermediate configuration
    Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"
    SSLEngine               on
    SSLCompression          off
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    ServerSignature         off

    # Logs
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel alert rewrite:trace6

    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
        Options Indexes FollowSymLinks
        AllowOverride None
        ### include all .htaccess
        Include /var/www/nextcloud/.htaccess
        Include /var/www/nextcloud/config/.htaccess
        Include /mnt/ncdata/.htaccess
        ###
        Require all granted
        Satisfy Any
    </Directory>

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

    # The following lines prevent .htaccess and .htpasswd files from being
    # viewed by Web clients.
    <Files ".ht*">
        Require all denied
    </Files>

    # Disable HTTP TRACE method.
    TraceEnable off
    # Disable HTTP TRACK method.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [R=405,L]
 RewriteRule ^/http-bind$ https://xmpp.example.com:5281/http-bind [P,L]

    # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
    <IfModule mod_reqtimeout.c>
        RequestReadTimeout body=0
    </IfModule>

    ### LOCATION OF CERT FILES ###

    SSLCertificateChainFile /etc/letsencrypt/live/nextcloud.example.com/chain.pem
    SSLCertificateFile /etc/letsencrypt/live/nextcloud.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.example.com/privkey.pem
    SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/nextcloud.example.com/dhparam.pem


</VirtualHost>

### EXTRAS ###
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SetEnv proxy-sendcl 1
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.