Refused to send form data to 'domain' because it violates the following Content Security Policy directive

This is a problem I haven't been able to solve recently. The same setup worked fine a year ago, and I can't correct it because the setup has many components/blocks. Not sure where the problem is. Basically the browser produces the following error:

Refused to send form data to 'https://login.XXXX.com.au/' 
because it violates the following Content Security Policy directive: 

https://cloud.XXXX.com.au/login/flow/grant?stateToken=XXX&clientIdentifier=XXX&oauthState=XXX

"form-action 'self' https://app.XXXX.com.au/".

I have a docker system consisting of nextcloud, vouch and some protected web apps. I run into this problem when trying to grant the browser (user) access to a protected app.

1- Access the protected app (app.xxxx.com.au)

2- The reverse proxy works out that it is unauthorized and forwards to login (vouch) via nextcloud (OAuth2.0 provider)

3- Nextcloud prompts for login and then grants. But it hangs there and keeps spinning... that's when I noticed the error

The site looks like this: [screenshot]

So there is vouch for SSO/OAuth2.0 and nextcloud as the OAuth2.0 authentication server. As I said, the whole system worked fine and only recently started having this problem.

They are all subdomains of the same domain.

I would post the nginx configs of the different servers, but I hope someone can help me by identifying the offending block.

Network error captured via Chrome:

Request URL: https://cloud.XXXX.com.au/login/flow
Request Method: POST
Status Code: 403 
Remote Address: xxx.xxx.xxx.xxx:443
Referrer Policy: no-referrer
cache-control: no-cache, no-store, must-revalidate
content-encoding: gzip
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TTFXU2lkVDNzWXBLeHFiYVVMU2FpaTJ1Ni9Qc3FBd3FmYnZiVWR2Qis4WT06VVMvUnk1V2gyZjBybGNtQUt2SDV4a2VlMjZmZTNWUmhNKzJMQXFtZ29aVT0=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self';frame-ancestors 'self';worker-src 'self' blob:;form-action 'self'
content-type: text/html; charset=UTF-8
date: Sat, 08 May 2021 05:10:28 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
feature-policy: autoplay 'self';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'
pragma: no-cache
referrer-policy: no-referrer
server: nginx/1.18.0
vary: Accept-Encoding
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-robots-tag: none
x-xss-protection: 1; mode=block
:authority: cloud.XXXX.com.au
:method: POST
:path: /login/flow
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,ar;q=0.8
cache-control: max-age=0
content-length: 314
content-type: application/x-www-form-urlencoded
cookie: oc_sessionPassphrase=7nyA960K5Qi05UrXfJYbR7PqDN3geuod0t4iU9PexX7zoTUC%2FWBUriUSzNvSc4nRF%2FIioMauYPhKcbWKe0lVoszQOu40E6T0gScCAewwjpKfY27VGNgPe%2Bw1Pi%2B1Ywb; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocyemq0ytbyv=2f27c5dc0a0aa041c31a626f7cd7966; ocpbh7t5ok9f=862ea031f3cad982ab176d58339f31e; ocmgpyyzx1bo=53201edd9ea33fcacc23103beb239f1; oc9u3zbg71na=4d6196dec8d018ce3cd340c42690003d; occ1jd68d7w4=6148c32daf9a66436e04fd85f1c13db0; ocjskrd6qpes=b846ae4a2342369a3b70edb4732e4810; ocjex7dsuhmn=f91560cac805f8151e86dd6b0112038; ocxuav81gicz=1974b7d3c5e13b21b995548dfecedf4; oc3vwbfqyogc=5277ea00dc070baa4de1dc24f17777d6; nc_username=yahya; ocvazuerhy2n=7544fb3699510e35b6506c9297a9194b; ocwhuhvrqpl4=5c1325ee29c8f9cc0777b76d5474f4a8; oc0n8vxf7sof=9a7670a3dad92972fa206690fb70930c; ocrps8rnsaow=8029688e78239ded5d87aba21228e1ed; nc_token=oSp85oZHHbLBlnYVDwJ4J%2F66RaZVF%2BN; nc_session_id=8029688e78239ded5d87aa21228e1ed
origin: null
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
clientIdentifier: So5JaKdYR8C4XclAfV4S2sMCefxDMhILnRHHAIeS4OxYZ43i6V4JMn2yG98CbhMB
requesttoken: BvHgl+jWzcGh5aGfUVE7KzkY9Ao+UccTGJujeZPOhCk=:ZIuj1amApbbAts7FKxRYZ1MoxF4MJJ9YVs3zKuGv3no=
stateToken: z8c9imJFbiQ13LjKtfKtF24dmor43bY247lMymgKGNHnVxFH9maEpfujINLvC8yK
oauthState: rk8bHsF7VaQeYG8n143RWt4oXXFG7BF2

@granty's suggestion along with this post https://help.nextcloud.com/t/header-modification-add-google-search-more-than-8-apps-smaller-text/94985/8 helped me fix the CSP issue. Basically I didn't need to add any CSP in my reverse proxy or any nginx server. All I had to do was edit the stock ContentSecurityPolicy.php and add the login.xxxx.com.au domain to allow it to submit form actions.

Here is the code I had to update; the file is located at: /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php

/** @var array Domains which can be used as target for forms */
protected $allowedFormActionDomains = [
    '\'self\'', 'login.XXXX.com.au',
];

See this post: https://help.nextcloud.com/t/header-modification-add-google-search-more-than-8-apps-smaller-text/94985/7
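Added example (Python, not code from the question, the answer or Nextcloud): a small evaluator of the CSP form-action directive that reproduces the refusal in the question and shows why adding the login host to the source list is what fixes it. The sample header is an abridged copy of the response CSP from the question with a placeholder nonce, and the helper functions implement a simplified form of CSP3 source matching (no http-to-https upgrade handling and no non-default port rules). Two points it makes explicit: form-action does not fall back to default-src, and a host source written without a scheme (login.XXXX.com.au) takes the document's own scheme.

```python
"""Evaluate a CSP form-action directive the way a browser does when a form is
submitted (simplified CSP3 source matching; example written for this page).
"""
from urllib.parse import urlsplit

# --- Constructed sample data: the XXXX placeholders mirror the question ---
# Abridged version of the response header in the question; the nonce is a placeholder.
NEXTCLOUD_CSP = (
    "default-src 'none';base-uri 'none';manifest-src 'self';"
    "script-src 'nonce-PLACEHOLDER';style-src 'self' 'unsafe-inline';"
    "img-src 'self' data: blob:;connect-src 'self';frame-ancestors 'self';"
    "form-action 'self'"
)
# The same policy after login.XXXX.com.au is added to allowedFormActionDomains.
FIXED_CSP = NEXTCLOUD_CSP.replace("form-action 'self'",
                                  "form-action 'self' login.XXXX.com.au")
DOCUMENT_URL = "https://cloud.XXXX.com.au/login/flow/grant?stateToken=XXX"
LOGIN_TARGET = "https://login.XXXX.com.au/"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source, ...]}.
    A directive repeated inside one header is ignored after its first occurrence."""
    policy = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """Host-source matching, including the '*.example.com' wildcard form."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(source: str, target, origin) -> bool:
    """Does one source expression permit `target` for a document at `origin`?"""
    src = source.lower()
    if src == "'self'":
        return (target.scheme, target.hostname, target.port) == (
            origin.scheme, origin.hostname, origin.port)
    if src.startswith("'"):          # 'none' or a keyword meaningless for form-action
        return False
    if src.endswith(":") and "/" not in src:   # scheme-source such as https:
        return target.scheme == src[:-1]
    parsed = urlsplit(src if "://" in src else "//" + src)
    if not _host_matches(parsed.hostname or "", target.hostname or ""):
        return False
    # Without an explicit scheme the document's own scheme is implied.
    if (parsed.scheme or origin.scheme) != target.scheme:
        return False
    if parsed.port != target.port:   # None on both sides means the default port
        return False
    path = parsed.path
    if path and path != "/":
        return target.path.startswith(path) if path.endswith("/") else target.path == path
    return True


def form_action_allowed(csp_header: str, document_url: str, form_target: str) -> bool:
    """True if a form on `document_url` may be submitted to `form_target`.
    form-action has no fallback to default-src: a policy without it allows any target."""
    sources = parse_csp(csp_header).get("form-action")
    if sources is None:
        return True
    origin, target = urlsplit(document_url), urlsplit(form_target)
    return any(_source_matches(s, target, origin) for s in sources)


def report(csp_header: str, document_url: str, form_target: str) -> str:
    """One-line verdict worded like Chrome's console message."""
    if form_action_allowed(csp_header, document_url, form_target):
        return f"Allowed: form data to '{form_target}'"
    directive = " ".join(["form-action"] + parse_csp(csp_header)["form-action"])
    return (f"Refused to send form data to '{form_target}' because it violates "
            f"the following Content Security Policy directive: \"{directive}\"")


if __name__ == "__main__":
    print(report(NEXTCLOUD_CSP, DOCUMENT_URL, LOGIN_TARGET))   # refused
    print(report(FIXED_CSP, DOCUMENT_URL, LOGIN_TARGET))       # allowed
```

Run directly, it prints the refusal for the stock policy and the allowed verdict for the patched one. Because the policy is generated by the application, adding a Content-Security-Policy header in nginx cannot loosen it: when a response carries several policies the browser enforces all of them, so a second header can only tighten the result, which is consistent with the reverse proxy not being the place to fix this. Editing the stock PHP file works but is overwritten on upgrade, so the change should be recorded somewhere it can be reapplied.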