Hi Guilhem,

On 23/03/2019 00:44, Guilhem Moulin wrote:
> On Fri, 22 Mar 2019 at 22:32:02 +0100, William Gathoye wrote:
>> It appears the location of these fonts hasn't been whitelisted properly,
>> leading the Nextcloud client webview (qt5-webengine) to not load them,
>> to avoid a potential XSS vulnerability.
> The CSP violation looks somewhat odd to me:
>
>
> I don't understand why your client tries to apply that policy when loading
> resources from https://auth.documentfoundation.org . There is a 303
> redirection in the middle, and the CSP doesn't apply to the Location
> target.
Weird is indeed what I thought. I had hoped you had the solution though :-/

My client is the latest version published by Nextcloud on GitHub (not the
one on their website; they are always lagging behind there).

> That's rdm#2658 right? If so, please avoid cross-posting.

Yes it is. But I think it is better to discuss things here, as the issue is
less a bug to me than an open discussion which could lead to a bug report
or not. "Always privilege mailing lists when you can", this is what has
been said to me :)

>> Could you please disable "Use SAML auth for the Nextcloud desktop
>> clients (requires user re-authentication)" in the Nextcloud server admin
>> settings? SAML SSO remains active without this parameter.
> From https://github.com/nextcloud/user_saml/blob/master/appinfo/app.php#L124
> it's not exactly clear to me what that would entail.
>
> * Does that require authentication via application-specific passwords?

According to the answers we can read on the Nextcloud bug report and forums
(the links I gave you), it appears changing the setting hasn't required
changes in the way users were connecting. But again, their use case is not
the one from TDF, which is why I was thinking of having some sort of sandbox.

Do you think it would be possible to clone the current Nextcloud + SAML
config somewhere and try to debug from there? I don't know if this is
possible. I assume TDF has enough resources and that 2 additional VMs
(SAML + Nextcloud) won't cause any burden to the infra. If that's the case
I could offer infra/computation/storage power.

> * Does it mean that the Nextcloud server hijacks the SAML challenge
> and performs authentication on behalf of the user?

I don't think there is some kind of hijacking here. I have the same opinion
as you here. But this needs to be confirmed. Do you want me to post on the
Nextcloud bug issue on GitHub and ask if some Nextcloud dev veteran can
confirm this assumption?
Regards,

-- 
William Gathoye <[email protected]>

-- 
To unsubscribe e-mail to: [email protected]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/website/
Privacy Policy: https://www.documentfoundation.org/privacy
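Added illustration for the CSP point raised in the thread above (a font blocked because its host is not whitelisted, and what a redirect does to the check); this is example code written for this page, not Nextcloud, user_saml or TDF code. It implements a simplified subset of CSP source matching: directive fallback to default-src, 'self', scheme-sources, host-sources with wildcard hosts, ports and paths, and the CSP3 rule that the path part of a source is ignored once a fetch has been redirected. Nonces, hashes, data:/blob: schemes and ws: are left out. The policy string and every host under example.org are constructed for the demonstration and are not the headers or hostnames the TDF servers actually use.

```python
"""Check whether a Content-Security-Policy header permits a resource load.

Added example for the CSP discussion in the thread; not project code.
EXAMPLE_CSP and the example.org hosts are constructed, not real TDF values.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}

# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = {"font-src", "img-src", "script-src", "style-src",
                    "connect-src", "media-src", "object-src", "child-src"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    The first occurrence of a directive wins, as the spec requires."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url):
    u = urlparse(url)
    return (u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme))


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(source, url, document_origin, redirected=False):
    """Match one source expression against url.

    Keyword sources other than 'self' (nonces, hashes, 'unsafe-inline') never
    match a URL and fall through to False.  When `redirected` is set, the path
    component of a host-source is ignored, as CSP3 specifies for redirects.
    """
    u = urlparse(url)
    if u.scheme not in DEFAULT_PORTS:
        return False  # data:, blob:, ws: are not handled in this illustration
    if source == "*":
        return True
    if source == "'self'":
        return _origin(url) == _origin(document_origin)
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. https:
        return u.scheme == source[:-1]
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    hostport, _, path = rest.partition("/")
    path = "/" + path if path or rest.endswith("/") else ""
    host, _, port = hostport.partition(":")
    if scheme is not None:
        if u.scheme != scheme:
            return False
    elif u.scheme != urlparse(document_origin).scheme and u.scheme != "https":
        return False  # schemeless source: same scheme as the document, or https
    if not _host_matches(host.lower(), (u.hostname or "").lower()):
        return False
    if port != "*":
        want_port = int(port) if port else DEFAULT_PORTS[scheme or u.scheme]
        if want_port != (u.port or DEFAULT_PORTS[u.scheme]):
            return False
    if path and not redirected:
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def is_allowed(header, directive, url, document_origin, redirected=False):
    """Return (allowed, effective_directive) for loading url under directive
    in a document served from document_origin with the given CSP header."""
    policy = parse_csp(header)
    effective = directive
    if directive not in policy and directive in FETCH_DIRECTIVES and "default-src" in policy:
        effective = "default-src"
    sources = policy.get(effective)
    if sources is None:
        return True, None  # neither the directive nor default-src is set
    if sources == ["'none'"]:
        return False, effective
    return any(source_matches(s, url, document_origin, redirected) for s in sources), effective


# Constructed policy in the shape the thread discusses (not the real TDF header):
# fonts only from the document's own origin and one extra host with a path.
EXAMPLE_CSP = ("default-src 'self'; "
               "font-src 'self' https://fonts.example.org/static/; "
               "style-src 'self' 'unsafe-inline'")
DOC = "https://cloud.example.org"

if __name__ == "__main__":
    for directive, url, redirected in [
        ("font-src", "https://fonts.example.org/static/Sans.woff2", False),
        ("font-src", "https://auth.example.org/fonts/Sans.woff2", False),   # host not whitelisted
        ("font-src", "https://fonts.example.org/other/Sans.woff2", False),  # wrong path
        ("font-src", "https://fonts.example.org/other/Sans.woff2", True),   # path ignored after redirect
        ("img-src", "https://cloud.example.org/logo.png", False),           # falls back to default-src
    ]:
        ok, eff = is_allowed(EXAMPLE_CSP, directive, url, DOC, redirected)
        print(f"{directive:9} {url:50} redirected={redirected!s:5} -> {ok} via {eff}")
```

The second case is what a "blocked font" violation looks like: the document's policy, not the font server's, decides, and a host missing from font-src is refused regardless of what that host sends back. The third and fourth cases show the redirect subtlety: a redirected subresource is still checked against the embedding document's policy, but only on scheme, host and port.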
