Composer: Add attachment from Files

[kesselb]

Steps to reproduce

1. Open the message composer
2. Click "Add attachment from Files"
3. Nothing ...

Expected behavior

The file picker opens to select a file

Actual behavior

Nothing ;)

Mail app version

main / stable4.1

Nextcloud version

main / stable30

Additional info

No response

[ChristophWurst]

My Nextcloud server master + Mail main works. The picker shows, the selection is applied. The only problem I can see is the lack of an mimetype image:

[GretaD]

My Nextcloud server master + Mail main works. The picker shows, the selection is applied. The only problem I can see is the lack of an mimetype image:

try with a pdf file, or a .eml

[GVodyanov]

Could you please help me reproduce this? I've tried with stable4.1 and tags/v.4.1.0-beta1 in mail, and 30.0.0 beta 3 in server, but I still have the modal

[ChristophWurst]

@GVodyanov compare the local environment with our production. You should see a network request to fetch the file picker chunk on both systems. However, on prod this leads to a CSP error.

09:29:51.575
IFRAME-RESIZER

Iframe-Resizer 5 is now available via the following two packages:

 * @iframe-resizer/parent
 * @iframe-resizer/child

Additionally their are also new versions of iframe-resizer for React, Vue, and jQuery.

Version 5 of iframe-resizer has been extensively rewritten to use modern browser APIs, which has enabled significantly better performance and greater accuracy in the detection of content resizing events.

Please see https://iframe-resizer.com/upgrade for more details.
09:29:51.586 Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src 'nonce-FCV3lCbeAWAn3MH23p852zDXg4K2WvNqoF0rVL2BXbQ=' blob:” (Missing 'unsafe-eval') mail-main.mjs:8910:68484

^ I wonder why the iframe message pops up when the file picker chunk is loaded.

^ that seems to be the unsafe eval.

[ChristophWurst]

Could you please help me reproduce this? I've tried with stable4.1 and tags/v.4.1.0-beta1 in mail, and 30.0.0 beta 3 in server, but I still have the modal

Try npm build instead of npm run dev or npm run watch. It could also be a development vs production build difference.

[ChristophWurst]

This problem smells related to Vite and reminds me of #10405.

Edit: could be related to vitejs/vite@97bf2f0 and that the fallback is only needed sometimes. That sometimes are the effected installations.
The Text app contains Function("return this") too in a few bundles:

js/NcNoteCard-C6xb7vi0-NMk6-oX1.chunk.mjs
js/cytoscape.esm-U6no2_hj.chunk.mjs
js/mermaid.core-BGtIcDby.chunk.mjs
js/Editor-B2j11CRA.chunk.mjs
js/_plugin-vue2_normalizer-BX5lne15.chunk.mjs

[GVodyanov]

Could you please help me reproduce this? I've tried with stable4.1 and tags/v.4.1.0-beta1 in mail, and 30.0.0 beta 3 in server, but I still have the modal

Try npm build instead of npm run dev or npm run watch. It could also be a development vs production build difference.

Doesn't seem to make a difference on either of those versions

[GVodyanov]

So @kesselb was able to reproduce this with server main and mail main too, however I wasn't able to do so with any combination of versions (server main, mail 4.1, server 30 mail main, server 30 mail 4.1, so on). He is also using npm run dev so that shouldn't make a difference. I also tried changing vite versions, tried 5.4.11 and 5.4.10, still can't reproduce.

Another thing we tested was the node version (seeing as I had 22 and him 20) but he was still able to reproduce it on 22.

Daniel also tried disabling chunking in vite, still doesn't show.

Disabling CSP also doesn't fix it.

[ChristophWurst]

Disabling CSP also doesn't fix it.

So for you it was not the CSP eval error I ran into?

[GVodyanov]

Disabling CSP also doesn't fix it.

So for you it was not the CSP eval error I ran into?

@kesselb It was slightly different, right? Also when disabling CSP there was a different error if I remember correctly

[kesselb]

The filepicker is broken for me on stable4.1.

1. Mail 4.1.0-beta.2 on c.nc.c

Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src 'nonce-Kpt9Qi0DfShpNZVEJPSOLuSwZdf6225XEXr1DxwU8v4=' blob:” (Missing 'unsafe-eval')

2. 3c306b2 on localhost. I'm using the hmr_enabler app making the CSP less strict¹

[Vue warn]: Failed to resolve async component: function() {
    var component = load();
    return {
      component,
      delay,
      timeout,
      error: errorComponent,
      loading: loadingComponent
    };
  }
Reason: CKEditorError: ckeditor-duplicated-modules
Read more: https://ckeditor.com/docs/ckeditor5/latest/support/error-codes.html#error-ckeditor-duplicated-modules vue.runtime.esm.js:4625:20

3. After disabling the hmr_enabler, I'm getting the warnings from 1 and 2 in the console.

4. @GVodyanov doesn't see the problem and is using Node 22. Switching to Node 22 does not resolve it for me.

5. I'm seeing the same with Chromium.

Footnotes

1. https://github.com/nextcloud/hmr_enabler/blob/b410903e4d25028b46a30f01f777b8fce696f591/lib/Listener/LaxifyCSP.php#L22-L23 ↩