False Referrer-Policy warning after upgrade to Nextcloud 15 #12513

Closed
Nils160988 opened this issue Nov 18, 2018 · 13 comments
@Nils160988
Contributor

Steps to reproduce

  1. Log in to your nextcloud with an account with administrative privileges
  2. Click on "Overview"

Expected behaviour

No warnings are shown (like in 14.03 pre-upgrade)

Actual behaviour

Referrer-Policy warning shows up, although it has been set to "strict-origin".

This false warning has also been shown with Beta 1 but not for 14.03.
Changing the configuration to the newly implemented same-origin does not make a difference for Beta 2 but for 14.03 since

Server configuration

Operating system: Ubuntu 16.04.5

Web server: Apache/2.4.18

Database: 10.0.36-MariaDB

PHP version: 7.0.32-0ubuntu0.16.04.1

Nextcloud version: 15.0.0 beta 2

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from:

List of activated apps:

App list
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder
Enabled:
  - accessibility: 1.1.0
  - activity: 2.8.2
  - bruteforcesettings: 1.2.0
  - cloud_federation_api: 0.1.0
  - comments: 1.5.0
  - dav: 1.7.2
  - federatedfilesharing: 1.5.0
  - federation: 1.5.0
  - files: 1.10.0
  - files_pdfviewer: 1.4.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_versions: 1.8.0
  - files_videoplayer: 1.4.0
  - firstrunwizard: 2.4.0
  - gallery: 18.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - nextcloud_announcements: 1.4.0
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - provisioning_api: 1.5.0
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - updatenotification: 1.5.0
  - workflowengine: 1.5.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - support
  - user_external
  - user_ldap

Nextcloud configuration:

Config report

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or

Insert your config.php content here.
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)
{
    "system": {
        "instanceid": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "XXXXXX"
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "overwrite.cli.url": "httpsXXXX",
        "htaccess.RewriteBase": "/",
        "dbtype": "mysql",
        "version": "15.0.0.6",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "memcache.local": "\OC\Memcache\APCu",
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "REMOVED SENSITIVE VALUE",
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "updater.release.channel": "beta",
        "skeletondirectory": "/var/www/default-files",
        "maintenance": false,
        "loglevel": 2,
        "theme": "",
        "updater.secret": "REMOVED SENSITIVE VALUE"
    }
}

Are you using external storage, if yes which one: local

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 63.0

Operating system: Ubuntu 18.04.01

@Nils160988 Nils160988 changed the title False Referrer-Policy warning False Referrer-Policy warning after upgrade to Nextcloud 15 Nov 18, 2018
@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #4908 (Problem upgrading NextCloud), #11202 (Nextcloud 14 Upgrade issue. ), #5599 (Contacts duplicate after upgrade to Nextcloud 12.0), #12507 (App Page not available after Upgrade to 15 Beta 2), and #12497 (Update with updater from Nextcloud 15 Beta 1 to Beta 2 not possible).

@Nils160988
Contributor Author

This issue also shows up on another instance after upgrade from 14.03 to 14.04.

@xxKeith20xx

xxKeith20xx commented Nov 22, 2018

Just upgraded to 14.04 and found this warning. Once I commented it out from my vhost file, the warning went away:

Apache/2.4.25 (Debian)

# <IfModule mod_headers.c>
#Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
#Header always set Referrer-Policy "no-referrer"
# </IfModule>

I've left the defaults intact in the NextCloud .htaccess:

 grep -ni referrer .htaccess
19:    Header set Referrer-Policy "no-referrer"

Perhaps having both caused a conflict?

@Scindix

Scindix commented Nov 26, 2018

I had this issue as well after upgrading from 14.03 to 14.04. And it was fixed for me as well by removing one of the header directives (either the one in my sites.conf or the one in .htaccess).

While inspecting the issue I found out that setting the directives in two places causes Apache to send the header twice. So Nextcloud probably gets confused when that header is present multiple times.
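To make the failure mode described above concrete, here is an added example (not Nextcloud code, and not posted by anyone in this thread). It models, as an assumption, the kind of setup check the thread is discussing: fetch the instance's own URL and compare the Referrer-Policy response header against a list of accepted policies. When Apache sends the header twice (vhost plus .htaccess), an HTTP client that folds repeated headers into one comma-joined line produces a value that matches nothing, so a check of that shape reports the policy as unset even though it is configured. The accepted-policy list, the function names and the sample header set are constructed for the example; whether the real Nextcloud check folds headers this way is not established on this page.

```python
"""Diagnose a duplicated Referrer-Policy header (added example, not Nextcloud code)."""
import urllib.request
from typing import Iterable, List, Tuple

# Assumption for this example: policies a setup check would accept.
ACCEPTED_POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "same-origin",
}

Header = Tuple[str, str]


def referrer_policy_values(headers: Iterable[Header]) -> List[str]:
    """Return every Referrer-Policy value sent, in wire order (header names are case-insensitive)."""
    return [value.strip() for name, value in headers if name.lower() == "referrer-policy"]


def naive_check(headers: Iterable[Header]) -> bool:
    """A check that folds repeated headers into one line with ', ' (the RFC 7230 list join)
    and compares the whole line to the accepted set. Two copies of 'no-referrer' become
    'no-referrer, no-referrer', which is not an accepted value, so the check fails."""
    joined = ", ".join(referrer_policy_values(headers))
    return joined in ACCEPTED_POLICIES


def robust_check(headers: Iterable[Header]) -> bool:
    """Evaluate each header instance on its own: present, and every copy is acceptable."""
    values = referrer_policy_values(headers)
    return len(values) > 0 and all(v in ACCEPTED_POLICIES for v in values)


def diagnose(headers: Iterable[Header]) -> str:
    """Explain what the server is actually sending, so the admin knows what to change."""
    values = referrer_policy_values(headers)
    if not values:
        return "missing: no Referrer-Policy header sent"
    if len(values) > 1:
        return (f"duplicated: header sent {len(values)} times ({', '.join(values)}); "
                "remove the copy set by the web server and keep the one Nextcloud sets")
    if values[0] not in ACCEPTED_POLICIES:
        return f"weak: {values[0]!r} is not an accepted policy"
    return f"ok: {values[0]}"


def fetch_headers(url: str, timeout: float = 10.0) -> List[Header]:
    """Fetch the URL with HEAD and return all response headers as (name, value) pairs.
    urllib keeps repeated headers separate, so duplicates stay visible."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return list(response.headers.items())


# Constructed sample (not a real capture): what Apache sends when both the vhost
# and .htaccess set the header, as reported in the thread.
SAMPLE_DUPLICATED: List[Header] = [
    ("Date", "Mon, 26 Nov 2018 10:00:00 GMT"),
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=15552000; includeSubDomains"),
    ("Referrer-Policy", "no-referrer"),
    ("Referrer-Policy", "no-referrer"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

# Constructed sample: the same response after the vhost directive is removed.
SAMPLE_SINGLE: List[Header] = [
    ("Date", "Mon, 26 Nov 2018 10:00:00 GMT"),
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=15552000; includeSubDomains"),
    ("Referrer-Policy", "no-referrer"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

if __name__ == "__main__":
    import sys
    # Pass your instance URL as the first argument to test a live server;
    # without one the constructed duplicated sample is used.
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DUPLICATED
    print(diagnose(headers))
```

Run it against the instance URL to see every copy of the header the server emits; if it reports "duplicated", remove the directive from the web-server configuration (vhost, sites.conf or the lighttpd config) rather than from the .htaccess that ships with Nextcloud, which is the fix the rest of this thread converges on.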

@Nils160988
Contributor Author

I can confirm that the behavior has been introduced for 14.04 and persists for 15 RC1.

@ncodeyx

ncodeyx commented Nov 29, 2018

Can confirm this is an issue on Nextcloud 14.04 as well.

@m1d1

m1d1 commented Dec 10, 2018

I can confirm @Scindix's finding. Identical header settings in two different locations (apache conf file / .htaccess) were causing the trouble.

@J0WI
Contributor

J0WI commented Dec 11, 2018

See also nextcloud/documentation#674 and #8207

@sruckh

sruckh commented Jan 15, 2019

This is also true for the stable 14.0.6 release. Referrer policy is set to no-referrer. The website Security Headers correctly identifies that the referrer policy has been configured, but the "Security & setup warnings" warning from Nextcloud incorrectly reports that the referrer policy is not set.

@Nils160988
Contributor Author

As I understand it now, it is no longer recommended to configure the referrer policy in the apache-config (according to the Nextcloud 15 docs) because the htaccess takes care of it.

Is this correct? Then this issue should be closed I think.

@sruckh

sruckh commented Mar 9, 2019

In my particular case I am now running Lighttpd with Nextcloud stable version 15.0.5, so the .htaccess would not help. The warning about the "Referrer-Policy" HTTP header is still displayed on the Settings->Administration->Overview screen.

@kesselb
Contributor

kesselb commented Mar 9, 2019

Header is set by nextcloud. If you set the header with your lighttpd remove it there.

@sruckh

sruckh commented Mar 9, 2019

I can confirm that now removing the header from the lighttpd .conf file does indeed remove the warning. Thank You.
