Content Security Policy Headers and multiple trusted_domains

[awlx]

Hi everybody,

I got some complains of users that Nextcloud is not working anymore as in showing a blank page or not being able to login anymore.

I inspected the issue and saw, that Chrome forbids some content because of CSP violation. It happens for every trusted_domain except the "0" domain. Because background images and .js scripts seem to get delivered from the first domain in the array and thus are blocked.

It's nearly the same issue as here #4840 only that no Cloudflare is involved just more than one domain name.

http://i.imgur.com/iuWeGmC.png

Maybe it's a new bug?

[LukasReschke]

Duplicate of #5329 aka will be fixed with 12.0.1 (#5584)

[Zyplonox]

Im using apache 2.4.27 on a ubuntu 17.10 machine with MySQL and php 7.1.11. My Nextcloud version is 12.0.3. If i set the Content Security Policy Header i cant press the login button anymore. I used this to set the CSP:
Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"

Regards