How to disable the Content Security Policy ? #9297

Closed
vipera7 opened this issue Apr 25, 2018 · 4 comments

@vipera7

vipera7 commented Apr 25, 2018

Steps to reproduce

  1. Put some css file (fonts and styling) to core/templates/layout.user.php
  2. Getting error from CSP

Expected behaviour

Getting no error and the files are styling the page.

Actual behaviour

Here is a screen of what is happening
Issue

Server configuration

Operating system:
Centos 7

Web server:
Apache/2.4.6

Database:
MariaDB 5.5.52

PHP version:
PHP 7.1.16

Nextcloud version: (see Nextcloud admin page)
13.0.1

List of activated apps

PDF viewer
Activity
Collaborative tags
Comments
Deleted files
Federation
File sharing
First run wizard
Gallery
Log Reader
Monitoring
Nextcloud announcements
Notifications
Password policy
Share by mail
Text editor
Update notification
Usage survey
Versions
Video player
Auditing / Logging
Default encryption module
External storage support
External user support
LDAP user and group backend
Theming

Nextcloud configuration:

Config report
<?php
$CONFIG = array (
  'instanceid' => 'ocfmjtjiaobh',
  'passwordsalt' => 'salt',
  'secret' => 'secret',
  'trusted_domains' => 
  array (
    0 => '192.168.0.31',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'overwrite.cli.url' => 'http://192.168.0.31/nextcloud',
  'dbtype' => 'mysql',
  'version' => '13.0.1.1',
  'dbname' => 'nextclouddb',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextclouduser',
  'dbpassword' => 'pass',
  'installed' => true,
  'theme' => 'seedbox',
  'integrity.check.disabled' => true,
);

Are you using encryption: yes/no
No

Client configuration

Browser:
Chrome

@vipera7 vipera7 changed the title How to disable the CSP ? How to disable the Content Security Policy ? Apr 25, 2018
@MorrisJobke
Member

Disabling this is not possible for core. You could change the policy in your own app: https://docs.nextcloud.com/server/13/developer_manual/app/controllers.html#modifying-the-content-security-policy

Also, manipulating server files is at your own risk, because it could break the whole system.

If you want to add custom CSS only then maybe the custom css app by @juliushaertl is the best way to accomplish this: https://github.com/juliushaertl/theming_customcss

@vipera7
Author

vipera7 commented Apr 25, 2018

@MorrisJobke Well, my fonts are in my theme folder and still cannot open it. And I would like to know why Nextcloud takes only CSS but not my templates.

@MorrisJobke
Member

> Put some css file (fonts and styling) to core/templates/layout.user.php

This is not supported. Also, the theme is nowhere mentioned in the report. The only issue visible in the screenshot is that it wants to load some fonts from Google servers, which is refused due to the valid CSP. Please put all the fonts in there to not load stuff from Google servers. Then the error message should be gone. For further help I would recommend the forums at https://help.nextcloud.com because this is a bug tracker for the server component.

@shanzhen

shanzhen commented May 7, 2024

If you are using apache2 as the web server, just add this to
sites-available/nextcloud.conf

    <IfModule mod_headers.c>
        Header unset Content-Security-Policy
    </IfModule>

to strip the CSP header from nextcloud.

It's less secure, of course.
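
For configuration review, a change like the one in the comment above can be caught with a small audit. The following is an added example, not part of the original thread or of Nextcloud: it scans Apache configuration text for mod_headers directives that remove or replace the Content-Security-Policy header. The function names and the sample configuration are constructed for illustration.

```python
import re

# Apache mod_headers syntax: Header [always|onsuccess] <action> <name> [value ...]
# Lines starting with "#" never match, so commented-out directives are ignored.
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:(always|onsuccess)\s+)?(\S+)\s+"?([A-Za-z0-9-]+):?"?',
    re.IGNORECASE)
CSP_NAMES = {"content-security-policy", "content-security-policy-report-only"}
# Actions that remove or replace the policy sent by the application.
EFFECT = {"unset": "removed", "set": "overwritten",
          "edit": "rewritten", "edit*": "rewritten"}

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def audit_csp(config_text):
    """Return (line, header, effect, condition) for CSP-weakening directives."""
    findings = []
    for lineno, line in logical_lines(config_text):
        m = HEADER_RE.match(line)
        if not m:
            continue
        cond, action, name = m.group(1), m.group(2).lower(), m.group(3).lower()
        if name in CSP_NAMES and action in EFFECT:
            findings.append(
                (lineno, name, EFFECT[action], (cond or "onsuccess").lower()))
    return findings

# Constructed sample: the snippet from the comment above plus two variants.
SAMPLE = """\
# Header unset Content-Security-Policy
<IfModule mod_headers.c>
    Header unset Content-Security-Policy
    Header always set X-Frame-Options "SAMEORIGIN"
    header ALWAYS set "Content-Security-Policy" \\
        "default-src *"
</IfModule>
"""

if __name__ == "__main__":
    print(audit_csp(SAMPLE))
```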
