Package: davical
Version: 1.1.12-2

Hi,

At the end of its example / reference configuration file /etc/apache2/sites-available/davical.conf, davical defines a Content-Security-Policy, but forgets to bracket it with <Directory> instructions to scope it to its own resources.

Should be:

<Directory /usr/share/davical/htdocs>
  <FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
    Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self' sis.redsys.es; frame-ancestors 'self'"
  </FilesMatch>
</Directory>

... or even better, move it up to the existing <Directory /usr/share/davical/htdocs> scope on top of the file, along with all the other items.

Without such scoping, the Content-Security-Policy applies to *all* resources on the server, including those of other, unrelated web applications. In our case, this broke nextcloud by interfering with nextcloud's own Content-Security-Policy.

A similar issue may exist with the RewriteRules: we noticed that nextcloud failed to correctly locate its .well-known resources. Davical should only rewrite those .well-known resources that it specifically supplies, rather than (.*)

Thanks for fixing this,

Alain
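
A quick way to audit other site files for the same scoping problem, as an added example that is not part of the report or of davical: the script below flags any Content-Security-Policy `Header` directive that is not inside a `<Directory>`, `<Location>` or `<Files>` style container. The function name and both sample configurations are constructed for illustration, and the parser assumes well-nested sections with no backslash line continuations or `Include` files.

```python
import re

# Containers that restrict a directive to part of the filesystem or URL space.
# <VirtualHost> and <IfModule> are deliberately absent: they do not narrow scope.
SCOPING = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\b[^>]*>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")
CSP = re.compile(
    r"Header\s+(?:always\s+)?(?:set|append|add|merge)\s+Content-Security-Policy\b", re.I)

def unscoped_csp(conf_text):
    """Return line numbers of CSP Header directives outside any scoping container."""
    stack, hits = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append(m.group(1).lower())
        elif CSP.match(line) and not SCOPING & set(stack):
            hits.append(lineno)
    return hits

# Constructed samples modelled on the layout the report describes.
BROKEN = """\
<VirtualHost *:80>
    DocumentRoot /usr/share/davical/htdocs
    <Directory /usr/share/davical/htdocs>
        Require all granted
    </Directory>
    Header set Content-Security-Policy "default-src 'none'; script-src 'self'"
</VirtualHost>
"""
FIXED = """\
<VirtualHost *:80>
    DocumentRoot /usr/share/davical/htdocs
    <Directory /usr/share/davical/htdocs>
        Require all granted
        <FilesMatch "(admin|index|setup).php">
            Header set Content-Security-Policy "default-src 'none'; script-src 'self'"
        </FilesMatch>
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    print("broken:", unscoped_csp(BROKEN))
    print("fixed: ", unscoped_csp(FIXED))
```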