[Bug]: Nextcloud 31 - Install/Enable apps with ajax request to http #51213

Open
5 of 8 tasks
wrenix opened this issue Mar 3, 2025 · 7 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 31-feedback bug high

Comments

@wrenix

wrenix commented Mar 3, 2025

⚠️ This issue respects the following points: ⚠️

Bug description

After updating in place to the Nextcloud 31 container, enabling or installing an app makes a second request to "httpS:///apps/files/", whose HTTP response has a Location header pointing to "http:///apps/files/" (without TLS).
That seems to lead to a Content-Security-Policy violation and shows the following in the console:

Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at https://<redacted>/apps/files/ because it violates the following directive: “connect-src 'self'”

And the UI shows a failure when enabling/installing the apps.

PS: It looks like the Apps are enabled (just that failure in UI)

Steps to reproduce

  1. Install Nextcloud 31 (with nginx-fpm and PostgreSQL)
  2. Enable Application

Expected behavior

No error message shown

Nextcloud Server version

31

Operating system

Other

PHP engine version

Other

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 31 to 32)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

List of activated Apps

Nextcloud Signing status

Nextcloud Logs

Additional info

No response
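
The failure mode reported above, modelled as an added example that is not part of the original thread or of Nextcloud's code: it walks a captured redirect chain and flags each hop that `connect-src 'self'` would block, following the CSP Level 3 matching rule for `'self'`. The host `cloud.example.test`, the page URL and the sample hops are constructed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
REDIRECTS = (301, 302, 303, 307, 308)

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname or "", parts.port or DEFAULT_PORTS.get(scheme)

def matches_self(page_url, target_url):
    """CSP 'self': same origin, or same host with a secure (or http->http/ws) scheme."""
    p, t = origin(page_url), origin(target_url)
    if p == t:
        return True
    ports_ok = p[2] == t[2] or (
        p[2] == DEFAULT_PORTS.get(p[0]) and t[2] == DEFAULT_PORTS.get(t[0]))
    scheme_ok = t[0] in ("https", "wss") or (p[0] == "http" and t[0] in ("http", "ws"))
    return p[1] == t[1] and ports_ok and scheme_ok

def audit_redirect_chain(page_url, first_request, hops):
    """Report every redirect target that connect-src 'self' would block.

    hops is a list of (status, Location-or-None) pairs, for example copied
    from the browser's network tab or from `curl -sI` output.
    """
    findings = []
    current = urljoin(page_url, first_request)
    for status, location in hops:
        if status not in REDIRECTS or not location:
            break
        target = urljoin(current, location)  # Location may be relative
        if not matches_self(page_url, target):
            downgrade = (urlsplit(current).scheme, urlsplit(target).scheme) == ("https", "http")
            findings.append({"from": current, "to": target,
                             "reason": "scheme downgrade" if downgrade else "cross-origin"})
        current = target
    return findings

# Constructed sample modelled on the report: an HTTPS request answered
# with a Location header that points at plain http on the same host.
PAGE = "https://cloud.example.test/settings/apps"
SAMPLE_HOPS = [(302, "http://cloud.example.test/apps/files/"), (200, None)]

if __name__ == "__main__":
    for f in audit_redirect_chain(PAGE, "/apps/files/", SAMPLE_HOPS):
        print(f"blocked by connect-src 'self': {f['from']} -> {f['to']} ({f['reason']})")
```

A relative or same-scheme `Location` passes the check, so a finding points at whatever component builds the absolute `http://` URL behind the TLS-terminating proxy.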

@wrenix wrenix added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Mar 3, 2025
@szaimen
Contributor

szaimen commented Mar 4, 2025

Hi, we need the output of occ config:list system for further debugging

@rafal11ck

rafal11ck commented Mar 4, 2025

> Hi, we need the output of occ config:list system for further debugging

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "overwrite.cli.url": "https:\/\/***REMOVED MANUALLY SENSITIVE VALUE***",
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR"
        ],
        "maintenance_window_start": 1,
        "default_phone_region": "PL",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "upgrade.disable-web": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "***REMOVED MANUALLY SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "31.0.0.18",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***"
    }
}

@kesselb
Contributor

kesselb commented Mar 4, 2025

Reminds me about #44685

@szaimen
Contributor

szaimen commented Mar 4, 2025

@rafal11ck can you try to set overwritehost in your config and check if that fixes this?

@rafal11ck

rafal11ck commented Mar 4, 2025

I set it the way described in the issue mentioned above:

  'overwritehost' => 'cloud.yyyyy.be',
  'overwritehost' => 'cloud.yyyyy.be:443',

Neither works.

@szaimen szaimen added high and removed needs info labels Mar 4, 2025
@rafal11ck

> PS: It looks like the Apps are enabled (just that failure in UI)

Regarding this:

2025-03-04.12-30-49.mp4

@wrenix
Author

wrenix commented Mar 4, 2025

My test setup:

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "hide_login_form": false,
        "skeletondirectory": "",
        "lost_password_link": "***REMOVED SENSITIVE VALUE***",
        "default_language": "en",
        "default_phone_region": "GB",
        "allow_local_remote_servers": true,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR"
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "***REMOVED SENSITIVE VALUE***",
            "mycloud-nextcloud-hr.mycloud-dev.svc.cluster.local"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "31.0.0.18",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 2,
        "maintenance": false,
        "preview_imaginary_url": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "enabledPreviewProviders": [
            "OC\\Preview\\Imaginary",
            "OC\\Preview\\MP3",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\OpenDocument"
        ],
        "upgrade.disable-web": true,
        "maintenance_window_start": 1,
        "app_install_overwrite": [
            "electronicsignatures",
            "secsignid",
            "maps",
            "checksum",
            "duplicatefinder",
            "inventory",
            "neon_web"
        ],
        "enable_previews": true
    }
}
