ownnote and tinymce problems in Nextcloud 11 #333

Open
ghost opened this issue Dec 22, 2016 · 6 comments

ghost commented Dec 22, 2016

Hi there,

I get browser debug messages saying that it cannot load TinyMCE because of the security policy. I added the policy from other ownCloud apps, but it does not help. In some circumstances it worked for a short time until a restart of Apache. Sometimes I get a non-editable text of the note. Normally it does not show my editor or text. I tried activating SSL and a ton of other ideas from this tracker, but it does not come back.
ownCloud 8 did work before I updated, so it should not be a problem with Apache or the setup files.
Updating to the new TinyMCE also does not help.

Any ideas?

Contributor

q4z1 commented Dec 28, 2016

Hi,

here is a workaround:

I added a "nonce" attribute to every generated "<script>" tag and removed a useless iframe src. The following files are changed:

  • apps/ownnote/templates/main.php - top of the file before the opening <?php tag:

insert
<input type="hidden" name="nextNonce" id="nextNonce" value="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" />

  • apps/ownnote/js/tinymce/tinymce.min.js - line 2735:

replace
l = a.uniqueId(), s = document.createElement("script"), s.id = l, s.type = "text/javascript", s.src = t._addCacheSuffix(e), "onreadystatechange" in s ? s.onreadystatechange = function() {

with
l = a.uniqueId(), s = document.createElement("script"), s.setAttribute("nonce", document.getElementById("nextNonce").value), s.id = l, s.type = "text/javascript", s.src = t._addCacheSuffix(e), "onreadystatechange" in s ? s.onreadystatechange = function() {

  • apps/ownnote/js/tinymce/tinymce.min.js - line 8515:

replace
}, k.setAttrib(y, "src", u || 'javascript:""'), t.contentAreaContainer = l.iframeContainer, t.iframeElement = y, s = k.add(l.iframeContainer, y), O) try {

with
}, k.setAttrib(y, "src", u || ''), t.contentAreaContainer = l.iframeContainer, t.iframeElement = y, s = k.add(l.iframeContainer, y), O) try {

These changes keep the new CSP features of Nextcloud without the need to change the CSP header in a core file of Nextcloud ;)
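
Added example (not part of the comment above and not ownNote or Nextcloud code): a simplified model of how a browser evaluates a nonce-based `script-src`, showing why a script built with `document.createElement` needs the nonce and why a `javascript:` iframe src cannot pass. The function names, origin, policy string and nonce are constructed for illustration; the model covers only `'nonce-…'`, `'self'` and `'unsafe-inline'`.

```javascript
// Added example, simplified: models only 'nonce-...', 'self' and 'unsafe-inline'
// in script-src (no hashes, host lists or 'strict-dynamic').

// Parse a CSP header value into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // duplicate directives are ignored
  }
  return policy;
}

// req is { kind: "element", src, nonce } for a <script src> (parser-inserted or
// built with document.createElement), or { kind: "javascript-url" } for a
// navigation such as an iframe whose src is 'javascript:""'.
function scriptAllowed(policy, req, pageOrigin) {
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true; // no directive governs scripts
  const nonces = sources
    .map((s) => /^'nonce-(.+)'$/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
  if (req.kind === "javascript-url") {
    // Checked as inline script. A URL cannot carry a nonce, and
    // 'unsafe-inline' is ignored as soon as the list contains a nonce.
    return sources.includes("'unsafe-inline'") && nonces.length === 0;
  }
  if (req.nonce && nonces.includes(req.nonce)) return true;
  return sources.includes("'self'") &&
    new URL(req.src, pageOrigin).origin === pageOrigin;
}

// Constructed sample values (not Nextcloud's real header or nonce).
const ORIGIN = "https://cloud.example";
const NONCE_ONLY = parseCsp("default-src 'none'; script-src 'nonce-c2FtcGxl'");
const SCRIPT = "/apps/ownnote/js/tinymce/tinymce.min.js";

function demo() {
  return {
    dynamicWithoutNonce: scriptAllowed(NONCE_ONLY, { kind: "element", src: SCRIPT }, ORIGIN),
    dynamicWithNonce: scriptAllowed(NONCE_ONLY, { kind: "element", src: SCRIPT, nonce: "c2FtcGxl" }, ORIGIN),
    javascriptUrlFrame: scriptAllowed(NONCE_ONLY, { kind: "javascript-url" }, ORIGIN),
  };
}
console.log(demo());
```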

Author

ghost commented Dec 29, 2016

I found another workaround:
Open Firefox,
enter about:config.
Then set security.csp.enabled to false.
I will now try the above code change ...

Author

ghost commented Dec 30, 2016

The above code change is working perfectly.
I can now re-enable the CSP in Firefox.
Thank you for your help.

bakfietz commented Jan 3, 2017

@q4z1 : The fix works fine for Firefox. Still not able to edit using Chrome. Any suggestions?

Google Chrome	55.0.2883.87 (Official Build) (64-bit)
Revision	ad0be09aa3ca814168d079b52825f6f80e22f0e8-refs/branch-heads/2883@{#723}
OS	Linux 
JavaScript	V8 5.5.372.32
Flash	24.0.0.186
User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

bakfietz commented Jan 3, 2017

@q4z1:

@q4z1 : The fix works fine for Firefox. Still not able to edit using Chrome. Any suggestions?

Oops... Ofc, clearing cache worked :/

4oo4 added a commit to 4oo4/ownnote that referenced this issue Jan 14, 2017

bruderb commented Feb 12, 2017

Clearing cache in Firefox is a good idea, too.
Thanks very much!
