Closed
Steps to reproduce
- Log in using Firefox
- Go to //settings/admin/overview
- Look under Security & setup warnings
Expected behaviour
I should see (This happens in Chrome)
All checks passed.
Actual behaviour
I see (Using Firefox)
There are some warnings regarding your setup.
- Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
- Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.
Server configuration
Operating system: Linux: Devuan 2.0.0
Web server: Apache 2.4.25 (behind Nginx 1.14.0 proxy)
Database: PostgreSQL 6.9.6
PHP version: 7.0.30
Nextcloud version: 14.0.2 (Also happened in 14.0.2 RC2, but I figured it got fixed in #11738)
Updated from an older Nextcloud: Updated from previous RC
Client configuration
Browser: Firefox 60.2.2esr (64-bit)
Operating system: Linux: Devuan 2.0.0
What seems to happen:
Firefox:
- The setup-check requests https://fnp.tubul.net/.well-known/caldav, which is redirected:
Request headers
```
PROPFIND /.well-known/caldav HTTP/1.1
Host: fnp.tubul.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-GB,en-US;q=0.8,en;q=0.5,nl;q=0.3
Accept-Encoding: gzip, deflate, br
requesttoken: *****:*****
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=*****; nc_token=*****; nc_session_id=***** oc_sessionPassphrase=*****; ocaed*****=*****
DNT: 1
Connection: keep-alive
```
Response headers (empty body)
```
HTTP/2.0 301 Moved Permanently
server: nginx/1.14.0
date: Thu, 11 Oct 2018 12:15:38 GMT
content-type: text/html; charset=iso-8859-1
content-length: 244
location: http://fnp.tubul.net/remote.php/dav/
x-clacks-overhead: GNU Terry Pratchett
strict-transport-security: max-age=31536000; includeSubDomains; preload
X-Firefox-Spdy: h2
```
- The redirected request to https://fnp.tubul.net/remote.php/dav/ returns a 401:
Request headers
```
PROPFIND /remote.php/dav/ HTTP/1.1
Host: fnp.tubul.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-GB,en-US;q=0.8,en;q=0.5,nl;q=0.3
Accept-Encoding: gzip, deflate, br
requesttoken: *****:*****
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: keep-alive
```
Response headers
```
HTTP/2.0 401 Unauthorized
server: nginx/1.14.0
date: Thu, 11 Oct 2018 12:15:39 GMT
content-type: application/xml; charset=utf-8
content-length: 235
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: ocaed*****=******; path=/; secure; HttpOnly oc_sessionPassphrase=*****; path=/; secure; HttpOnly __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
content-security-policy: default-src 'self' tubul.net *.tubul.net;child-src 'self' tubul.net *.tubul.net www.openstreetmap.org;frame-ancestors 'self' tubul.net *.tubul.net;style-src 'self' tubul.net 'unsafe-inline';script-src 'unsafe-inline' 'unsafe-eval' 'self';object-src 'none';img-src https: data: blob:; font-src 'self' data: blob:;connect-src *;upgrade-insecure-requests
x-frame-options: SAMEORIGIN
www-authenticate: DummyBasic realm="Tubul"
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer
x-robots-tag: none
x-download-options: noopen
x-permitted-cross-domain-policies: none
strict-transport-security: max-age=31536000; includeSubDomains; preload
X-Firefox-Spdy: h2
```
Response body:
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
<s:message>Cannot authenticate over ajax calls</s:message>
</d:error>
In Chrome (where the check works fine)
- The setup-check request is redirected:
Request headers
```
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,nl;q=0.8
cookie: oc_sessionPassphrase=*****; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocaed*****=*****; nc_username=*****; nc_token=*****; nc_session_id=*****
dnt: 1
ocs-apirequest: true
origin: https://fnp.tubul.net
requesttoken: *****:*****
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
x-requested-with: XMLHttpRequest
```
Response headers (empty body)
```
content-length: 244
content-type: text/html; charset=iso-8859-1
date: Thu, 11 Oct 2018 12:40:15 GMT
location: http://fnp.tubul.net/remote.php/dav/
server: nginx/1.14.0
status: 301
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-clacks-overhead: GNU Terry Pratchett
```
- The redirected request to https://fnp.tubul.net/remote.php/dav/ returns a 207:
Request headers
```
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,nl;q=0.8
cookie: oc_sessionPassphrase=*****; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc*****=*****; nc_username=*****; nc_token=*****; nc_session_id=*****
dnt: 1
ocs-apirequest: true
origin: https://fnp.tubul.net
requesttoken: *****:*****
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
x-requested-with: XMLHttpRequest
```
Response headers
```
cache-control: no-store, no-cache, must-revalidate
content-length: 5547
content-security-policy: default-src 'self' tubul.net *.tubul.net;child-src 'self' tubul.net *.tubul.net www.openstreetmap.org;frame-ancestors 'self' tubul.net *.tubul.net;style-src 'self' tubul.net 'unsafe-inline';script-src 'unsafe-inline' 'unsafe-eval' 'self';object-src 'none';img-src https: data: blob:; font-src 'self' data: blob:;connect-src *;upgrade-insecure-requests
content-type: application/xml; charset=utf-8
date: Thu, 11 Oct 2018 12:40:15 GMT
dav: 1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nc-calendar-search, nc-enable-birthday-calendar
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: no-referrer
server: nginx/1.14.0
status: 207
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Brief,Prefer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
```
Response body:
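Added example (not part of the original report, and not Nextcloud's own setup-check code): a small trace analyser that flags the two differences visible in the captures above, the `location` header pointing at `http://` on an HTTPS origin and the missing `Cookie` header on Firefox's redirected request. The function names, finding labels and shortened header blocks are constructed for illustration; treating a 207 on the second hop as a pass is an assumption taken from the Chrome trace.

```javascript
// Added example. Header blocks below are constructed from the redacted traces in the report.
function parseHeaders(block) {
  const headers = {};
  for (const line of block.trim().split("\n")) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// hops: [{status, request, response}] for the check request and its redirected follow-up.
function analyseTrace(origin, hops) {
  const findings = [];
  const [first, second] = hops;
  const base = new URL(origin);
  const location = parseHeaders(first.response).location;
  if (first.status !== 301 || !location) {
    findings.push("no-redirect");
  } else {
    const target = new URL(location, origin);
    if (base.protocol === "https:" && target.protocol === "http:")
      findings.push("location-downgrades-to-http");
    if (target.host !== base.host) findings.push("redirect-leaves-origin");
    if (target.pathname !== "/remote.php/dav/") findings.push("unexpected-target");
  }
  if (second) {
    if (!("cookie" in parseHeaders(second.request)))
      findings.push("no-cookie-on-redirected-request");
    if (second.status === 401) findings.push("dav-endpoint-returned-401");
  }
  // Assumption: a 207 on the second hop is what lets the check pass (Chrome trace).
  return { passed: Boolean(second) && second.status === 207, findings };
}

const redirect = "server: nginx/1.14.0\nlocation: http://fnp.tubul.net/remote.php/dav/";
const firefoxTrace = [
  { status: 301, request: "Cookie: nc_session_id=*****", response: redirect },
  { status: 401, request: "requesttoken: *****:*****\nX-Requested-With: XMLHttpRequest",
    response: 'www-authenticate: DummyBasic realm="Tubul"' },
];
const chromeTrace = [
  { status: 301, request: "cookie: nc_session_id=*****", response: redirect },
  { status: 207, request: "cookie: nc_session_id=*****\nrequesttoken: *****:*****",
    response: "dav: 1, 3" },
];
console.log("firefox", analyseTrace("https://fnp.tubul.net", firefoxTrace));
console.log("chrome", analyseTrace("https://fnp.tubul.net", chromeTrace));
```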