pulsejet/memories

[Android App] Photos page always returns error

Closed this issue · 3 comments

Describe the bug

I'm getting the "Failed to fetch" error every time I visit the main timeline page.
My efforts to find blocked connections on the server side so far haven't turned up anything, and I wasn't able to find anything relevant in Logcat on my phone.

Memories in Nextcloud is fully working and shows the timeline without issue. Preview Generator is working as well.

Steps To Reproduce

  1. Open the Memories app
  2. Log in
  3. Observe error on the default screen

Platform

- OS: Android 14 (LineageOS 21)
- Browser: Memories app (F-Droid, version 1.12)
- Memories Version: 7.4.1
- Nextcloud Version: 29.0.8
- PHP Version: 8.2.24

Screenshots

No response

Additional context

I'm running Nextcloud with Apache2, but behind an nginx reverse proxy. Here are the relevant lines from the log for both:

nginx

178.194.142.206 - - [04/Nov/2024:17:43:22 +0100] "GET /index.php/apps/memories/api/days HTTP/2.0" 200 1161 "https://nextcloud.exu.li/index.php/apps/memories/" "MemoriesNative/1.12 Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.76 Mobile Safari/537.36"
178.194.142.206 - - [04/Nov/2024:17:43:22 +0100] "POST /index.php/apps/memories/api/days HTTP/2.0" 200 802 "https://nextcloud.exu.li/index.php/apps/memories/" "MemoriesNative/1.12 Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.76 Mobile Safari/537.36"

apache2

172.18.50.51 - - [04/Nov/2024:17:43:10 +0100] "POST /index.php/apps/memories/api/days HTTP/1.1" 200 1509
172.18.50.51 - - [04/Nov/2024:17:43:10 +0100] "GET /index.php/apps/memories/api/days HTTP/1.1" 200 1869

On a whim I decided to disable all Content Security Policies and restart the app.
Without CSPs the page loads normally.

How can I figure out which policy is missing?

Current CSP:

add_header Content-Security-Policy "connect-src 'self'; default-src 'none'; font-src 'self' data:; frame-src 'self' https://onlyoffice.exu.li; img-src 'self' data: https://* blob:; media-src 'self'; script-src-elem 'self' 'unsafe-inline' https://onlyoffice.exu.li; style-src-elem 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self';";

Nextcloud sets CSP automatically. You don't need to set it like this.

Thanks, I didn't know that.
I guess I always had some form of security policy with X-Frame-Options and later CSP active, so I never noticed.
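
One way to approach the question asked in the issue, as an added example that is not part of the thread or of the Memories project: it resolves the CSP Level 3 fallback chain for each fetch directive in the quoted policy and lists those that are never written out but still inherit `default-src 'none'`. The function names are made up for this example, and the output is a list of candidates, not a finding about which directive the app actually hit.

```javascript
// Added example, not from the issue thread. Fallback chains per CSP Level 3.
const FALLBACK = {
  'script-src': ['script-src', 'default-src'],
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr': ['style-src-attr', 'style-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
};
for (const d of ['connect-src', 'img-src', 'font-src', 'media-src', 'manifest-src', 'object-src']) {
  FALLBACK[d] = [d, 'default-src'];
}

// Policy value copied from the add_header line quoted in the issue.
const ISSUE_CSP = "connect-src 'self'; default-src 'none'; font-src 'self' data:; " +
  "frame-src 'self' https://onlyoffice.exu.li; img-src 'self' data: https://* blob:; " +
  "media-src 'self'; script-src-elem 'self' 'unsafe-inline' https://onlyoffice.exu.li; " +
  "style-src-elem 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; " +
  "worker-src 'self'; frame-ancestors 'self';";

// Split a serialized policy into directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // duplicate directives are ignored
  }
  return policy;
}

// Return the directive that actually governs `directive`, and its source list.
function effectiveSources(policy, directive) {
  for (const name of FALLBACK[directive] || [directive]) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return { from: null, sources: null }; // nothing applies: unrestricted
}

// Directives never written in the policy that still resolve to 'none'.
function inheritedDenials(policy) {
  return Object.keys(FALLBACK).filter((d) => {
    const { from, sources } = effectiveSources(policy, d);
    return from !== null && from !== d && sources.join(' ').toLowerCase() === "'none'";
  });
}

console.log(inheritedDenials(parsePolicy(ISSUE_CSP)));
```

A CSP violation report for a blocked request names the directive that was enforced, which confirms or rules out each candidate. A `Content-Security-Policy` header added at the proxy does not replace the one the application sends; a request has to satisfy every policy delivered with the response.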