[Bug]: Request does not pass strict cookie check NC 31 #52160

Open
donniewr opened this issue Apr 12, 2025 · 2 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 31-feedback bug

Comments

@donniewr

⚠️ This issue respects the following points: ⚠️

Bug description

I’m getting a lot more “Request does not pass strict cookie check” errors since I upgraded to NC 31. It seems to happen most often on Apple devices and with publicly shared video links. The page becomes empty.

Steps to reproduce

1. Share a public link (Video)
2. Access the link on an Apple device.

This issue doesn't occur on my Apple devices, but all the logs from my users indicate they are using Apple devices.

Expected behavior

A video player.

Nextcloud Server version

31

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Nginx

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.domain.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.3.2",
        "overwrite.cli.url": "https:\/\/cloud.domain.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "htaccess.RewriteBase": "\/",
        "skeletondirectory": "",
        "default_language": "en",
        "knowledgebaseenabled": false,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "updater.release.channel": "stable",
        "default_phone_region": "US",
        "theme": "",
        "loglevel": 2,
        "simpleSignUpLink.shown": false,
        "app_install_overwrite": [
            "group_default_quota",
            "breezedark",
            "transfer"
        ],
        "enforce_theme": "dark",
        "profile.enabled": false,
        "defaultapp": "files",
        "maintenance_window_start": 1,
        "files.chunked_upload.max_size": 0
    }
}

List of activated Apps

Enabled:
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - cloud_federation_api: 1.14.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - theming: 2.6.1
  - theming_customcss: 1.18.0
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - viewer: 4.0.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0

Nextcloud Signing status

Nextcloud Logs

{"reqId":"HOHCuiZu15Brx99H8CBz","level":2,"time":"2025-04-12T12:17:58+00:00","remoteAddr":"IP","user":false,"app":"no app in context","method":"GET","url":"/public.php/dav/files/iKpgJZIOPiG82f/?accept=zip","message":"Request does not pass strict cookie check","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 18_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.2 Mobile/15E148 Safari/604.1","version":"31.0.3.2","data":[],"id":"67fa642eee18b"}

Additional info

Could it be the "accept=zip" in the URL, not sure why it's here.

@donniewr donniewr added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Apr 12, 2025
@susnux
Contributor

susnux commented Apr 16, 2025

Could it be the "accept=zip" in the URL, not sure why it's here.

That is a request to download that folder as a zip file.

@susnux
Contributor

susnux commented Apr 16, 2025

In general this warning will be shown if the user tries to visit an API URL without previously visiting any cloud website, meaning the client is sending either no strict cookies (but at least one other cookie) or strict cookies of an old version.
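
To check whether the failures in this thread really cluster on Apple clients and public share URLs, the log can be grouped by endpoint and client family. This is an added example, not part of the issue or of Nextcloud's code; the sample entries are constructed in the format of the log line above, and `endpoint`, `client_family` and `summarize` are hypothetical helper names.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

MESSAGE = "Request does not pass strict cookie check"
IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_2_1 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"
WINDOWS = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/137.0"

# Constructed sample entries (JSON lines, same fields as the log line in this issue).
SAMPLE_LOG = "\n".join([
    json.dumps({"url": "/public.php/dav/files/TOKENAAA/?accept=zip", "message": MESSAGE, "userAgent": IPHONE}),
    json.dumps({"url": "/public.php/dav/files/TOKENBBB/?accept=zip", "message": MESSAGE, "userAgent": IPHONE}),
    json.dumps({"url": "/public.php/dav/files/TOKENCCC/?accept=zip", "message": MESSAGE, "userAgent": WINDOWS}),
    json.dumps({"url": "/index.php/login", "message": "Login failed", "userAgent": IPHONE}),
    "truncated line that is not JSON",
])

def endpoint(url):
    """Reduce a URL to a groupable endpoint; mask the public share token."""
    parts = urlsplit(url)
    path = re.sub(r"^(/public\.php/dav/files/)[^/]+", r"\1<token>", parts.path)
    return path + ("?" + parts.query if parts.query else "")

def client_family(user_agent):
    """Coarse platform bucket taken from the User-Agent header."""
    ua = user_agent or ""
    if re.search(r"iPhone|iPad|Macintosh", ua):
        return "apple"
    if "Android" in ua:
        return "android"
    if "Windows" in ua:
        return "windows"
    return "other"

def summarize(log_text):
    """Count strict-cookie-check failures per (endpoint, client family)."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("message") != MESSAGE:
            continue
        counts[(endpoint(entry.get("url") or ""), client_family(entry.get("userAgent")))] += 1
    return counts

if __name__ == "__main__":
    for (ep, family), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {family:8s} {ep}")
```

Masking the share token keeps all public-share requests in one bucket and keeps tokens out of any report that gets pasted into a ticket.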
