Skip to content

Combining terms_of_service and forms leads to busyloop #1151

New issue
New issue
Open
Open
Combining terms_of_service and forms leads to busyloop#1151
Labels
0. Needs triagebug
@christian-heusel

Description

@christian-heusel
christian-heusel
opened on Mar 9, 2026

How to use GitHub

  • Please use the 👍 reaction to show that you are affected by the same issue.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Steps to reproduce

  1. Setup forms & terms of service
  2. Embed a form into another webpage
  3. Observe that the browser is running in circles while fetching a CSRF token, failing and repeat

Expected behaviour

The extension should either display the ToS banner or bail. In the best case it would also be configurable whether the banner is shown at all in forms.

Actual behaviour

You can test this by going to this test site and check the network tab via f12:

https://pkgbuild.com/~gromit/nextcloud-tos-issue/

Image

Server configuration

(this is a hosted product https://www.hetzner.com/storage/storage-share/ but the hoster does a mostly standard nextcloud deployment)

Web server: I don't know

Database: mysql

PHP version: 8.3.29

Nextcloud version: 31.0.13

List of activated apps 
Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - announcementcenter: 7.2.2
  - bruteforcesettings: 4.0.0
  - calendar: 5.5.15
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.3.16
  - contactsinteraction: 1.12.1
  - dav: 1.33.0
  - deck: 1.15.6
  - external: 6.0.2
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.2
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - forms: 5.2.4
   - groupfolders: 19.1.17
  - impersonate: 2.0.1
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - notify_push: 1.3.0
  - oauth2: 1.19.1
  - onlyoffice: 9.13.0
  - password_policy: 3.0.0
  - passwords: 2026.2.10
  - photos: 4.0.0
  - polls: 8.6.3
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - quota_warning: 1.23.0
  - recommendations: 4.0.0
   - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - tasks: 0.17.1
  - terms_of_service: 4.6.1
  - text: 5.0.2
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_email: 2.8.5
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
   - twofactor_webauthn: 2.6.0
  - updatenotification: 1.21.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - app_api: 5.0.2 (installed 4.0.6)
  - appointments: 2.6.2 (installed 2.6.2)
  - apporder: 0.15.0 (installed 0.15.0)
  - dashboard: 7.11.0 (installed 7.4.0)
  - encryption: 2.19.0
  - files_external: 1.23.0
  - files_rightclick: 0.15.1 (installed 0.15.1)
  - geoblocker: 0.5.19 (installed 0.5.19)
  - group_everyone: 0.1.19 (installed 0.1.19)
  - logreader: 4.0.0 (installed 2.13.0)
  - notes: 4.13.0 (installed 4.13.0)
  - suspicious_login: 9.0.1 (installed 4.2.1)
  - user_ldap: 1.22.0
Nextcloud configuration 
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

Browser

Browser name: Firefox & Chrome

Browser version: firefox 148.0 & google-chrome 145.0.7632.159

Operating system: Arch Linux

Browser log 
xhr.js:195  GET https://www.ejtcloud.de/ocs/v2.php/apps/terms_of_service/terms 412 (Precondition Failed)
(anonymous) @ xhr.js:195
xhr @ xhr.js:15
Ws @ dispatchRequest.js:51
_request @ Axios.js:187
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16Understand this error
index.mjs:12 Request to https://www.ejtcloud.de/ocs/v2.php/apps/terms_of_service/terms failed because of a CSRF mismatch. Fetching a new token
(anonymous) @ index.mjs:12
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16Understand this warning
xhr.js:195  GET https://www.ejtcloud.de/ocs/v2.php/apps/terms_of_service/terms 412 (Precondition Failed)
(anonymous) @ xhr.js:195
xhr @ xhr.js:15
Ws @ dispatchRequest.js:51
_request @ Axios.js:187
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16Understand this error
index.mjs:12 Request to https://www.ejtcloud.de/ocs/v2.php/apps/terms_of_service/terms failed because of a CSRF mismatch. Fetching a new token
(anonymous) @ index.mjs:12
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16
Promise.then
_request @ Axios.js:196
request @ Axios.js:40
(anonymous) @ bind.js:5
(anonymous) @ index.mjs:16Understand this warning
xhr.js:195  GET https://www.ejtcloud.de/ocs/v2.php/apps/terms_of_service/terms 412 (Precondition Failed)

Metadata

Metadata

Assignees

No one assigned

    Labels

    0. Needs triagebug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions