Updated by Kabiru Mwenja 3 months ago
#### Description
Hi,
After configuring a Hocuspocus server (deployed with Docker) in OpenProject, when I try to edit a document, I get an error:
In the developer console, I get this error:
`Connecting to 'wss://hocuspocus.xxxxxx.fr/' violates the following Content Security Policy directive: "connect-src 'self' https://hocuspocus.xxxxxx.fr". The action has been blocked.`
I added the CSP with:
`sudo openproject config:set OPENPROJECT_CSP_CONNECT_SRC="'self' https://hocuspocus.xxxxxx.fr wss://hocuspocus.xxxxxx.fr"`
I ran:
`sudo openproject configure`
`sudo openproject restart`
<br>
When I check on the command line:
`sudo openproject config:get OPENPROJECT_CSP_CONNECT_SRC`
It returns: `'self' https://hocuspocus.xxxxxx.fr wss://hocuspocus.xxxxxx.fr`
So the config seems OK.
But when I check the content-security-policy header in the developer console on OpenProject pages, `wss://hocuspocus.xxxxxx.fr` is not present (only `https://hocuspocus.xxxxxx.fr` is included).
The wss:// directives in `OPENPROJECT_CSP_CONNECT_SRC` seem to be ignored and not injected into the content-security-policy header, and the error for Hocuspocus is still present.
How can I inject wss properly into the content-security-policy?
<br>
#### Expected Behavior
* When configuring the Hocuspocus server URL via the admin dashboard `<your-instance-url>/admin/settings/document_collaboration_settings` or via the environment variable `OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__URL`, it should be validated and feedback provided on invalid input, e.g. inputting an `https://` scheme instead of a `ws://` scheme. There should also be a clear form caption guiding the user on the expected input.
<br>
**OpenProject installation type**
* Packaged installation
* Ubuntu 22.04
<br>
**OpenProject version 17.1.0 (Enterprise subscription)**
**Browser**
* [x] Chrome
* [x] Firefox
* [ ] Safari
* [ ] Mobile Safari
* [ ] Other (please specify)
<br>
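A way to check whether a served `Content-Security-Policy` header permits the WebSocket connection from the report above, added here as an example (it is not part of the report and not OpenProject code). It applies the CSP Level 3 scheme-part rules, under which an `https://` host-source does not cover a `wss://` request; hostnames are placeholders, function names are hypothetical, and source paths, bare `*` and port wildcards are not handled.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Constructed sample values; the hostnames are placeholders, not the reporter's.
PAGE = "https://openproject.example.test"
SOCKET = "wss://hocuspocus.example.test/"
SERVED = "connect-src 'self' https://hocuspocus.example.test"
WANTED = SERVED + " wss://hocuspocus.example.test"

def scheme_part_matches(a, b):
    """CSP Level 3 scheme-part match: source scheme a against request scheme b."""
    a, b = a.lower(), b.lower()
    return (a == b or (a == "http" and b == "https")
            or (a == "ws" and b in ("wss", "http", "https"))
            or (a == "wss" and b == "https"))

def _port(u):
    return u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(source, url, page):
    """Match 'self', a scheme-source or a host-source (no path, no bare *)."""
    t, p = urlsplit(url), urlsplit(page)
    if source.lower() == "'self'":
        if (p.scheme, p.hostname, _port(p)) == (t.scheme, t.hostname, _port(t)):
            return True
        defaults = (_port(p) == DEFAULT_PORTS.get(p.scheme)
                    and _port(t) == DEFAULT_PORTS.get(t.scheme))
        secure = t.scheme in ("https", "wss") or (
            p.scheme == "http" and t.scheme in ("http", "ws"))
        return (p.hostname == t.hostname and secure
                and (_port(p) == _port(t) or defaults))
    if source.endswith(":"):                      # scheme-source such as wss:
        return scheme_part_matches(source[:-1], t.scheme)
    s = urlsplit(source if "://" in source else "//" + source)
    if not scheme_part_matches(s.scheme or p.scheme, t.scheme):
        return False
    host, target = s.hostname or "", t.hostname or ""
    host_ok = target.endswith(host[1:]) if host.startswith("*.") else host == target
    # Exact port comparison only; a source without a port needs the default port.
    return host_ok and _port(t) == (s.port or DEFAULT_PORTS.get(t.scheme))

def connect_allowed(policy, url, page):
    """True if connect-src (or the default-src fallback) permits url."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first one wins
    sources = directives.get("connect-src", directives.get("default-src"))
    return sources is None or any(source_matches(s, url, page) for s in sources)
```

Paste the header value the browser actually received into `SERVED` to evaluate the effective policy rather than the configured one, since the report shows the two can differ.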