Begin of the insertionOpenProject's front-end needs to allow the browser to connect toEnd of the insertion Begin of the deletion Extend CSP `connect-src` with all addresses ofEnd of the deletion external file Begin of the insertionservers for direct file uploads. Therefore it needs to extend its content security policy (CSP) \`connect-src\` byEnd of the insertion Begin of the deletion storages where

* End of the deletion the Begin of the insertionhost names of all servers that the current userEnd of the insertion Begin of the deletion storageEnd of the deletion is Begin of the insertionallowed to upload files. That is the case for all storages that activatedEnd of the insertion Begin of the deletion activeEnd of the deletion in at least one Begin of the insertionactiveEnd of the insertion project Begin of the insertionin whichEnd of the insertion Begin of the deletion whereEnd of the deletion the Begin of the deletion currentEnd of the deletion user is member and has the permission to Begin of the insertion\`manage\_file\_links\`.End of the insertion Begin of the deletion `manage_file_links` (other storages are not exposed)
* End of the deletion The Begin of the insertionallowed values can be different for everyEnd of the insertion Begin of the deletion appended bit gets cached perEnd of the deletion user Begin of the insertionand can change every time a store gets activated, removed, a role changes, or even project memberships. Caching it, without accessing the DB seems to be pretty impossible. So we decided to not do itEnd of the insertion for Begin of the insertionnow.

We extend the CSP for all HTML requests as work packages can pop in many places of OpenProject, and we want to be able to upload in all those places (work packages module, BCF module, notification center, boards, ...).End of the insertion Begin of the deletion 10 secondsEnd of the deletion