From version 24.12.4.1 onwards CSP directives in coolwsd.xml are being ignored

When upgrading the CODE docker image in our system from version 24.04.12.3.1 to 24.04.12.4.1 (and any of the subsequent versions), the response header returned from the <collabora-host>/browser/30822a710f/cool.html endpoint no longer includes the extra frame-ancestors values as supplied in coolwsd.xml’s <content_security_policy/> element.

This throws the following browser error and stops the iframe from loading Collabora:
Refused to frame 'https://<our-collabora-online-host>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors <our-collabora-online-host>:* <our-collabora-online-internal-host>:*"

This header value, when returned from 24.04.12.3.1 and earlier versions, has all the additional values prepended to the header before the two default ones, allowing the iframe to load Collabora.

Is this a known issue? I can’t find anything from scouring this forum or the web.

Any help appreciated. Thanks!
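
Added example (not part of the original post and not Collabora's code): a simplified `frame-ancestors` matcher that shows why the embedding page is refused once its host is missing from the header. The host names and header values are constructed placeholders, and the matching ignores IPv6, `'self'` and the http-to-https upgrade rule.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def frame_ancestors(csp_header):
    """Return the frame-ancestors source list of a CSP header value, or None if absent."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source, origin):
    """Simplified host-source match (no IPv6, no 'self', no http->https upgrade rule)."""
    o = urlsplit(origin)
    o_host = (o.hostname or "").lower()
    o_port = o.port or DEFAULT_PORTS.get(o.scheme)
    if source == "*":
        return True
    if source.startswith("'"):            # 'none' / 'self' keywords: not modelled here
        return False
    if source.endswith(":") and "/" not in source:   # scheme-source such as "https:"
        return source[:-1].lower() == o.scheme
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.split("/", 1)[0].lower().partition(":")
    if scheme and scheme.lower() != o.scheme:
        return False
    if host.startswith("*."):             # wildcard matches subdomains only
        if not o_host.endswith(host[1:]):
            return False
    elif host != o_host:
        return False
    if port == "*":                       # ":*" accepts any port, as in the error above
        return True
    return o_port == (int(port) if port else DEFAULT_PORTS.get(o.scheme))

def ancestor_allowed(csp_header, ancestor_origin):
    """True if the embedding page's origin passes frame-ancestors (or none is set)."""
    sources = frame_ancestors(csp_header)
    if sources is None:
        return True
    return any(source_matches(s, ancestor_origin) for s in sources)

# Constructed header values with placeholder hosts, modelled on the error in the post.
DEFAULTS = "collabora.example.test:* collabora-internal.example.test:*"
BEFORE = f"frame-ancestors app.example.test:* {DEFAULTS}"
AFTER = f"frame-ancestors {DEFAULTS}"

if __name__ == "__main__":
    for name, header in (("before", BEFORE), ("after", AFTER)):
        print(name, ancestor_allowed(header, "https://app.example.test"))
```

To use it on a real deployment, pass the Content-Security-Policy value returned by the cool.html endpoint and the origin of the page that hosts the iframe.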

Hi @PaddyTB

Let me check the commit details between these 2 versions. Maybe it was an intentional change to fix something.

Thanks
Darshan


Thanks @darshan - fingers crossed it's something obvious.

Just want to say that,

You’re welcome to join the community meeting to share your thoughts, ideas, or get involved in Collabora Online—it’s a public meeting.

We hold it every Thursday, and we also have TTT (Tea Time Training) every Friday to educate and explore more topics on Collabora Online.

Cheers
Darshan