From version 24.12.4.1 onwards CSP directives in coolwsd.xml are being ignored

When upgrading the CODE docker image in our system from version 24.04.12.3.1 to 24.04.12.4.1 (and any of the subsequent versions), the response header returned from the <collabora-host>/browser/30822a710f/cool.html endpoint no longer includes the extra frame-ancestors values as supplied in coolwsd.xml’s <content_security_policy/> element.

This throws the following browser error and stops the iframe from loading Collabora:
Refused to frame 'https://<our-collabora-online-host>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors <our-collabora-online-host>:* <our-collabora-online-internal-host>:*"

This header value when returned from 24.04.12.3.1 and earlier versions has all the additional values prepended to the header before the two default ones allowing the iframe to load Collabora.

Is this a known issue? I can’t find anything from scouring this forum or the web.

Any help appreciated. Thanks!
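A way to check for the regression described in the post above, as an added example that is not part of the original thread or the Collabora code base: parse the Content-Security-Policy header returned by cool.html and report which configured frame-ancestors sources are missing. The host names and header strings are constructed placeholders, and the comparison is literal rather than full browser source matching.

```python
def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def missing_frame_ancestors(header, expected):
    """Return the expected source expressions not listed in frame-ancestors.

    Comparison is literal and case-insensitive; wildcard and scheme matching
    as a browser performs it is not implemented (assumption of this example).
    """
    policy = parse_csp(header)
    if "frame-ancestors" not in policy:
        return []  # directive absent: CSP does not restrict framing at all
    present = {s.lower() for s in policy["frame-ancestors"]}
    return [e for e in expected if e.lower() not in present]


# Constructed sample data: host names are placeholders, not from the thread.
EXPECTED = ["https://portal.example.test"]
HEADER_OLD = ("default-src 'none'; frame-ancestors https://portal.example.test "
              "collabora.example.test:* collabora-internal.example.test:*; "
              "img-src 'self' data:")
HEADER_NEW = ("default-src 'none'; frame-ancestors "
              "collabora.example.test:* collabora-internal.example.test:*; "
              "img-src 'self' data:")

if __name__ == "__main__":
    for label, header in (("old", HEADER_OLD), ("new", HEADER_NEW)):
        gaps = missing_frame_ancestors(header, EXPECTED)
        print(label, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

Feeding it the real header value captured before and after an image upgrade turns the browser-side failure into a check that can run in a deployment pipeline.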

Hi @PaddyTB

Let me check the commit details between these 2 versions. Maybe it was an intentional change to fix something.

Thanks
Darshan


Thanks @darshan - fingers crossed it’s something obvious.

Just want to say that,

You’re welcome to join the community meeting to share your thoughts, ideas, or get involved in Collabora Online—it’s a public meeting.

We hold it every Thursday, and we also have TTT (Tea Time Training) every Friday to educate and explore more topics on Collabora Online.

Cheers
Darshan

Thanks @darshan I’ll try to call in 🙂

Did you have any joy looking at the commits? Should I log this formally as a bug? Seems too big of an issue for it not to have affected anyone else…

Hi @darshan sorry to chase this - did you find anything? Should I go ahead and log this as a bug?

Hi @PaddyTB

I have been busy with some other development stuff. Sorry, I haven’t had time to look at this issue.

Yes, please feel free to report it. As soon as I get time I will jump on to this issue…

Once again sorry

Thanks
Darshan

Hi @darshan no worries and thanks for responding - I see you are very busy!

Hi @darshan,

I’ve added this bug: CSP directives in coolwsd.xml are being ignored from CODE v24.12.4.1 onwards · Issue #11573 · CollaboraOnline/online · GitHub

Let me know if it needs any more info.

Thanks,
Paddy
