Content Security Policy (CSP) is a security standard intended to prevent some threats, such as Cross-Site Scripting (XSS) attacks etc. When CSP is enabled, it allows to load the contents from the approved sources only. Particularly, it prohibits requests to third-party domains which have not been explicitly allowed.

If you are using ONLYOFFICE Docs (Enterprise Edition or Developer Edition) integrated with your web solution, and if CSP is enabled on your web server to improve safety and security measures, the CSP default settings may cause some issues. ONLYOFFICE Online Editors include a number of plugins, some of which use third-party resources and make requests to third-party domains, e.g. the YouTube plugin. As CSP prohibits requests to third-party domains, this prevents plugins from proper working, e.g. block loading YouTube video.

Adding third-party domains to the list of allowed sources

For plugins to work correctly you need to allow requests to certain domains (the full list of domains is available below). This can be done by changing the HTTP header which enables CSP. Depending on the solution that you use, this header can be located in different files. This instruction describes the basic principles, not the individual cases. The header should look like this:

Header set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self';  img-src 'self'; style-src 'self';"

This string contains directives which specify the allowed sources for different types of content: scripts, stylesheets, fonts, images, HTML5 <audio> or <video> elements etc.

The default-src directive is applied when a directive for a certain resource type is not specified.

‘self’ means that the contents can be loaded from the the current domain only.

It’s necessary to edit the default-src directive adding the trusted domains values:

default-src 'self' *.trusted1.com *.trusted2.com

This will allow to make requests to and load contents from the specified trusted domains *.trusted1.com and *.trusted2.com including their subdomains.

Third-party domain list

The following plugins make requests to third-party domains:

Plugin	Domain
`clipart`	https://openclipart.org
`speech`	https://code.responsivevoice.org
`youtube`	https://www.youtube.com
`thesaurus`	https://words.bighugelabs.com
`translate`	https://translate.yandex.net
`ocr`	https://cdn.rawgit.com

The following plugins from the listed above are included into ONLYOFFICE Online Editors by default: ocr, speech, thesaurus, translate, youtube.

The clipart plugin is not included into online editors, but it is available on https://github.com/ONLYOFFICE/sdkjs-plugins and you can add it to editors manually.

To add all the mentioned domains into the list of allowed sources, the HTTP header should look like this:

Header set Content-Security-Policy "default-src 'self' *openclipart.org *code.responsivevoice.org *www.youtube.com *words.bighugelabs.com *translate.yandex.net *cdn.rawgit.com; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

if you additionally configured ONLYOFFICE Enterprise Edition to use CSP and enabled the wordpress and easybib plugins, you’ll also need to specify the *wordpress.com and *easybib.com domains.

Download Host on your own server Available for
Docker, Windows and Linux

Voci con l'etichetta :

Changelog

Centro assistenza

ONLYOFFICE Docs Developer Edition

Working with plugins when using CSP

Introduction

Adding third-party domains to the list of allowed sources

Third-party domain list