BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

Internally Hosted Draw.IO is not usable, "This content is blocked. Contact the site owner to fix the issue." #5107

Closed thickconfusion closed 3 months ago

thickconfusion commented 3 months ago

Describe the Bug

Similar to #2285 , I am getting a gray page in Chrome that says "This content is blocked. Contact the site owner to fix the issue."

I have the following environment variables set for the container: DRAWIO=http://172.31.1.167:8080/?embed=1&proto=json&spin=1&configure=1&stealth=1 I have also attempted to modify this environment variable: ALLOWED_IFRAME_SOURCES=

I've tried:

The only one that "works" is if I make it ALLOWED_IFRAME_SOURCES="*", which seems like a security vulnerability even if I'm running this on a LAN.

Note: I can access the plain old Draw.IO interface just fine: http://172.31.1.167:8080, and it loads.

Steps to Reproduce

Edit a page, click the icon to work on a Draw.io image.

Expected Behaviour

I expect to load into a Draw.IO instance.

Screenshots or Additional Context

No response

Browser Details

Chrome and Edge on Windows 11

Exact BookStack Version

v24.05.2

ssddanbrown commented 3 months ago

Hi @thickconfusion,

You shouldn't need to adjust the iframe sources since BookStack will look to automatically add any custom drawio URL, where set, to the CSP rules. Maybe our custom handling is tripping up any additional rules you're adding.

It does look though like we are not currently handling scenarios where non-protocol-standard ports are used. I've marked this to be tested for next patch, against a custom-ported drawio instance.

Dev reference

https://github.com/BookStackApp/BookStack/blob/78ebcb6f38ee7a984b26cd56dff882ae9d7e9f95/app/Util/CspService.php#L144
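The behaviour described in the comment above (BookStack derives a CSP `frame-src` source from the configured DRAWIO URL automatically, but the host-only form drops a non-standard port) is worth seeing against the browser's matching rule, because it explains the "This content is blocked" page: under CSP, a host-source with no port matches only the scheme's default port, so `http://172.31.1.167` never matches a frame loaded from `http://172.31.1.167:8080`. The following is an added example in Python, not BookStack's own `CspService` code. It assumes the DRAWIO URL quoted in the issue, a constructed page origin `http://wiki.example.internal`, and implements simplified CSP3 host-source matching (no `*.host` wildcards, no path matching). `include_port=False` stands in for the pre-fix behaviour; `include_port=True` for the fixed one.

```python
"""Added example (not BookStack's own CspService code): build a frame-src
directive from a DRAWIO-style URL and check whether a given frame URL passes
simplified CSP host-source matching. Constructed sample values only."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample input, taken from the values quoted in the issue.
DRAWIO_URL = "http://172.31.1.167:8080/?embed=1&proto=json&spin=1&configure=1&stealth=1"
# Hypothetical origin of the BookStack instance serving the page.
PAGE_ORIGIN = "http://wiki.example.internal"


def csp_source_from_url(url: str, include_port: bool = True) -> str:
    """Reduce a full URL (path, query and all) to a CSP host-source.

    include_port=False reproduces the pre-fix behaviour described in the
    issue: scheme and host only, so an explicit :8080 is silently dropped.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL with a host: {url!r}")
    source = f"{parts.scheme}://{parts.hostname}"
    if include_port and parts.port is not None:
        source += f":{parts.port}"
    return source


def build_frame_src(drawio_url: str, allowed_iframe_sources: str = "",
                    include_port: bool = True) -> str:
    """Assemble a frame-src directive: 'self', the drawio origin, then any
    extra space-separated sources (the ALLOWED_IFRAME_SOURCES role)."""
    sources = ["'self'", csp_source_from_url(drawio_url, include_port)]
    sources.extend(allowed_iframe_sources.split())
    return "frame-src " + " ".join(sources)


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified CSP3 host-source matching: no *.host wildcards, no path
    matching. The port rule is the one that matters here: a source with no
    port only matches the scheme's default port."""
    if source == "*":
        return True
    if source == "'self'":
        source = page_origin
    if "://" not in source:
        source = "//" + source  # host[:port] form, scheme inherited from the page
    s = urlsplit(source)
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        return False
    expected_scheme = s.scheme or urlsplit(page_origin).scheme
    # http sources may match https URLs (scheme upgrade), nothing else crosses schemes
    if u.scheme != expected_scheme and not (expected_scheme == "http" and u.scheme == "https"):
        return False
    if s.hostname != u.hostname:
        return False
    url_port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    if s.port is None:
        return url_port == DEFAULT_PORTS[u.scheme]
    return s.port == url_port


def frame_allowed(frame_src_directive: str, frame_url: str, page_origin: str) -> bool:
    """Would a browser enforcing this frame-src directive load frame_url?"""
    directive, *sources = frame_src_directive.split()
    if directive != "frame-src":
        raise ValueError("expected a frame-src directive")
    return any(_source_matches(src, frame_url, page_origin) for src in sources)


def demo() -> dict:
    """Pre-fix vs fixed directive, plus the '*' workaround from the issue."""
    before = build_frame_src(DRAWIO_URL, include_port=False)
    after = build_frame_src(DRAWIO_URL)
    wildcard = build_frame_src(DRAWIO_URL, allowed_iframe_sources="*")
    return {
        "before": before,
        "after": after,
        "before_allows_drawio": frame_allowed(before, DRAWIO_URL, PAGE_ORIGIN),
        "after_allows_drawio": frame_allowed(after, DRAWIO_URL, PAGE_ORIGIN),
        # '*' lets any origin be framed, which is the concern raised in the issue
        "wildcard_allows_anything": frame_allowed(wildcard, "https://evil.example/", PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the host-only directive rejecting the `:8080` frame while the port-aware one accepts it, and the `*` workaround accepting an unrelated origin. When checking a live instance, compare the `Content-Security-Policy` response header from the page editor against the exact origin (scheme, host and port) the browser reports in its console error; the two must agree, and a trailing path or query string on the configured DRAWIO value is irrelevant to the match.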

thickconfusion commented 3 months ago

I commented out my ALLOWED_IFRAME_SOURCES line entirely, with my DRAWIO=http://172.31.1.167:8080/?embed=1&proto=json&spin=1&configure=1&stealth=1. I cleared browser cache, and I still have the problem. I again verified that I can launch http://172.31.1.167:8080 and Draw.IO loads just fine.

ssddanbrown commented 3 months ago

Sure, I was just saying that we attempt to handle this so you shouldn't have to set the iframe sources, but we currently don't handle custom-defined ports.

I've now fixed port handling via 897bb338f956245e2c86bda6cd5c6a67711f9448, with testing to cover, which will be part of the next patch release so I'll therefore close this off.

Not sure why your custom ALLOWED_IFRAME_SOURCES additions did not work, since I could work around this on my dev instance via this method, but it could be down to browser specifics or configuration changes not taking place when expected.

If you still have issues after the next patch release feel free to still comment here for further investigation.