YunoHost-Apps / cryptpad_ynh

CryptPad package for YunoHost
https://cryptpad.fr
GNU General Public License v3.0

From standard stable install : checkup failed with 19 / 25 tests passed #135

Open guizmoau opened 2 years ago

guizmoau commented 2 years ago

Describe the bug

On a fresh standard YunoHost VPS server, install the CryptPad app. A warning during install mentions that the instance is not secure and not ready for production since the checkup has not passed successfully. Go to the page https://mycryptpaddomain.com/checkup

The result is 19 / 25 tests passed.

failed test 4 It appears that you are trying to load this page via an origin other than its main domain (https://myyunohostmaindomain.com). See the httpUnsafeOrigin option in cryptpad/config/config.js which is exposed via /api/config.

failed test 15 support ticket functionality not enabled

failed test 16 web admin not setup

failed test 5 The main domain (configured via httpUnsafeOrigin as https://mycryptpaddomain.com in cryptpad/config/config.js and exposed via /api/config) could not be reached.

failed test 18 /common/onlyoffice/v4/web-apps/apps/spreadsheeteditor/main/index.html does not have the required 'content-security-policy' headers set. This is most often related to incorrectly configured sandbox domains or reverse proxies.

failed test 17 /sheet/inner.html does not have the required 'content-security-policy' headers set. This is most often related to incorrectly configured sandbox domains or reverse proxies.

Context

Steps to reproduce

Deploy cryptpad application and go on checkup page

Expected behavior

All checks shall be valid, and if some necessary configuration has to be made by the admin (tests 15 & 16), notify the admin clearly about it.
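Two of the failing checks in the report are easy to reason about offline: test 4 compares the origin the page was loaded from with `httpUnsafeOrigin`, and tests 17/18 look for a `content-security-policy` header on the sandboxed pages. The following is an added example, not CryptPad's checkup code and not part of this issue: a hypothetical checker that applies those two conditions to a constructed set of proxy responses, so an admin can see what the checkup is objecting to before touching the reverse-proxy configuration. The sample headers and the `cryptpad.example` domain are constructed for the example.

```python
"""Hypothetical offline analogue of two CryptPad checkup conditions described in
the report: origin matches httpUnsafeOrigin (test 4), and sandboxed pages carry
a Content-Security-Policy header (tests 17/18).  Not CryptPad's own code."""
from urllib.parse import urlsplit

# Paths the report says must carry a CSP header (tests 17 and 18).
SANDBOXED_PATHS = (
    "/sheet/inner.html",
    "/common/onlyoffice/v4/web-apps/apps/spreadsheeteditor/main/index.html",
)


def normalize_origin(url):
    """Reduce a URL to scheme://host[:port], lower-cased, default ports dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_matches(page_url, http_unsafe_origin):
    """Test 4 analogue: the page was loaded via the configured main domain."""
    return normalize_origin(page_url) == normalize_origin(http_unsafe_origin)


def parse_csp(header_value):
    """Split a CSP header into {directive: [sources]}; {} when the header is missing."""
    policy = {}
    if not header_value:
        return policy
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_failures(responses):
    """Tests 17/18 analogue.

    responses maps a path to the header dict the reverse proxy returned for it.
    Every sandboxed path whose response has no usable CSP is reported, with the
    same wording the checkup page uses in the report above.
    """
    failures = []
    for path in SANDBOXED_PATHS:
        headers = {k.lower(): v for k, v in responses.get(path, {}).items()}
        if not parse_csp(headers.get("content-security-policy")):
            failures.append(
                f"{path} does not have the required 'content-security-policy' headers set"
            )
    return failures


# Constructed sample: a proxy that forwards the CSP header for one path only.
SAMPLE_RESPONSES = {
    "/sheet/inner.html": {"Content-Type": "text/html"},
    "/common/onlyoffice/v4/web-apps/apps/spreadsheeteditor/main/index.html": {
        "Content-Type": "text/html",
        "Content-Security-Policy": (
            "default-src 'none'; script-src 'self'; "
            "frame-ancestors https://cryptpad.example"
        ),
    },
}

if __name__ == "__main__":
    # Loaded from the main domain: passes.  Loaded from another domain: fails.
    print(origin_matches("https://cryptpad.example/checkup", "https://cryptpad.example"))
    print(origin_matches("https://main.example/checkup", "https://cryptpad.example"))
    for failure in csp_failures(SAMPLE_RESPONSES):
        print(failure)
```

In the constructed sample only `/sheet/inner.html` is reported, which mirrors what happens when the reverse proxy serves the sandboxed paths without passing the application's CSP header through: the content is reachable but the header that is supposed to confine it is gone, so the checkup flags the path.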

ericgaspar commented 2 years ago

Our NGINX config is minimal and we don't have any sandboxing domain set. This branch tries to address that: https://github.com/YunoHost-Apps/cryptpad_ynh/tree/5.0.0 But I believe there is still some work to do... 😅

guizmoau commented 2 years ago

@ericgaspar Shall we warn users of this app somewhere/somehow that this application in that state (without a sandbox domain) is insecure? In the meantime, until that sandbox domain gets implemented, hopefully soon.

Or do we assume that they are all aware enough to understand that by themselves...

ericgaspar commented 2 years ago

I will not say that CryptPad without a sandbox is not safe: it's less bulletproof. I suggest waiting for the PR including sandboxing to pass.