jgraph / docker-drawio

Dockerized draw.io based on whichever is the most secure image at the time.
GNU General Public License v3.0

Onedrive support broken, Content Security Policy issue? #108

Closed. Kofl closed this issue 1 year ago.

Kofl commented 1 year ago

Hi,

Running the latest Docker version with Let's Encrypt and OneDrive integration. On the "Save diagrams to:" screen, the OneDrive icons load endlessly.

Web browser error console says:

app.min.js:287

   Refused to connect to 'https://www.draw.io/notifications' because it violates the following Content Security Policy directive: "connect-src 'self' https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com".

mxXmlRequest.send @ app.min.js:287 (index):189

   Refused to load the script 'http://localhost:8080/js/onedrive/OneDrive.js' because it violates the following Content Security Policy directive: "script-src 'self' https://storage.googleapis.com https://apis.google.com https://docs.google.com https://code.jquery.com 'unsafe-inline'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

docker run -it -m1g -v "/opt/docker/drawiodata/letsencrypt-log:/var/log/letsencrypt/" -v "/opt/docker/drawiodata/letsencrypt-etc:/etc/letsencrypt/" -v "/opt/docker/drawiodata/letsencrypt-lib:/var/lib/letsencrypt" -e LETS_ENCRYPT_ENABLED=true -e PUBLIC_DNS=d.domain.com -e DRAWIO_MSGRAPH_CLIENT_ID=xy -e DRAWIO_MSGRAPH_CLIENT_SECRET=xy -e DRAWIO_MSGRAPH_TENANT_ID=xy --rm --name="drawio" -p 80:80 -p 443:8443 jgraph/drawio

m-mohamedin commented 1 year ago

The OneDrive.js is loaded from localhost:8080 and not the URL of your setup. You need to set DRAWIO_BASE_URL to your URL.

You can also set DRAWIO_CSP_HEADER if needed. The default is default-src 'self'; script-src 'self' https://storage.googleapis.com https://apis.google.com https://docs.google.com https://code.jquery.com 'unsafe-inline'; connect-src 'self' https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; img-src * data:; media-src * data:; font-src * about:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src 'self' https://*.google.com;

Add localhost to script-src, something like:

default-src 'self'; script-src 'self' http://localhost:8080 https://storage.googleapis.com https://apis.google.com https://docs.google.com https://code.jquery.com 'unsafe-inline'; connect-src 'self' https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; img-src * data:; media-src * data:; font-src * about:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src 'self' https://*.google.com;

But setting DRAWIO_BASE_URL should fix the issue.
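The reply above hinges on how a browser evaluates `script-src` and `connect-src` against a URL: `'self'` only covers the origin the page was served from, so a script URL built from the wrong base (`http://localhost:8080`) fails, and a host that is simply absent from the list (`www.draw.io`) fails too. The following is an added example, written for this edit and not code from the issue or from the docker-drawio project. It implements the CSP Level 3 source-expression matching rules that matter here (`'self'`, scheme-sources, `*.` host wildcards, ports, path prefixes and the `script-src-elem` to `script-src` to `default-src` fallback the console error mentions) and runs them against the default header quoted above. The origin `https://d.domain.com` is an assumption derived from the `PUBLIC_DNS` value in the reporter's command, and the test URLs are constructed from the two console errors plus a few calls the policy is meant to permit.

```python
"""Offline CSP check: would a browser fetch a given URL under draw.io's policy? Implements the
CSP3 rules this issue turns on: 'self', scheme-sources, "*." host wildcards, ports, paths and
the script-src-elem -> script-src -> default-src fallback named in the console error."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Directives that fall back to another directive before reaching default-src.
DIRECTIVE_FALLBACK = {"script-src-elem": "script-src", "script-src-attr": "script-src",
                      "style-src-elem": "style-src", "style-src-attr": "style-src",
                      "frame-src": "child-src", "worker-src": "child-src"}
# The container's default header as quoted in the issue (markdown backslashes removed).
DEFAULT_CSP = (
    "default-src 'self'; script-src 'self' https://storage.googleapis.com https://apis.google.com "
    "https://docs.google.com https://code.jquery.com 'unsafe-inline'; connect-src 'self' "
    "https://*.dropboxapi.com https://api.trello.com https://api.github.com "
    "https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com "
    "https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com "
    "https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; img-src * data:; "
    "media-src * data:; font-src * about:; style-src 'self' 'unsafe-inline' "
    "https://fonts.googleapis.com; frame-src 'self' https://*.google.com;"
)
# Constructed cases: the two URLs from the console errors plus calls the policy should allow.
CASES = [("script-src-elem", "http://localhost:8080/js/onedrive/OneDrive.js"),
         ("script-src-elem", "https://d.domain.com/js/onedrive/OneDrive.js"),
         ("connect-src", "https://www.draw.io/notifications"),
         ("connect-src", "https://graph.microsoft.com/v1.0/me/drive/root"),
         ("connect-src", "https://api.dropboxapi.com/2/files/upload")]


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    tokens = [t.split() for t in header.split(";")]
    return {t[0].lower(): t[1:] for t in tokens if t}


def effective_sources(policy, directive):
    while directive not in policy:          # e.g. script-src-elem -> script-src -> default-src
        if directive == "default-src":
            return None                     # nothing governs this fetch type: unrestricted
        directive = DIRECTIVE_FALLBACK.get(directive, "default-src")
    return policy[directive]


def _scheme_matches(expected, actual):      # an http/ws source also covers its TLS upgrade
    return expected == actual or (expected, actual) in {("http", "https"), ("ws", "wss")}


def _host_matches(pattern, host):
    if pattern.startswith("*."):            # "*.1drv.com" matches any subdomain, not the apex
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return pattern in ("*", host)


def _parse_host_source(expr):
    """Return (scheme, host, port, path) of a host-source; absent parts are None."""
    scheme = path = port = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    if "/" in expr:
        expr, tail = expr.split("/", 1)
        path = "/" + tail
    if ":" in expr:                         # IPv6 literals are not handled here
        expr, port = expr.rsplit(":", 1)
    return (scheme.lower() if scheme else None), expr.lower(), port, path


def source_matches(expr, url, origin):
    """Does one source expression permit `url` for a document served from `origin`?"""
    u, o = urlsplit(url), urlsplit(origin)
    u_scheme, u_host = u.scheme.lower(), (u.hostname or "").lower()
    u_port = u.port if u.port is not None else DEFAULT_PORTS.get(u_scheme)
    if expr.startswith("'"):                # keywords, nonces and hashes never match a URL...
        if expr.lower() != "'self'":
            return False
        o_port = o.port if o.port is not None else DEFAULT_PORTS.get(o.scheme.lower())
        return (_scheme_matches(o.scheme.lower(), u_scheme)     # ...except 'self'
                and u_host == (o.hostname or "").lower() and u_port == o_port)
    if expr == "*":                         # any network scheme, but not data:/blob:
        return u_scheme in DEFAULT_PORTS
    if expr.endswith(":") and "/" not in expr:      # scheme-source such as "data:"
        return _scheme_matches(expr[:-1].lower(), u_scheme)
    scheme, host, port, path = _parse_host_source(expr)
    scheme = scheme or o.scheme.lower()     # bare host inherits the page's scheme
    if not (_scheme_matches(scheme, u_scheme) and _host_matches(host, u_host)):
        return False
    if port is None and u_port != DEFAULT_PORTS.get(u_scheme):
        return False                        # no port in the expression: default port only
    if port not in (None, "*") and int(port) != u_port:
        return False
    if path:                                # "/dir/" is a prefix match, "/file" is exact
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def fetch_allowed(policy, directive, url, origin):
    """True if the browser would load `url` under `directive`, honouring fallbacks."""
    sources = effective_sources(policy, directive)
    return sources is None or any(source_matches(s, url, origin) for s in sources)


if __name__ == "__main__":
    origin = "https://d.domain.com"        # assumed: built from PUBLIC_DNS in the issue
    policy = parse_csp(DEFAULT_CSP)
    for directive, url in CASES:
        print("ALLOW" if fetch_allowed(policy, directive, url, origin) else "BLOCK", directive, url)
```

Run as-is, the first case (the `OneDrive.js` URL built from `localhost:8080`) is blocked while the same path on the `PUBLIC_DNS` origin passes through `'self'`, which is exactly why setting `DRAWIO_BASE_URL` resolves the script error without touching the policy. The `www.draw.io/notifications` case shows the other console error: no `connect-src` entry covers that host, so the reporter's first error is independent of the base URL. Two caveats for anyone adapting this: the checker ignores redirects, nonces and hashes, and on an `https` deployment an `http://localhost:8080` script would still be refused by the browser's mixed-content rules even after it is whitelisted in `script-src`, so the base-URL fix is the one to use.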

Kofl commented 1 year ago

Awesome, thanks a lot, that solved it.