openanalytics / shinyproxy

ShinyProxy - Open Source Enterprise Deployment for Shiny and data science apps
https://www.shinyproxy.io
Apache License 2.0

Self-hosted shinyproxy (3.0.2) behind a nginx fails to start R-Shiny applications in Chromium based browsers (e.g. Chrome > v81) #476

Closed IvoLeist closed 7 months ago

IvoLeist commented 9 months ago

Dear Shinyproxy developers.

First of all, thank you for providing that nifty tool for orchestrating R-Shiny applications :)

We plan to use it at Centro nacional de análisis genómico for making our R-Shiny applications publicly visible.

After a lot of back and forth tweaking the nginx config we have it now finally working on our production server for the following browsers:

However, unfortunately starting an application fails for all chromium based browsers. Meaning the screen turns white and the developer console shows the following error:

Uncaught ReferenceError: $ is not defined

Note that it does not matter which application is started. The same error arises when trying to launch your demo application.

Used Shinyproxy image: openanalytics/shinyproxy:3.0.2


What we figured out so far when trying to find the root cause:

At first we thought maybe jquery is not loaded correctly in chromium based browsers but webjars/jquery/3.6.1/jquery.min.js shows a 200

Then we played with the security setting of the browser and realized that with the following extension https://chromewebstore.google.com/detail/always-disable-content-se/ffelghdomoehpceihalcnbmnodohkibj enabled the chromium based browsers are working as expected.

Obviously, we: a) do not want to limit our potential users to only use Firefox/Safari, b) cannot ask our users to install that CSP addon, and c) cannot disable CSP on the nginx level due to security reasons.


So this issue goes out not only to the developers but also to all the others who are currently self-hosting a public-facing ShinyProxy instance (behind an nginx), to understand if we are the only ones affected by some recent Chromium update* ? :thinking:

*have not tested old versions of Chromium based browsers yet. I will update this issue accordingly :v:

In my opinion it is highly unlikely that this issue is restricted only to us. However, after double-checking the issues here and also in your support forum, I have not found anyone else reporting that yet(?)


Let me know if this issue fits here or if I should rather move / cross-post(?) it to https://support.openanalytics.eu.

Kind regards, Ivo

IvoLeist commented 9 months ago

Update: I finally found some time to play around with multiple different Chrome versions.

OS: Ubuntu 22.04.3 LTS x86_64
Source of the old Chrome versions: https://www.slimjet.com/chrome/google-chrome-old-version.php
Last working version: 81.0.4044.92 (Official Build) (64-bit)
Release date of v81: 2022-05-30
Command to run the old versions: /usr/bin/google-chrome-stable --user-data-dir=/tmp/chrome_new_profile --no-sandbox

=> All (slimjet) Chrome versions above v81 are running into the error described above.

IvoLeist commented 8 months ago

FYI: I just cross posted that issue here: https://support.openanalytics.eu/t/self-hosted-shinyproxy-3-0-2-behind-a-nginx-fails-to-start-r-shiny-applications-in-chromium-based-browsers-e-g-chrome-v81/2735

Let me know where it would fit better?

LEDfan commented 8 months ago

Hi @IvoLeist

This issue is being caused by your CSP header. I understand that you don't want to completely remove this header, but on the other hand it's expected that if you add a very strict CSP header, ShinyProxy will break. In addition, depending on what kind of applications you are hosting, these applications might also break.

For the short term you could consider removing the require-trusted-types-for 'script'; from your CSP policy. In the long term we might consider adding a CSP policy to ShinyProxy, but this will be quite difficult since we need to take all kinds of applications into account.
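
An added example, not part of the original thread and not ShinyProxy's own code: a variation on the workaround above that moves the Trusted Types directives out of the enforced policy and into a Content-Security-Policy-Report-Only header, so violations are still reported while the page keeps working. The sample policy and the `/csp-report` endpoint are constructed assumptions, since the issue does not show the actual nginx header.

```javascript
// Directives that turn on Trusted Types enforcement.
const TRUSTED_TYPES_DIRECTIVES = new Set(["require-trusted-types-for", "trusted-types"]);

// Parse a CSP header value into ordered [name, value] pairs.
// Directive names are case-insensitive, so they are lower-cased.
function parseCsp(headerValue) {
  return headerValue
    .split(";")
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .map((d) => {
      const [name, ...rest] = d.split(/\s+/);
      return [name.toLowerCase(), rest.join(" ")];
    });
}

function serializeCsp(directives) {
  return directives.map(([n, v]) => (v ? `${n} ${v}` : n)).join("; ");
}

// Split one policy into:
//  - an enforced header without the Trusted Types directives
//  - a report-only header that still records Trusted Types violations
function splitTrustedTypes(headerValue, reportUri) {
  const parsed = parseCsp(headerValue);
  const tt = parsed.filter(([n]) => TRUSTED_TYPES_DIRECTIVES.has(n));
  const enforced = parsed.filter(([n]) => !TRUSTED_TYPES_DIRECTIVES.has(n));
  const headers = {};
  if (enforced.length > 0) {
    headers["Content-Security-Policy"] = serializeCsp(enforced);
  }
  if (tt.length > 0) {
    headers["Content-Security-Policy-Report-Only"] =
      serializeCsp([...tt, ["report-uri", reportUri]]);
  }
  return headers;
}

// Constructed sample policy (assumption; not the reporter's real header).
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self'; Require-Trusted-Types-For 'script'; frame-ancestors 'self';";

// Hypothetical report endpoint.
const sampleHeaders = splitTrustedTypes(SAMPLE_POLICY, "/csp-report");
for (const [name, value] of Object.entries(sampleHeaders)) {
  console.log(`add_header ${name} "${value}" always;`); // nginx-style output
}
```
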

IvoLeist commented 7 months ago

Hi @LEDfan

Thank you for your guidance.

I can confirm that removing require-trusted-types-for 'script'; in the nginx config indeed resolved ShinyProxy's trouble starting R-Shiny applications in Chromium based browsers ( > v 81).

Good to hear that you are open to add a CSP policy to ShinyProxy :rocket:

Good luck with that :v:

LEDfan commented 7 months ago

Hi @IvoLeist great to hear you solved your issue. I'll close this issue for now, but we will keep track of the feature request for including a CSP in ShinyProxy.