otetard / ownpad

Ownpad is a Nextcloud application that allows to create and open Etherpad and Ethercalc documents.
GNU Affero General Public License v3.0

CSP issues ownpad + nextcloud + etherpad-lite #64

Closed Webrow closed 10 months ago

Webrow commented 6 years ago

Set up a Rpi with nextcloud. Installed etherpad-lite on the raspberry, set up the server, installed ownpad. Association of the files in nextcloud is fine, but when opening a pad / calc I see nothing in the frame. Console prints out a CSP error, http://puu.sh/AN6u4/1535504ccd.png Nextcloud 13.0.2 is used.

Jaxom99 commented 5 years ago

Same here, on a debian VM. The link to the pad is shown when pointing on the title bar, so the pad is still available.

Webrow commented 5 years ago

I'm here to provide some additional info since Jaxom99 pinged me yesterday. It still is a CSP error but I fixed it eventually. I used nginx to rewrite the headers. Eventually I set up a host on the domain itself (etherpad.domain.tld / ethercalc.domain.tld). Since the domain is whitelisted by default this solved my issue. The error in the console is misleading: it prints the current domain since it is loaded in a frame. The issue originates in that the host for etherpad/ethercalc is NOT whitelisted, but due to the url-rewrite it looks like you are loading an internal source which fails. (the failure comes from https://beta.etherpad.org/thisisyourpad for example) I hope this might help you out @Jaxom99

Jaxom99 commented 5 years ago

Okay, thanks for the details 👍 I will try to implement that in my case, and report back here.

futatuki commented 5 years ago

I also got the same problem. In my case, I configured a dedicated etherpad-lite host on the same hostname as the nextcloud host, with a different path by using a reverse proxy (like https://service.example.org/nextcloud for nextcloud and https://service.example.org/etherpad for etherpad-lite). I set Etherpad Host to "https://service.example.org/etherpad" and frame-src content had been blocked by the content security policy.

I don't know how ContentSecurityPolicy::addAllowedFrameDomain() works, but it seems that it doesn't accept a full URL with a path spec for its argument. With the patch below, I could solve my problem.

--- lib/Controller/DisplayController.php.orig   2019-05-26 01:59:40.000000000 +0900
+++ lib/Controller/DisplayController.php        2019-05-29 11:17:02.202546000 +0900
@@ -175,7 +175,12 @@ class DisplayController extends Controller {
         $policy = new ContentSecurityPolicy();

         if($this->config->getAppValue('ownpad', 'ownpad_etherpad_enable', 'no') !== 'no') {
-            $policy->addAllowedFrameDomain($this->config->getAppValue('ownpad', 'ownpad_etherpad_host', ''));
+            # dirty hack for our host
+            $eplHost = $this->config->getAppValue('ownpad', 'ownpad_etherpad_host', '');
+            if (preg_match("#^(?<host>(https?://)?[A-Za-z0-9.-]+)(:[0-9]+)?((/|%2[Ff]).*)?$#", $eplHost, $match)) {
+              $eplHost = $match['host'];
+            }
+            $policy->addAllowedFrameDomain($eplHost);
             $policy->addAllowedChildSrcDomain($this->config->getAppValue('ownpad', 'ownpad_etherpad_host', ''));
         }
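Review bot: the `addAllowedChildSrcDomain()` call on the unchanged line right after the added block still receives the raw `ownpad_etherpad_host` value, so a host configured with a path (the very case this patch targets) is normalised for frame-src only while child-src keeps the unparsed URL; pass the same `$eplHost` there. Also, the `(:[0-9]+)?` group sits outside the named `host` capture, so an explicit port such as `https://pad.example.org:9001` is reduced to `https://pad.example.org`, and a CSP host-source with no port only matches the scheme's default port, so that origin would still be blocked; move the port inside the captured group. A comment stating why the path is stripped (the CSP source list takes an origin, not a URL with a path) would serve readers better than `# dirty hack for our host`.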

I also think a deeper path for Etherpad Host can cause another problem, but it may be another issue.
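One way to reduce the configured Etherpad/Ethercalc host to a CSP origin before handing it to addAllowedFrameDomain() and addAllowedChildSrcDomain(), as an added example that is neither Ownpad's code nor part of this thread; the function name and the sample inputs are assumptions, and unlike the regex above it keeps a non-default port, which a CSP host-source needs in order to match:

```php
<?php
// Added example (not Ownpad's code). Derive a CSP host-source, i.e. the
// origin "scheme://host[:port]", from the admin-entered host value, so that
// only that origin is allowlisted regardless of any path that was typed.
function ownpadCspOrigin(string $configured): ?string
{
    // Some admins enter "%2F" for "/"; decode so parse_url sees a real path.
    $value = rawurldecode(trim($configured));
    // A bare "pad.example.org/etherpad" has no scheme; assume https so that
    // parse_url recognises the host part (assumption of this example).
    if (!preg_match('#^https?://#i', $value)) {
        $value = 'https://' . $value;
    }
    $parts = parse_url($value);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return null; // unusable value: do not widen the policy at all
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null; // only web origins belong in frame-src / child-src
    }
    $origin = $scheme . '://' . strtolower($parts['host']);
    // A host-source without a port only matches the scheme's default port,
    // so https://pad.example.org:9001 must keep ":9001" to be matched.
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    return $origin;
}

// Constructed inputs mirroring the cases discussed in this thread.
$cases = [
    'https://service.example.org/etherpad'   => 'https://service.example.org',
    'https://service.example.org%2Fetherpad' => 'https://service.example.org',
    'https://pad.example.org:9001/'          => 'https://pad.example.org:9001',
    'etherpad.example.org'                   => 'https://etherpad.example.org',
    'ftp://files.example.org/'               => null,
];
foreach ($cases as $in => $expected) {
    $got = ownpadCspOrigin($in);
    printf("%-42s -> %-32s %s\n", $in, var_export($got, true),
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

The returned origin is what both the frame-src and the child-src calls should receive, so a single normalised value covers the two lines of the controller.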

futatuki commented 5 years ago

> I also think a deeper path for Etherpad Host can cause another problem, but it may be another issue.

This was my confusion. Please ignore this part.

otetard commented 10 months ago

I’m closing this issue since this is a very old one. Please open a new issue if you still encounter this issue with the latest version of Ownpad!