standardnotes / forum

Support from other community members. For 1-on-1 help, please contact help@standardnotes.com.
https://forum.standardnotes.org

Cannot connect to self hosted server from the webapp #3596

Open apixandru opened 6 months ago

apixandru commented 6 months ago

Describe the bug Logging into self-hosted domains doesn't work.

To Reproduce Steps to reproduce the behavior:

  1. Go to https://app.standardnotes.com/
  2. Click on Sign In
  3. Expand Advanced options
  4. Select Custom in the Sync Server section
  5. Enter any domain
  6. Fill in any username and password
  7. Click Sign in

Expected behavior I would expect that logging in would be successful. Logging into my self-hosted domain works fine from the mobile app but not from the webapp because of the security policy.

Screenshots error headers

Additional context Refused to connect to 'https://standardnotes.anotherdomain.com/v2/login-params' because it violates the following Content Security Policy directive: "connect-src api.standardnotes.com sync.standardnotes.org files.standardnotes.com ws://sockets.standardnotes.com raw.githubusercontent.com listed.to blob:".

The issue is that the initial app.standardnotes.com defines the Content-Security-Policy in the response headers which blocks all other domains. If I manually override the headers to include standardnotes.mydomain.com, the login is successful.

However, overriding the response header is not a sustainable way to use the application.
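To see why the browser refuses the request in the report above, here is an added example (not part of the original post and not Standard Notes code) that evaluates the quoted `connect-src` directive against a target URL using a simplified subset of the CSP source-matching rules. The function names are hypothetical, and the page scheme is assumed to be `https` because the app is served from https://app.standardnotes.com/.

```javascript
// Added example: simplified CSP connect-src check. Handles scheme-sources,
// host-sources (optional scheme, leading "*." wildcard, port) and default-src
// fallback; paths, 'self' and other keywords are not modelled.
const REPORTED_POLICY = // directive quoted in the error message in the report
  "connect-src api.standardnotes.com sync.standardnotes.org " +
  "files.standardnotes.com ws://sockets.standardnotes.com " +
  "raw.githubusercontent.com listed.to blob:";

function parseDirective(policy, name) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null; // directive not present
}

// CSP scheme matching: exact, or the secure upgrade of the listed scheme.
function schemeMatches(listed, actual) {
  if (listed === actual) return true;
  if (listed === "http") return actual === "https";
  if (listed === "ws") return ["wss", "http", "https"].includes(actual);
  return listed === "wss" && actual === "https";
}

function sourceAllows(source, target, pageScheme) {
  const urlScheme = target.protocol.slice(0, -1);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) // scheme-source such as "blob:"
    return schemeMatches(source.slice(0, -1).toLowerCase(), urlScheme);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A source without a scheme inherits the scheme of the page that set the policy.
  if (!schemeMatches((scheme || pageScheme).toLowerCase(), urlScheme)) return false;
  const listed = host.toLowerCase();
  const actual = target.hostname.toLowerCase();
  const hostOk = listed.startsWith("*.") ? actual.endsWith(listed.slice(1)) : listed === actual;
  const portOk = port === "*" || (port ? target.port === port : target.port === "");
  return hostOk && portOk;
}

function connectAllowed(policy, url, pageScheme = "https") {
  const sources = parseDirective(policy, "connect-src") ?? parseDirective(policy, "default-src");
  if (sources === null) return true; // neither directive set: connections unrestricted
  const target = new URL(url);
  return sources.some((s) => sourceAllows(s, target, pageScheme));
}

const selfHosted = "https://standardnotes.anotherdomain.com/v2/login-params";
console.log("reported policy:", connectAllowed(REPORTED_POLICY, selfHosted));
console.log("host added:", connectAllowed(REPORTED_POLICY + " standardnotes.anotherdomain.com", selfHosted));
```

The second call models the header override described in the report: once the self-hosted host is listed in `connect-src`, the same request passes the check.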

thedepartedwhiplash commented 6 months ago

One other issue I can see coming from this is with Subscription Sharing. It seems like you can't accept share invites through the Desktop or Mobile applications. Only through the web app, unless I'm wrong. So if you wanted to share your existing Professional subscription with a self-hosted account, you'd be unable to as you can't log in to the web app.