Open apixandru opened 5 months ago
One other issue I can see coming from this is with Subscription Sharing. It seems like you can't accept share invites through the Desktop or Mobile applications. Only through the web app, unless I'm wrong. So if you wanted to share your existing Professional subscription with a self-hosted account, you'd be unable to as you can't log in to the web app.
Describe the bug Logging into self-hosted domains doesn't work.
Expected behavior I would expect that logging in would be successful. Logging into my self-hosted domain works fine from the mobile app but not from the web app because of the security policy.
Additional context Refused to connect to 'https://standardnotes.anotherdomain.com/v2/login-params' because it violates the following Content Security Policy directive: "connect-src api.standardnotes.com sync.standardnotes.org files.standardnotes.com ws://sockets.standardnotes.com raw.githubusercontent.com listed.to blob:".
The issue is that the initial app.standardnotes.com defines the Content-Security-Policy in the response headers which blocks all other domains. If I manually override the headers to include standardnotes.mydomain.com, the login is successful.
However, overriding the response header is not a sustainable way to use the application.
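To make the console error above concrete, here is a small CSP source-list matcher (an added example, not code from the issue or from the Standard Notes project) that walks the quoted connect-src directive and reports which source expression, if any, admits a request URL. It implements the host-source and scheme-source matching rules (scheme, host wildcard, port, path prefix) and assumes the app page itself is served over https; the amended policy in the usage block is the reporter's described workaround, not the project's configuration.

```python
from urllib.parse import urlsplit

# connect-src value quoted verbatim from the console error in the issue.
CONNECT_SRC = ("api.standardnotes.com sync.standardnotes.org files.standardnotes.com "
               "ws://sockets.standardnotes.com raw.githubusercontent.com listed.to blob:")
PAGE_SCHEME = "https"   # assumption: the app page is served over https
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
UPGRADES = {("http", "https"), ("ws", "wss")}  # insecure source also admits its secure form


def source_matches(expr, url):
    """True if one CSP host-source or scheme-source expression permits url.
    Keyword sources ('self', 'none', nonces, hashes) are out of scope here."""
    u = urlsplit(url)
    if expr.endswith(":") and "//" not in expr:           # scheme-source, e.g. "blob:"
        return u.scheme == expr[:-1]
    scheme, _, rest = expr.rpartition("://")             # scheme is "" when omitted
    allowed = scheme or PAGE_SCHEME                      # schemeless source: page scheme
    if u.scheme != allowed and (allowed, u.scheme) not in UPGRADES:
        return False
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.lower().partition(":")
    name = u.hostname or ""
    # host: exact, "*" for any host, or "*.example.com" for subdomains only
    if host.startswith("*."):
        if not name.endswith(host[1:]):
            return False
    elif host != "*" and name != host:
        return False
    # port: an explicit port must match; otherwise the URL must use the scheme default
    url_port = u.port or DEFAULT_PORTS[u.scheme]
    if port and port != "*" and int(port) != url_port:
        return False
    if not port and url_port != DEFAULT_PORTS[u.scheme]:
        return False
    # path: trailing "/" means prefix match, otherwise the path must be identical
    if slash:
        p = "/" + path
        return u.path.startswith(p) if p.endswith("/") else u.path == p
    return True


def allowed_by_connect_src(url, policy=CONNECT_SRC):
    """Return the source expression that admits url, or None when CSP would block it."""
    return next((e for e in policy.split() if source_matches(e, url)), None)


if __name__ == "__main__":
    blocked = "https://standardnotes.anotherdomain.com/v2/login-params"
    print(blocked, "->", allowed_by_connect_src(blocked))  # None: the error in the issue
    print(blocked, "->", allowed_by_connect_src(blocked, CONNECT_SRC + " standardnotes.anotherdomain.com"))
```

Running it shows the self-hosted login-params URL matching no source expression under the shipped policy, while appending the self-hosted host to connect-src (as the reporter did by overriding the header) makes it admissible.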