Working with plugins when using CSP
Introduction
Content Security Policy (CSP) is a security standard intended to mitigate certain classes of attack, such as Cross-Site Scripting (XSS). When CSP is enabled, the browser loads content only from the sources the policy approves; in particular, it blocks requests to third-party domains that have not been explicitly allowed.
If you use ONLYOFFICE Docs (Enterprise Edition or Developer Edition) integrated with your web solution, and CSP is enabled on your web server to harden it, the default CSP settings may cause problems. ONLYOFFICE Online Editors include a number of plugins, some of which use third-party resources and make requests to third-party domains, e.g. the YouTube plugin. Because CSP blocks requests to domains that have not been allowed, such plugins stop working properly, e.g. the YouTube video fails to load.
Adding third-party domains to the list of allowed sources
For plugins to work correctly, you need to allow requests to certain domains (the full list is given below). This is done by changing the HTTP header that enables CSP. Depending on the solution you use, this header is set in different files; this instruction describes the basic principles rather than individual cases. The header (shown here in Apache httpd "Header set" syntax) looks like this:
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
This string contains directives which specify the allowed sources for different types of content: scripts, stylesheets, fonts, images, HTML5 <audio> or <video> elements, etc. The default-src directive applies when no directive for a particular resource type is specified. 'self' means that content may be loaded from the page's own origin only.
To allow the plugin requests, add the trusted domains to the default-src directive:
default-src 'self' *.trusted1.com *.trusted2.com
This allows requests to, and content from, any subdomain of trusted1.com and trusted2.com. Two points to keep in mind. First, the wildcard form *.trusted1.com matches subdomains only (www.trusted1.com, but not trusted1.com itself), so list the bare host as well if the plugin requests it; a wildcard glued to a name without the dot (*trusted1.com) is not a valid source expression and allows nothing. Second, a resource type that has its own directive in the header (script-src, connect-src, img-src, style-src in the example above) does not inherit from default-src; default-src is only the fallback for directives that are absent. Those directives must therefore either list the same domains or be removed from the header, otherwise a script or XMLHttpRequest issued by the plugin is still blocked even though default-src allows the domain.
Third-party domain list
The following plugins make requests to third-party domains:
Plugin | Domain |
---|---|
clipart | https://openclipart.org |
speech | https://code.responsivevoice.org |
youtube | https://www.youtube.com |
thesaurus | https://words.bighugelabs.com |
translate | https://translate.yandex.net |
ocr | https://cdn.rawgit.com |
The following plugins from the list above are included in ONLYOFFICE Online Editors by default: ocr, speech, thesaurus, translate, youtube.
The clipart plugin is not included in the online editors, but it is available at https://github.com/ONLYOFFICE/sdkjs-plugins and you can add it to the editors manually.
To add all the mentioned domains to the list of allowed sources, the HTTP header should look like this. The hosts are written exactly as in the table above, because a CSP wildcard must take the form *.host (subdomains only) and a form such as *www.youtube.com is not a valid source expression and matches nothing:
Header set Content-Security-Policy "default-src 'self' https://openclipart.org https://code.responsivevoice.org https://www.youtube.com https://words.bighugelabs.com https://translate.yandex.net https://cdn.rawgit.com"
If you keep separate script-src, connect-src, img-src or style-src directives in the header, repeat the hosts that the respective plugins use in each of them: a directive that is present does not fall back to default-src, so leaving it as 'self' blocks the plugin requests again.
For the wordpress and easybib plugins, you'll also need to allow the wordpress.com and easybib.com domains (*.wordpress.com and *.easybib.com for their subdomains).
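The two rules explained above (a directive that is present does not fall back to default-src, and a host wildcard must be written *.host) decide whether a plugin request is let through. The following script is an added example, not ONLYOFFICE code: it models those rules for a handful of fetch directives and evaluates three headers against constructed plugin requests: the header as it originally appeared on this page (wildcards without the dot), a variant with correct host names but 'self'-only script-src/connect-src/img-src, and the corrected header. Which directive governs each plugin (script-src for speech, connect-src for thesaurus, frame-src for youtube, img-src for clipart), the request paths and the page origin https://docs.example.com are assumptions for illustration, not taken from the plugin sources.

```javascript
// Added example (not ONLYOFFICE code): a small CSP evaluator covering
//   1. the fallback chain: a present directive decides on its own; default-src
//      is consulted only when the specific directive is absent (frame-src also
//      falls back to child-src first);
//   2. host-source matching: an exact host, or "*." + host for subdomains only.
// Ports, paths, nonces, hashes and redirects are deliberately not modelled.
const FALLBACK = {
  'script-src':  ['script-src',  'default-src'],
  'connect-src': ['connect-src', 'default-src'],
  'img-src':     ['img-src',     'default-src'],
  'style-src':   ['style-src',   'default-src'],
  'font-src':    ['font-src',    'default-src'],
  'media-src':   ['media-src',   'default-src'],
  'frame-src':   ['frame-src',   'child-src', 'default-src'],
};

// "default-src 'self' a.example; script-src 'self'" -> { 'default-src': [...], 'script-src': [...] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does a single source expression match the request URL? selfOrigin is the
// origin of the page that received the policy, e.g. "https://docs.example.com".
function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === selfOrigin;
  if (s === '*') return /^https?:$/.test(url.protocol);
  if (s.startsWith("'")) return false; // 'none', nonces, hashes are not host sources

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(s);
  if (!m) return false;
  const [, scheme, host] = m;
  // Host-source grammar: optional "*." followed by a hostname. A "*" glued to a
  // name ("*openclipart.org") fails this check and therefore allows nothing.
  if (!/^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(host)) return false;

  const pageScheme = new URL(selfOrigin).protocol;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== pageScheme && !(pageScheme === 'http:' && url.protocol === 'https:')) {
    return false; // scheme-less source: same scheme as the page (or http page -> https)
  }
  if (host.startsWith('*.')) {
    return url.hostname.endsWith(host.slice(1)); // "*.youtube.com": www.youtube.com yes, youtube.com no
  }
  return url.hostname === host;
}

// Walk the fallback chain: the first directive that is present decides.
function isAllowed(policy, directive, urlString, selfOrigin) {
  const chain = FALLBACK[directive];
  if (!chain) throw new Error('unsupported directive: ' + directive);
  const url = new URL(urlString);
  for (const name of chain) {
    if (policy[name] !== undefined) {
      return policy[name].some((src) => sourceMatches(src, url, selfOrigin));
    }
  }
  return true; // nothing governs this fetch, so CSP does not restrict it
}

// Constructed sample requests; the directive assigned to each plugin and the
// paths are assumptions for illustration, not taken from the plugin sources.
const SELF = 'https://docs.example.com';
const REQUESTS = [
  { plugin: 'speech',    directive: 'script-src',  url: 'https://code.responsivevoice.org/script.js' },
  { plugin: 'thesaurus', directive: 'connect-src', url: 'https://words.bighugelabs.com/api' },
  { plugin: 'youtube',   directive: 'frame-src',   url: 'https://www.youtube.com/embed/VIDEO_ID' },
  { plugin: 'clipart',   directive: 'img-src',     url: 'https://openclipart.org/image.png' },
];

// Header as originally shown on the page: "*host" wildcards, hosts only in default-src.
const PAGE_HEADER =
  "default-src 'self' *openclipart.org *code.responsivevoice.org *www.youtube.com " +
  "*words.bighugelabs.com *translate.yandex.net *cdn.rawgit.com; " +
  "script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";
const ALLOWED_HOSTS =
  'https://openclipart.org https://code.responsivevoice.org https://www.youtube.com ' +
  'https://words.bighugelabs.com https://translate.yandex.net https://cdn.rawgit.com';
// Correct hosts, but the specific directives are still present and still 'self'.
const NO_INHERIT_HEADER =
  `default-src 'self' ${ALLOWED_HOSTS}; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'`;
// Corrected header: hosts in default-src, no 'self'-only directives shadowing it.
const FIXED_HEADER = `default-src 'self' ${ALLOWED_HOSTS}`;

function audit(header, requests = REQUESTS, selfOrigin = SELF) {
  const policy = parsePolicy(header);
  return requests.map((r) => ({ ...r, allowed: isAllowed(policy, r.directive, r.url, selfOrigin) }));
}

for (const [label, header] of [['page', PAGE_HEADER], ['no-inherit', NO_INHERIT_HEADER], ['fixed', FIXED_HEADER]]) {
  for (const row of audit(header)) console.log(label.padEnd(10), row.plugin.padEnd(9), row.allowed ? 'allowed' : 'BLOCKED');
}
```

Run it with node. With the page's original header every plugin is blocked; with correct hosts but 'self'-only script-src/connect-src/img-src only youtube passes, because frame-src is the one directive in the sample that is absent and therefore falls back to default-src; with the corrected header all four pass. The script checks directive logic only; the browser console remains the authoritative source, since it reports every CSP violation together with the directive that caused it.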