Working with plugins when using CSP

Introduction

Content Security Policy (CSP) is a security standard intended to prevent threats such as Cross-Site Scripting (XSS) attacks. When CSP is enabled on your web server, it restricts content loading to approved sources only, blocking requests to any third-party domains that have not been explicitly allowed.

If you are using ONLYOFFICE Docs (Enterprise Edition or Developer Edition) integrated with your web solution and CSP is enabled, plugins that rely on third-party resources will be blocked from functioning correctly. To fix this, you need to add the domains used by those plugins to your CSP allowlist.

Adding trusted domains

CSP is configured via the Content-Security-Policy HTTP header. The header uses directives to specify allowed sources for different content types. The default-src directive acts as a fallback for any resource type that does not have its own directive. 'self' means that content can only be loaded from the current domain.

A typical header, here set with the Apache httpd Header directive (mod_headers), looks like this:

Header set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

To allow a plugin to access its required external domain, add that domain to the default-src directive:

default-src 'self' *.trusted-domain.com

This allows requests to and loading of content from the specified domain and its subdomains. Repeat this for each plugin that requires external access. Note that default-src is only a fallback: a resource type that has its own directive in the header (script-src, connect-src, img-src and style-src in the example above) does not inherit entries from default-src, so the domain must also be added to that specific directive if the plugin loads scripts, makes XHR/fetch requests, or loads images or stylesheets from it.

The exact location of the HTTP header depends on your web server and integration setup. This article describes the general principle.

To identify which domains a plugin requires, open the browser developer tools, go to the Network tab, and run the plugin. Any blocked external requests will appear as failed, and the domain in those requests is what you need to add to your CSP allowlist.

Example: allowing the YouTube plugin

The YouTube plugin loads video content from www.youtube.com. Without adding this domain to the CSP allowlist, the plugin will be blocked from loading videos.

To allow it, add www.youtube.com to the default-src directive. A leading asterisk is only valid in the *.example.com wildcard form; a source such as *www.youtube.com does not match the CSP host-source grammar and is silently ignored by the browser, which leaves the plugin blocked.

Header set Content-Security-Policy "default-src 'self' www.youtube.com; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

Apply the same approach for any other installed plugin that uses third-party resources, adding its required domain to the directive in the same way.
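The following script is an added example and not part of the article or of ONLYOFFICE Docs. It is a minimal evaluator that models the part of CSP the article relies on: splitting the header into directives, matching host sources (including the *.example.com wildcard), and walking the default-src fallback chain. It runs the YouTube scenario from the text against constructed sample policies and also shows the two failure modes a practitioner hits in practice: an invalid source expression such as *www.youtube.com is dropped, and an entry added only to default-src does nothing for scripts when script-src is set explicitly. The page origin, the embed URL and the iframe_api path are constructed sample values; nonces, hashes and 'unsafe-*' keywords are outside the scope of this example.

```python
"""Minimal Content-Security-Policy evaluator (added example, not ONLYOFFICE code).

Answers one question: would the browser allow a fetch of `url` as resource
type `resource_type` under `policy`, given the page's own origin?  Only host
sources, scheme sources, 'self', 'none', '*' and the default-src fallback
chain are modelled; that is enough to check plugin allowlist entries.
"""
import re
from urllib.parse import urlparse

# Fallback chain per fetch directive, most specific first (CSP3 semantics).
FALLBACK = {
    "script-src": ("script-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),
    "img-src": ("img-src", "default-src"),
    "style-src": ("style-src", "default-src"),
    "font-src": ("font-src", "default-src"),
    "frame-src": ("frame-src", "child-src", "default-src"),
}

# Valid host-source shape: optional scheme, then either "*" or an optional
# "*." prefix followed by host labels, then optional port and path.
# "*www.youtube.com" does NOT fit this grammar and is ignored by browsers.
HOST_SOURCE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?:\d+|\*))?(?:/.*)?$",
    re.IGNORECASE,
)


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive-name: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive; keep the first occurrence.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(source: str, url: str, self_origin: str) -> bool:
    """Does one source expression permit `url`?  Invalid expressions never match."""
    src = source.lower()
    target = urlparse(url)
    host = (target.hostname or "").lower()
    if src == "'none'":
        return False
    if src == "'self'":
        own = urlparse(self_origin)
        return (target.scheme, host, target.port) == (
            own.scheme, (own.hostname or "").lower(), own.port)
    if src.endswith(":") and "/" not in src:  # scheme-source, e.g. "https:"
        return target.scheme == src[:-1]
    m = HOST_SOURCE.match(src)
    if not m:  # e.g. "*www.youtube.com": malformed, so it never allows anything
        return False
    host_part = m.group(1)
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        # "*.youtube.com" matches any subdomain, but not the bare "youtube.com".
        return host.endswith(host_part[1:])
    return host == host_part


def is_allowed(policy: str, resource_type: str, url: str, self_origin: str) -> bool:
    """Walk the fallback chain and evaluate the first directive that is present."""
    directives = parse_policy(policy)
    for name in FALLBACK[resource_type]:
        if name in directives:
            # An empty directive ("script-src;") behaves like 'none'.
            return any(source_matches(s, url, self_origin) for s in directives[name])
    return True  # no governing directive at all: this resource type is unrestricted


# Constructed sample values mirroring the header shown in the article.
ORIGIN = "https://docs.example.test"
BASE = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
YOUTUBE_OK = BASE.replace("default-src 'self'", "default-src 'self' www.youtube.com")
YOUTUBE_BAD = BASE.replace("default-src 'self'", "default-src 'self' *www.youtube.com")
YOUTUBE_WILD = BASE.replace("default-src 'self'", "default-src 'self' *.youtube.com")
EMBED = "https://www.youtube.com/embed/VIDEO_ID"          # placeholder video id
PLAYER_API = "https://www.youtube.com/iframe_api"         # sample script URL


def check_plugin_allowlist() -> dict[str, bool]:
    """Run the scenarios from the text and return one verdict per scenario."""
    return {
        "frame_blocked_by_default": is_allowed(BASE, "frame-src", EMBED, ORIGIN),
        "frame_allowed_via_default_src": is_allowed(YOUTUBE_OK, "frame-src", EMBED, ORIGIN),
        "frame_allowed_via_wildcard": is_allowed(YOUTUBE_WILD, "frame-src", EMBED, ORIGIN),
        "frame_with_invalid_source": is_allowed(YOUTUBE_BAD, "frame-src", EMBED, ORIGIN),
        # script-src is set explicitly, so default-src never applies to scripts.
        "script_still_blocked": is_allowed(YOUTUBE_OK, "script-src", PLAYER_API, ORIGIN),
    }


if __name__ == "__main__":
    for name, verdict in check_plugin_allowlist().items():
        print(f"{name:32s} {'allowed' if verdict else 'BLOCKED'}")
```

The frame scenarios pass because the sample header sets no frame-src or child-src, so the iframe falls through to default-src; the script scenario stays blocked because script-src 'self' is present and shadows the default-src entry. When a plugin needs scripts or XHR/fetch calls from its domain, the same host must appear in script-src or connect-src respectively, which is a quick check to run on a proposed header before deploying it.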
