
Content Security Policy connect-src #15233

Open
cgtms opened this issue Dec 23, 2024 · 2 comments
Labels
enhancement New feature or request

Comments


cgtms commented Dec 23, 2024

Describe the feature request
The application currently operates behind a proxy, and modifying its source code is not straightforward. Previously, it was possible to append a new domain (e.g., https://*.example.com) to the connect-src directive in the Content Security Policy (CSP) by adjusting the Nginx proxy configuration. This approach worked well for environments where middleware-enforced CSP required flexibility.

Problem
After the recent code changes introduced in PR #15003, this method is no longer viable. Updating the CSP to allow additional domains now requires more invasive or complex changes.

Feature Request
It would be incredibly helpful to have an easier way to append new domains to the connect-src directive of the CSP. Specifically, this could be made configurable, or a mechanism could be offered to extend the domain list programmatically without modifying the source code directly. The relevant file appears to be contentSecurityPolicy.ts.

Question
Is there a potential workaround or an easy fix to enable this kind of flexibility in the current implementation? If not, could this be considered as an enhancement for future releases?

Thank you for considering this request. Please let me know if additional information or clarification is needed!

poirazis (Contributor) commented

I would also like to add to the request that in self-hosted instances, the domain running the instance would be automatically included, to be able to reference other local resources from the client, like an MQTT broker and the like.
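As an added illustration of the configurable extension both comments ask for (this is not the project's code, and the helper names parseCsp, serializeCsp, extendConnectSrc and selfHostedConnectSrc are hypothetical), the sketch below parses a CSP header, appends extra origins to connect-src, and covers the self-hosted case of adding the instance's own origin and a local broker:

```typescript
// Added example, not the project's contentSecurityPolicy.ts. Directive and
// source-expression syntax follows the CSP spec; helper names are hypothetical.

type CspDirectives = Map<string, string[]>;

// Parse a serialized policy ("default-src 'self'; connect-src ...") into a map
// of directive name -> source list, preserving directive order.
function parseCsp(header: string): CspDirectives {
  const directives: CspDirectives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializeCsp(directives: CspDirectives): string {
  return [...directives.entries()]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Append extra origins to connect-src without touching the rest of the policy.
// If connect-src is absent, start from default-src (which CSP falls back to),
// so the origins already allowed are preserved rather than silently widened.
// A bare 'none' is dropped because it cannot coexist with other sources.
function extendConnectSrc(header: string, extra: string[]): string {
  const directives = parseCsp(header);
  const base = directives.get("connect-src") ?? directives.get("default-src") ?? [];
  const merged = base.filter((s) => s.toLowerCase() !== "'none'");
  for (const origin of extra) {
    if (!merged.includes(origin)) merged.push(origin); // no duplicates
  }
  directives.set("connect-src", merged);
  return serializeCsp(directives);
}

// Self-hosted case from the comment above: allow the instance's own origin plus
// local services the client must reach (e.g. a WebSocket MQTT endpoint).
function selfHostedConnectSrc(
  header: string,
  instanceOrigin: string,
  localServices: string[],
): string {
  return extendConnectSrc(header, ["'self'", instanceOrigin, ...localServices]);
}
```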
