
Internally Hosted Draw.IO is not usable, "This content is blocked. Contact the site owner to fix the issue." #5107

Closed
thickconfusion opened this issue Jul 8, 2024 · 3 comments

Comments

@thickconfusion

Describe the Bug

Similar to #2285 , I am getting a gray page in Chrome that says "This content is blocked. Contact the site owner to fix the issue."

I have the following environment variables set for the container:
DRAWIO=http://172.31.1.167:8080/?embed=1&proto=json&spin=1&configure=1&stealth=1
I have also attempted to modify this environment variable:
ALLOWED_IFRAME_SOURCES=

I've tried:

The only one that "works" is if I make it ALLOWED_IFRAME_SOURCES="*", which seems like a security vulnerability even if I'm running this on a LAN.

Note: I can access the plain old Draw.IO interface just fine: http://172.31.1.167:8080, and it loads.

Steps to Reproduce

Edit a page, click the icon to work on a Draw.io image.

Expected Behaviour

I expect to load into a Draw.IO instance.

Screenshots or Additional Context

No response

Browser Details

Chrome and Edge on Windows 11

Exact BookStack Version

v24.05.2

@ssddanbrown
Member

Hi @thickconfusion,

You shouldn't need to adjust the iframe sources since BookStack will look to automatically add any custom drawio URL, where set, to the CSP rules. Maybe our custom handling is tripping up any additional rules you're adding.

It does look though like we are not currently handling scenarios where non-protocol-standard ports are used.
I've marked this to be tested for next patch, against a custom-ported drawio instance.

Dev reference

```php
// Pre-fix CSP host derivation: only scheme and host are kept, so a DRAWIO URL such as
// "http://172.31.1.167:8080/..." yields "http://172.31.1.167" and the custom port is lost.
$drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
```
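To illustrate why the dropped port matters, here is an added Python example (not BookStack's PHP code) that derives the CSP frame-src source from the DRAWIO URL both ways and applies the CSP host-source port rule: a source with no explicit port matches only the scheme's default port. The DRAWIO value is the one from the issue; wildcard, scheme-upgrade and path matching are left out as simplifications.

```python
"""Derive a CSP host-source from a DRAWIO URL and check whether it matches
the iframe origin. Added illustration, not BookStack's own code."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def csp_source_without_port(drawio_url: str) -> str:
    """Mirrors the pre-fix behaviour: scheme and host only, port dropped."""
    p = urlsplit(drawio_url)
    return f"{p.scheme}://{p.hostname}"


def csp_source_with_port(drawio_url: str) -> str:
    """Keeps an explicit port so the source matches the embedded draw.io origin."""
    p = urlsplit(drawio_url)
    host = f"{p.scheme}://{p.hostname}"
    return f"{host}:{p.port}" if p.port else host


def csp_host_source_matches(source: str, frame_url: str) -> bool:
    """Simplified CSP host-source matching for scheme://host[:port] sources.
    Per the CSP port rule, a source without a port only matches the scheme's
    default port; "*" matches any origin, which is why it is a poor workaround."""
    if source == "*":
        return True
    s, f = urlsplit(source), urlsplit(frame_url)
    if s.scheme != f.scheme or s.hostname != f.hostname:
        return False
    src_port = s.port or DEFAULT_PORTS.get(s.scheme)
    frame_port = f.port or DEFAULT_PORTS.get(f.scheme)
    return src_port == frame_port


# Sample value taken from the issue: draw.io on a LAN host using port 8080.
DRAWIO = "http://172.31.1.167:8080/?embed=1&proto=json&spin=1&configure=1&stealth=1"

if __name__ == "__main__":
    for derive in (csp_source_without_port, csp_source_with_port):
        src = derive(DRAWIO)
        print(f"{src:<28} matches iframe: {csp_host_source_matches(src, DRAWIO)}")
```

Running it shows the port-less source failing to match while the source carrying `:8080` matches, which is the difference between the blocked gray page and a loaded editor.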

@thickconfusion
Author

I commented out my ALLOWED_IFRAME_SOURCES line entirely, with my DRAWIO=http://172.31.1.167:8080/?embed=1&proto=json&spin=1&configure=1&stealth=1. I cleared browser cache, and I still have the problem. I again verified that I can launch http://172.31.1.167:8080 and Draw.IO loads just fine.

ssddanbrown added a commit that referenced this issue Jul 14, 2024
Previously if a custom port was used in the DRAWIO option it would not
be considered in the CSP handling, which would block loading.

Added test to cover.
For #5107
@ssddanbrown
Member

Sure, I was just saying that we attempt to handle this so you shouldn't have to set the iframe sources, but we currently don't handle custom defined ports.

I've now fixed port handling via 897bb33, with testing to cover, which will be part of the next patch release so I'll therefore close this off.

Not sure why your custom ALLOWED_IFRAME_SOURCES additions did not work, since I could work around this on my dev instance via this method, but it could be down to browser specifics or configuration changes not taking place when expected.

If you still have issues after the next patch release feel free to still comment here for further investigation.
