
How are we to have plugins that aren't hosted on the same domains as Banno actually load as widgets? Every time that I try something that isn't localhost it gives me a CSP error. And even when I, as the documentation says, simply include another redirect URI that is at the domain (https://jackhenry.dev/open-api-docs/plugins/architecture/restrictions/) it still doesn't work. And even then some localhost URLs don't work, for example a dotnet application serving at port 64311 is blocked by the CSP, but a Node app that I serve at port 3000 is not blocked.

  • Please share the CSP error message. – Oliver Hader Aug 14 '23 at 19:23
  • Thanks, Oliver. It is below (just a URL I was using to test the thing): `Content-Security-Policy: The page’s settings blocked the loading of a resource at https://auth2-dev.azurewebsites.net/.well-known/openid-configuration (“frame-src”).` – charlesread Aug 14 '23 at 19:24
  • The super puzzling part of this to me is that I even see `https://auth2-dev.azurewebsites.net` listed in the `frame-src` attribute of the CSP. – charlesread Aug 14 '23 at 20:05
  • 1
    @OliverHader, found the problem, because of the way that JH creates the list of URLs in its CSP (literally aggregating together every client's URL into a big list) if somebody (not me) screws up and types in an invalid URL, like `http://localhost;8080` (not a typo) then it prematurely ends the attribute FOR EVERYBODY. I had to Tweet them because, ya know, no "real" support protocol. – charlesread Aug 14 '23 at 20:33
  • Hmm, sounds like we may have to fix that particular CSP entry. But otherwise, sounds like you got past that stumbling block. – Jaime Lopez Jr. Aug 14 '23 at 22:58
  • I only got past it by using a proxy to completely remove the CSP response header, it's still VERY busted. – charlesread Aug 15 '23 at 13:07
  • Just for clarity, some client DID use `http://localhost;8080` and the CSP is being truncated after the `;` (since it's the delimiter for CSP directives). – charlesread Aug 15 '23 at 13:16
  • @charlesread we've repaired the CSP so there is no longer an entry with a semicolon (`http://localhost;8080`). This should be working again. – Jaime Lopez Jr. Aug 17 '23 at 23:38
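The truncation charlesread describes, as an added example that is not part of the original thread: a small browser-style CSP parser run over a constructed `frame-src` list that contains the `http://localhost;8080` entry, plus a builder that rejects such entries before they are aggregated. Every origin except the ones quoted in the thread is made up, and the parser is a simplified model of the spec's directive/source splitting, not Banno's code.

```python
import re

def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header the way a browser does: ';' separates directives,
    whitespace separates the source expressions inside one directive, and a
    repeated directive name is ignored (the first occurrence wins)."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), sources)
    return policy

def frame_src_allows(header: str, origin: str) -> bool:
    """True only if `origin` survived parsing as a frame-src source expression."""
    return origin in parse_csp(header).get("frame-src", [])

# A source expression can never contain ';', ',' or whitespace: a ';' ends the
# whole directive early, so every origin listed after it is silently dropped.
_BAD_CHARS = re.compile(r"[;,\s]")

def invalid_source_entries(origins: list[str]) -> list[str]:
    """Entries that would terminate or split the directive if aggregated."""
    return [o for o in origins if _BAD_CHARS.search(o)]

def build_frame_src(origins: list[str]) -> str:
    """Aggregate client origins into one frame-src directive, refusing to
    emit a header at all if any entry would truncate it for everybody."""
    bad = invalid_source_entries(origins)
    if bad:
        raise ValueError(f"rejecting CSP source entries: {bad}")
    return "frame-src " + " ".join(origins)

# Constructed sample allow-list; only the malformed entry mirrors the thread.
CLIENT_ORIGINS = [
    "https://plugins.example-bank.test",
    "http://localhost:3000",
    "http://localhost;8080",  # the typo that truncates the directive
    "https://auth2-dev.azurewebsites.net",
]

def naive_header(origins: list[str]) -> str:
    """The unchecked aggregation the thread describes."""
    return "default-src 'self'; frame-src " + " ".join(origins)

if __name__ == "__main__":
    hdr = naive_header(CLIENT_ORIGINS)
    print(parse_csp(hdr))  # note the bogus '8080' directive holding the tail
    print(frame_src_allows(hdr, "https://auth2-dev.azurewebsites.net"))  # False
```

This is also why the origin appears in the raw header text yet is still blocked: it sits after the `;`, so it ends up in a bogus `8080` directive instead of `frame-src`.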
