fix(office_ui): emit upgrade-insecure-requests CSP only when OO_SERVER_URL is https #8

Merged
zaelgohary merged 1 commit from development_fix_csp_only_when_https into development 2026-04-26 13:31:06 +00:00
Member

Summary

Editor wrapper unconditionally set the upgrade-insecure-requests CSP (meta tag + response header). Browsers then forced http:// OnlyOffice URLs to https://, breaking HTTP-only dev setups with SSL handshake errors and DocsAPI is not defined.

Related Issue

None.

Changes

  • crates/hero_office_ui/src/handlers.rs: skip CSP when OO_SERVER_URL starts with http://

Test Results

cargo build --release --bin hero_office_ui passes.

Manual verification

  • Headless chrome against http://[..mycelium..]:9988/hero_office/ui/word/edit/test.docx?context=geomind with OO_SERVER_URL=http://[..mycelium..]:8088: OnlyOffice editor renders fully (toolbar + page) instead of failing on SSL handshake.
  • Wrapper HTML and response headers no longer contain the CSP when OO is HTTP; they still emit when OO is HTTPS.
Editor wrapper unconditionally set the CSP `upgrade-insecure-requests`
on both the meta tag and the response header. Browsers then forced
`http://` OnlyOffice URLs to `https://`, breaking HTTP-only dev setups
with SSL handshake errors and `DocsAPI is not defined`. Skip the CSP
when `OO_SERVER_URL` itself starts with `http://`.
zaelgohary merged commit 81227b29f6 into development 2026-04-26 13:31:06 +00:00
zaelgohary deleted branch development_fix_csp_only_when_https 2026-04-26 13:31:06 +00:00
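The decision this PR describes, as an added Rust example that is not the code from `crates/hero_office_ui/src/handlers.rs`: one function decides whether `upgrade-insecure-requests` is emitted, and both the response header and the meta tag are built from that single result so they cannot disagree. The names `csp_for`, `render_wrapper` and `Wrapper` and the sample URLs are hypothetical, and the case-insensitive scheme match goes beyond the `http://` prefix check the PR mentions.

```rust
// Added example; all names here are hypothetical, not taken from hero_office_ui.
const UPGRADE_CSP: &str = "upgrade-insecure-requests";

/// Returns the CSP value to emit for a given OO_SERVER_URL, or None to skip it.
/// Only an explicit plain-HTTP URL opts out; empty or unknown values keep the CSP.
fn csp_for(oo_server_url: &str) -> Option<&'static str> {
    let url = oo_server_url.trim();
    // URL schemes are case-insensitive, so "HTTP://" must be treated like "http://".
    let is_plain_http = url
        .get(..7)
        .map(|prefix| prefix.eq_ignore_ascii_case("http://"))
        .unwrap_or(false);
    if is_plain_http { None } else { Some(UPGRADE_CSP) }
}

struct Wrapper {
    headers: Vec<(&'static str, String)>,
    html: String,
}

/// Builds the wrapper response; header and meta tag share one decision.
fn render_wrapper(oo_server_url: &str) -> Wrapper {
    let mut headers = vec![("Content-Type", "text/html; charset=utf-8".to_string())];
    let mut meta = String::new();
    if let Some(v) = csp_for(oo_server_url) {
        headers.push(("Content-Security-Policy", v.to_string()));
        meta = format!(r#"<meta http-equiv="Content-Security-Policy" content="{v}">"#);
    }
    let html = format!("<!doctype html><html><head>{meta}</head><body></body></html>");
    Wrapper { headers, html }
}

fn main() {
    // Constructed sample values, not the deployment's real addresses.
    for url in ["http://oo.example:8088", "https://oo.example", "HTTP://oo.example", ""] {
        let w = render_wrapper(url);
        let has_header = w.headers.iter().any(|(k, _)| *k == "Content-Security-Policy");
        println!("{url:?}: header={has_header} meta={}", w.html.contains(UPGRADE_CSP));
    }
}
```
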
Author
Member

Filed bug report: #9

Reference
lhumina_code/hero_office!8