Checkup tests failing #98

Open
9 tasks done
tituspijean opened this issue Jul 7, 2021 · 4 comments

Comments

@tituspijean
Member

tituspijean commented Jul 7, 2021

Describe the bug

The installation's domain.tld/checkup page complains about several things.

Context

  • Hardware: any
  • YunoHost version: any (currently v4.2.6.1)
  • I have access to my server: any means
  • Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
  • Using, or trying to install package version/branch: v4.8.0 and earlier

Steps to reproduce

Install the app and reach the checkup page.

Expected behavior

No or minimal complaints.

Logs

Let's make it a to-do list. Some tasks might be deemed unnecessary.

  • httpUnsafeOrigin and httpSafeOrigin are equivalent. In order for CryptPad's security features to be as effective as intended they must be different. See cryptpad/config/config.js
  • This instance's encrypted support ticket functionality has not been enabled. This can make it difficult for its users to safely report issues that concern sensitive information. This can be configured via the admin panel's Support tab.
  • This instance has not been configured to support web administration. This can be enabled by adding a registered user's public signing key to the adminKeys array in cryptpad/config/config.js. (this one has to be done manually IIRC)
  • Missing HTTP headers required for .xlsx export from sheets. A value of require-corp was expected for the cross-origin-embedder-policy HTTP header, but instead a value of "" was received.
  • /api/config was served with duplicated or incorrect headers. Compare your reverse-proxy configuration against the provided example.
  • The cross-origin-resource-policy header for /api/config is '' instead of 'cross-origin' as expected.
  • The cross-origin-embedder-policy header for /api/config is '' instead of 'require-corp' as expected.
  • Same as the three /api/config items above, but for /api/broadcast instead
  • /some/page does not have the required 'content-security-policy' headers set
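As an added example (not CryptPad's own checkup code and not part of the YunoHost package), the header expectations quoted in the list above can be re-checked offline against constructed sample responses; the origin URLs and the CSP value are assumptions, the expected header values are the ones the checkup reports.

```python
from typing import Dict, List

# Expected values quoted in the issue for /api/config and /api/broadcast.
API_EXPECTED = {"cross-origin-embedder-policy": "require-corp",
                "cross-origin-resource-policy": "cross-origin"}
# Pages the checkup expects to carry a content-security-policy header.
CSP_PAGES = ("/sheet/inner.html",
             "/common/onlyoffice/v4/web-apps/apps/spreadsheeteditor/main/index.html")

def check_origins(config: Dict[str, str]) -> List[str]:
    """First complaint in the issue: the safe and unsafe origins must differ."""
    if config.get("httpUnsafeOrigin") == config.get("httpSafeOrigin"):
        return ["httpUnsafeOrigin and httpSafeOrigin are equivalent; they must differ"]
    return []

def check_api_headers(path: str, headers: Dict[str, str]) -> List[str]:
    """Compare one API endpoint's headers with the expected values."""
    # Header names are case-insensitive. A header emitted twice (by CryptPad
    # and again by the reverse proxy) reaches clients as "a, a", which fails too.
    got = {k.lower(): v for k, v in headers.items()}
    return [f"{path}: {name} is '{got.get(name, '')}' instead of '{want}'"
            for name, want in API_EXPECTED.items() if got.get(name, "") != want]

def check_csp(path: str, headers: Dict[str, str]) -> List[str]:
    if "content-security-policy" not in {k.lower() for k in headers}:
        return [f"{path} does not have the required 'content-security-policy' header"]
    return []

def run_checkup(config: Dict[str, str], responses: Dict[str, Dict[str, str]]) -> List[str]:
    # responses maps a request path to the response headers observed for it.
    problems = check_origins(config)
    for path in ("/api/config", "/api/broadcast"):
        problems += check_api_headers(path, responses.get(path, {}))
    for path in CSP_PAGES:
        problems += check_csp(path, responses.get(path, {}))
    return problems

# Constructed samples: a proxy that strips every header vs. the corrected setup.
API_OK = {"Cross-Origin-Embedder-Policy": "require-corp",
          "Cross-Origin-Resource-Policy": "cross-origin"}
PAGE_OK = {"Content-Security-Policy": "default-src 'self'"}  # assumed value
BROKEN = {"/api/config": {}, "/api/broadcast": {}, "/sheet/inner.html": {}}
FIXED = {"/api/config": API_OK, "/api/broadcast": API_OK,
         "/sheet/inner.html": PAGE_OK, CSP_PAGES[1]: PAGE_OK}
SAME_ORIGINS = {"httpUnsafeOrigin": "https://pad.domain.tld",   # assumed
                "httpSafeOrigin": "https://pad.domain.tld"}
SPLIT_ORIGINS = {"httpUnsafeOrigin": "https://pad.domain.tld",  # assumed
                 "httpSafeOrigin": "https://sandbox.domain.tld"}
```

Running `run_checkup(SAME_ORIGINS, BROKEN)` reproduces the seven complaints listed in the issue; `run_checkup(SPLIT_ORIGINS, FIXED)` returns none.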
@ericgaspar
Member

This instance has not been configured to support web administration. This can be enabled by adding a registered user's public signing key to the adminKeys array in cryptpad/config/config.js.

This one can't be done automatically, it has to be done by the admin (a how-to is sent by mail)

@ericgaspar
Member

Here is my test output after setting admin key and enabling support tickets:

This instance is running CryptPad v4.8.0.

21 / 24 tests passed.

Details found below

httpUnsafeOrigin and httpSafeOrigin are equivalent. In order for CryptPad's security features to be as effective as intended they must be different. See cryptpad/config/config.js. Changes to cryptpad/config/config.js will require a server restart in order for /api/config to be updated.
Failed test number 2
Returned value false
/sheet/inner.html does not have the required 'content-security-policy' headers set. This is most often related to incorrectly configured sandbox domains or reverse proxies.
Failed test number 17
Returned value false
/common/onlyoffice/v4/web-apps/apps/spreadsheeteditor/main/index.html does not have the required 'content-security-policy' headers set. This is most often related to incorrectly configured sandbox domains or reverse proxies.
Failed test number 18
Returned value false

@Ddataa
Member

Ddataa commented Mar 2, 2023

We are getting there... soon to be fully complete.

@Ddataa
Member

Ddataa commented Mar 25, 2023

Test 26:

This instance has not been configured to enable support for embedding assets and documents in third-party websites. In order for this setting to be effective while still permitting encrypted media to load locally the Access-Control-Allow-Origin should only match trusted domains. Under most circumstances it is sufficient to permit only the sandbox domain to load assets. Remote embedding can be enabled via the admin panel.

is contradictory, as the Access-Control-Allow-Origin header is indeed set to the sandbox domain. Taken from @ansuz that it shall be solved in a future version.
