gyselroth / balloon-client-web

balloon web user interface
GNU General Public License v3.0

Auth using oidc not possible anymore #294

Open raffis opened 4 years ago

raffis commented 4 years ago

Describe the bug

Content Security Policy: The page’s settings blocked the loading of a resource at https://xxx/.well-known/openid-configuration (“default-src”).

To Reproduce

Install v3.2.14 with a configured oidc provider.

Expected behaviour

No such csp error.

Environment

Additional context

Note this is a follow up issue from #292

raffis commented 4 years ago

There won't be a solution before balloon nextgen.

If you have a custom oidc provider:

As a workaround, either downgrade to 3.2.13 or, for more security, keep using >= v3.2.14 and add a custom nginx config, which must be mapped to /etc/nginx/conf.d/default.conf for balloon-web instances.

# Headers set here at http level are inherited by the server/location below.
# (An add_header inside the location would replace this whole set, not extend it.)
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# Host sources in a CSP are not quoted: a quoted 'https://host' is not a valid
# source expression and browsers ignore it, so the discovery request stays blocked.
# Replace https://customoidcprovider with your issuer's origin (scheme + host[:port], no path).
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:; connect-src 'self' https://customoidcprovider;";

server {
    location / {
        root /usr/share/balloon-web;
        index index.html;
        break;
    }
}
raffis commented 4 years ago

Note that an additional WOPI client besides loolwsd, if configured, also needs to be added manually.

The web client v4 will most likely be served by node so that we are able to customize such headers, as this is not possible with a static content serving mechanism like nginx.
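The following is an added example, not code from balloon-client-web or from the comment author. It sketches what a node-served front end could do with the headers the nginx workaround sets by hand: derive the connect-src list from the configured OIDC issuer and any WOPI clients (reduced to origins, since a CSP host-source carries no path), and check a request URL against the resulting policy the way a browser would (connect-src if present, else default-src). It also shows why the quoted host form does not work: a quoted `'https://host'` is not a valid source expression and is ignored. All hostnames (idp.example.com, office.example.com, balloon.example.com) and the function names are placeholders chosen for this example.

```javascript
// Added example, not balloon-client-web code. All hostnames are placeholders.

// Reduce a configured URL to the origin CSP needs (scheme://host[:port]).
// Paths are not part of a host-source, so https://idp/realms/x becomes https://idp.
function originOf(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== "https:") throw new Error(`refusing non-https origin for CSP: ${rawUrl}`);
  return u.origin;
}

// Build the Content-Security-Policy value: the default-src of the nginx workaround,
// plus one unquoted host-source per external endpoint the client must call.
function buildCsp({ oidcIssuer, wopiClients = [] }) {
  const connectSrc = ["'self'", originOf(oidcIssuer), ...wopiClients.map(originOf)];
  return [
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:",
    `connect-src ${[...new Set(connectSrc)].join(" ")}`,
  ].join("; ");
}

// Full header set, equivalent to the add_header lines of the workaround.
function securityHeaders(config) {
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": buildCsp(config),
  };
}

// Parse "name v1 v2; name v1" into { name: [v1, v2], ... }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Would a fetch/XHR from pageOrigin to target be allowed? Mirrors the browser's
// fallback (connect-src if present, otherwise default-src). Handles 'self' and exact
// host-sources only (no wildcards or scheme-only sources), which is all the workaround uses.
function connectAllowed(csp, pageOrigin, target) {
  const d = parseCsp(csp);
  const sources = d["connect-src"] || d["default-src"] || [];
  const targetOrigin = new URL(target).origin;
  return sources.some((src) => {
    if (src === "'self'") return targetOrigin === pageOrigin;
    if (src.startsWith("'")) return false; // keywords never match a URL; a quoted host is an invalid source
    try { return new URL(src).origin === targetOrigin; } catch { return false; }
  });
}

// Demo with placeholder hosts.
const demoHeaders = securityHeaders({
  oidcIssuer: "https://idp.example.com/realms/balloon",
  wopiClients: ["https://office.example.com:9980/"],
});
console.log(demoHeaders["Content-Security-Policy"]);
console.log(connectAllowed(demoHeaders["Content-Security-Policy"], "https://balloon.example.com",
  "https://idp.example.com/.well-known/openid-configuration")); // true
```

With the policy from the error report (default-src 'self' and no connect-src) `connectAllowed` returns false for the discovery URL, which is exactly the blocked request in the bug description; with the issuer's origin added to connect-src, unquoted, it returns true.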