Unable to load custom external plugin (after applied CSP restrictions)

[cotwitch]

Preflight Checklist

• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Describe the bug
Unable to load external custom plugin from my own domain

To Reproduce
Steps to reproduce the behavior:

1. Open web app 'draw.io' ('app.diagrams.net' respectively)
2. Go to 'Extras' > 'Plugins..' > 'Add'
3. Fill plugin URL located in different location/domain than 'draw.io', 'app.diagrams.net', etc... > 'Apply'
4. Reload application
5. Confirm loading custom plugin
6. Open developer console and check for the error:

Refused to load the script '<script url you've entered>' because it violates the following Content Security Policy directive: "script-src 'self' https://storage.googleapis.com https://apis.google.com https://*.pusher.com https://code.jquery.com https://www.dropbox.com https://api.trello.com 'sha256-JqdgAC+ydIDMtmQclZEqgbw94J4IeABIfXAxwEJGDJs=' 'sha256-4Dg3/NrB8tLC7TUSCbrtUDWD/J6bSLka01GHn+qtNZ0='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Expected behavior
Load plugin from external URL/domain as it was possible in previous versions (before 13.1.5)

• Using current draw.io version: 13.1.14

Desktop:

• OS: macOS
• Browser: Chrome, Safari
• Version: 83.0.4103.61, 13.1

Additional context
I've noticed that in changelog (https://github.com/jgraph/drawio/blob/master/ChangeLog) is specified version 13.1.5 with change "Adds CSP restrictions" which is causing problem described above. But unfortunately, I was unable to find any information how I could overcome this limitation. So, question is simple - What could I do, to be able to load my custom plugin from external URL again? Any URL get parameters or similar? Should I store plugin, somehow, into https://storage.googleapis.com or https://apis.google.com ?

[sk000f]

Seeing the same issue when loading a plugin file hosted in GitHub.

Looks like the Content-Security-Policy header was added to https://github.com/jgraph/drawio/blob/master/src/main/webapp/WEB-INF/appengine-web.xml within release 13.1.7. Although in the latest src it's not there (but does get sent when using v13.2.4 online as far as I can see).

With the header set it looks like it should be possible to serve a plugin script from Dropbox because dropbox.com is listed within script-src in the Content-Security-Policy header, but if you use a dropbox.com URL then the file is served by Dropbox as text/html so it gets blocked due to a MIME type mismatch. If you use a https://dl.dropboxusercontent.com URL then you can load the file as JS, but then this URL isn't listed in script-src so it gets blocked by the Content-Security-Policy again.

Could also serve files from https://raw.githubusercontent.com, but that's only listed in the img-src part of the header, so you can only serve images and not JS scripts from that URL.

The one thing I'm not sure of is why I'm still seeing that header returned when using v13.2.4 when it looks to have been removed from the source before that. Maybe it's being set somewhere else.

Is it possible to update the Content-Security-Policy header to add https://dl.dropboxusercontent.com and/or https://raw.githubusercontent.com to the script-src part of the header?

[davidjgraph]

Arbitary JS injected into the app when we host it is becoming more and more of a security concern. We can't really allow those two domains, since anyone could host pretty much anything on them.

One workaround for now is to use a draw.io domain with a URL parameter, www doesn't have the CSP applied. But, even then, it will at some point.

Our CSP is likely to tighten even further, rather than become more loose, so I would assume the version we host isn't going to be able to use custom plugins in the long term.

Is hosting a custom draw.io or using the desktop version an option?

[sk000f]

Thanks for responding @davidjgraph - understood and makes complete sense.

I can use www for now. Desktop gives me a 'file already exists' message when I try and load the plugin file there but I'll look at that separately.

Thank you, appreciated 👍

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.