OneDrive opening of diagram fails for sharepoint.de due to CSP

Open phw opened this issue 1 year ago • 0 comments

Preflight Checklist

  • [x] I agree to follow the Code of Conduct that this project adheres to.
  • [x] I have searched the issue tracker for a feature request that matches the one I want to file, without success.

You must agree to search and the code of conduct. You must fill in this entire template. If you delete part/all or miss parts out your issue will be closed.

If you are technical, you should report bugs along the lines of https://marker.io/blog/how-to-write-bug-report. If you are not technical, we will make allowances, please try to make an effort to understand the process.

Describe the bug

Opening existing drawings from connected company OneDrive fails. Creating a new drawing and saving it in OneDrive works, but opening it again then fails.

The reason for failing seems to be the CSP and the fact that for my company account it attempts to connect to a subdomain of sharepoint.de. The existing CSP allows only https://*.sharepoint.com, not .de.

Error message in the browser console (cleaned):

Content-Security-Policy: Die Einstellungen der Seite haben das Laden einer Ressource (connect-src) auf https://somecompanyname-my.sharepoint.de/personal/p_wolfer_somecompanyname_de/_layouts/15/download.aspx?*** blockiert, da sie gegen folgende Direktive verstößt: "connect-src https://*.dropboxapi.com https://api.trello.com 'self' https://*.draw.io https://*.diagrams.net https://*.googleapis.com wss://app.diagrams.net wss://*.pusher.com https://*.pusher.com https://api.github.com https://raw.githubusercontent.com https://gitlab.com https://graph.microsoft.com https://my.microsoftpersonalcontent.com https://*.sharepoint.com https://*.1drv.com https://api.onedrive.com https://dl.dropboxusercontent.com https://api.openai.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com"

To Reproduce

  1. Login with OneDrive account
  2. Select a previously saved drawio file
  3. No preview is shown, the browser console shows a CSP error and opening will fail with "invalid selection"

Expected behavior

Access to the file works.

Screenshots grafik

draw.io version (In the Help->About menu of the draw.io editor):

  • draw.io version 24.7.6

Desktop (please complete the following information):

  • OS: Linux Ubuntu 24.04
  • Browser Firefox
  • Browser Version 128

Smartphone (please complete the following information): n/a

I tested the problem in incognito/private mode with all browser extensions switched off, write "yes" below:

  • yes

Additional context n/a

phw, Aug 08 '24 15:08
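The console error in the report comes down to CSP host-source matching: `https://*.sharepoint.com` covers subdomains of sharepoint.com only. The following is an added example, not part of the original issue or of draw.io's code, that runs a simplified matcher over the connect-src directive quoted in the error; `SELF_ORIGIN`, the function names, the test URLs and the extra `https://*.sharepoint.de` source are assumptions.

```javascript
// Simplified CSP host-source matching (scheme, host, port) for the directive in the report.
// The connect-src value is copied from the console error; everything else is an assumption.
const POLICY = [
  "connect-src https://*.dropboxapi.com https://api.trello.com 'self' https://*.draw.io",
  "https://*.diagrams.net https://*.googleapis.com wss://app.diagrams.net wss://*.pusher.com",
  "https://*.pusher.com https://api.github.com https://raw.githubusercontent.com https://gitlab.com",
  "https://graph.microsoft.com https://my.microsoftpersonalcontent.com https://*.sharepoint.com",
  "https://*.1drv.com https://api.onedrive.com https://dl.dropboxusercontent.com",
  "https://api.openai.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com",
].join(" ");
const SELF_ORIGIN = "https://app.diagrams.net"; // assumption: origin serving the editor
const DEFAULT_PORT = { "https:": "443", "http:": "80", "wss:": "443", "ws:": "80" };

// Paths and scheme-less sources are not handled (this policy has neither), and schemes
// are compared exactly, which is enough for the https/wss sources listed here.
function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === SELF_ORIGIN;
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (url.protocol !== scheme.toLowerCase() + ":") return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  if (port !== "*" && (port || DEFAULT_PORT[url.protocol]) !== urlPort) return false;
  const h = url.hostname.toLowerCase(), p = host.toLowerCase();
  // "*.example.com" matches any subdomain of example.com, never example.com itself
  // and never the same label under another TLD.
  return p.startsWith("*.") ? h.endsWith(p.slice(1)) : h === p;
}

// Returns the first source expression that allows the URL, or null if it is blocked.
function allowedBy(policy, target) {
  const url = new URL(target);
  const [, ...sources] = policy.trim().split(/\s+/); // drop the directive name
  return sources.find((s) => sourceMatches(s, url)) ?? null;
}

// Constructed URLs: host and path follow the one in the report, query string dropped.
const PATH = "/personal/p_wolfer_somecompanyname_de/_layouts/15/download.aspx";
const BLOCKED_URL = "https://somecompanyname-my.sharepoint.de" + PATH;
const ALLOWED_URL = "https://somecompanyname-my.sharepoint.com" + PATH;
console.log(allowedBy(POLICY, BLOCKED_URL));
console.log(allowedBy(POLICY, ALLOWED_URL));
// Assumed remedy for illustration: one extra host-source for the .de tenant domain.
console.log(allowedBy(POLICY + " https://*.sharepoint.de", BLOCKED_URL));
```

The same function can be pointed at any other endpoint to check it against the policy before changing the header.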