
[Bug]: Content-Security Policy blocks download of Knowledge files #2418

Open
raisindetre opened this issue Apr 9, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@raisindetre

What happened?

Trying to download files uploaded to a brain's knowledge results in a blocked:csp error in the browser preventing download. Disabling CSP in the browser enables the download to complete. The request URL is to http://host.docker.internal:54321 but the CSP directive does not include this domain. It includes http://localhost:54321 which also fails with CSP enabled but completes with it off.

Generation of the request is clearly ok, but the code writing the CSP directive needs to be more permissive.

Relevant log output

Browser console error:

```text
511-fa8e22a6a59a624c.js:6 Refused to connect to 'http://host.docker.internal:54321/storage/v1/object/sign/quivr/30c94065-f86…jEwOTcsImV4cCI6MTcxMjY2NDY5N30.igEdT-WV9cnLmgqaZYzQrePQ00ATNneEk21HFuPN90o' because it violates the following Content Security Policy directive: "connect-src 'self' http://localhost:54321 http://localhost:5050 https://cms.quivr.app *.intercom.io *.intercomcdn.com https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals https://us.posthog.com".
```


supabase_storage_secondbrain log entry for the request:

```json
{
  "level": 30,
  "time": "2024-04-09T20:38:32.026Z",
  "pid": 1,
  "hostname": "866305bc8ffb",
  "reqId": "req-1ab",
  "tenantId": "stub",
  "project": "stub",
  "type": "request",
  "req": {
    "traceId": "req-1ab",
    "method": "POST",
    "url": "/object/sign/quivr/b7b803c1-3e23-4154-a651-a2fefcfd6e9b/Test_150823.txt",
    "headers": {
      "host": "supabase_storage_secondbrain:5000",
      "x_forwarded_proto": "http",
      "x_forwarded_host": "host.docker.internal",
      "x_forwarded_port": "8000",
      "x_real_ip": "192.168.65.1",
      "content_length": "39",
      "accept": "*/*",
      "user_agent": "supabase-py/storage3 v0.5.5",
      "content_type": "application/json"
    },
    "hostname": "supabase_storage_secondbrain:5000",
    "remoteAddress": "172.19.0.3",
    "remotePort": 53964
  },
  "res": {
    "statusCode": 200,
    "headers": {
      "content_type": "application/json; charset=utf-8",
      "content_length": "335"
    }
  },
  "responseTime": 45.55929200351238,
  "msg": "stub | POST | 200 | 172.19.0.3 | req-1ab | /object/sign/quivr/b7b803c1-3e23-4154-a651-a2fefcfd6e9b/Test_150823.txt | supabase-py/storage3 v0.5.5"
}
```


raisindetre added the bug label Apr 9, 2024

dosubot bot commented Apr 9, 2024

Hey @raisindetre! Great to see you diving into another challenge. How's everything going on your end?

To resolve the blocked:csp error when downloading files, you need to include http://host.docker.internal:54321 in the connect-src directive of your Content-Security Policy (CSP). This adjustment allows connections to the domain, which is necessary for the download process.

Here's how to update your CSP in the next.config.js file:

```js
const ContentSecurityPolicy = {
  "connect-src": [
    "'self'",
    // Other domains
    "http://host.docker.internal:54321", // Add this line
  ],
  // ... other directives ...
};
```

After adding this domain, the CSP will permit connections to http://host.docker.internal:54321, which should eliminate the download issue. Ensure you've located the CSP configuration correctly in your project's settings, typically found in the next.config.js file or a similar configuration file depending on your setup.

Let me know if this solution works for you or if further assistance is needed.


@raisindetre (Author)

Yes - as a hack I got things working by changing `SUPABASE_URL` in `.env` to `http://[HOST_LAN_IP]:54321` and editing `frontend/next.config.js` as shown:

```js
const ContentSecurityPolicy = {
  // ...
  "connect-src": [
    "'self'",
    process.env.NEXT_PUBLIC_SUPABASE_URL,
    process.env.NEXT_PUBLIC_BACKEND_URL,
    process.env.NEXT_PUBLIC_CMS_URL,
    "*.intercom.io",
    "*.intercomcdn.com",
    "https://api.june.so",
    "https://api.openai.com",
    "https://cdn.growthbook.io",
    "https://vitals.vercel-insights.com/v1/vitals",
    "https://us.posthog.com",
  ],
  // ...
};
```

Add `"http://[HOST_LAN_IP]:*",` to the end of this list, then:

```sh
$ docker-compose stop frontend
$ docker-compose rm frontend      # 'rm' is the docker-compose subcommand for removing stopped containers
$ docker image prune -a
$ docker-compose build frontend
$ docker-compose up frontend
```

Log out of and back into the Quivr UI. If you get UI error notifications and no content is displayed, stop and restart the whole quivr container in Docker.

Other values for `SUPABASE_URL` might work, but I got SEGFAULT errors from Yarn when trying to add `http://host.docker.internal:54321` to the array, and the original problem remained if I set it to `http://localhost:54321` and relied on the default CSP directive, which looks like:

```text
"connect-src 'self' http://localhost:54321 http://localhost:5050 https://cms.quivr.app *.intercom.io *.intercomcdn.com https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals https://us.posthog.com"
```

So setting `SUPABASE_URL` to `http://localhost:54321` should work but it doesn't... ¯\_(ツ)_/¯
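The behaviour both comments describe (a request to `http://host.docker.internal:54321` is refused while only `http://localhost:54321` is listed) is plain `connect-src` source matching: CSP compares scheme, host and port literally, and a host that is not in the list is never implied by another. The following is an added example, not Quivr's code or the bot's suggestion. It assembles a `connect-src` value from an allow-list the way the `next.config.js` excerpt does, dropping unset `NEXT_PUBLIC_*` values so they do not serialise as the string `undefined`, and implements a simplified version of the CSP Level 3 "does URL match source expression" check (scheme with http→https upgrade, host with a leading `*.` wildcard, port with `*`, exact or prefix path) so a request URL can be tested against the directive before rebuilding the container. The self origin `http://localhost:3000` and the LAN address `192.168.1.20` are constructed placeholders; the directive itself is the one from the console error above.

```javascript
// Added example, not Quivr's code: build a connect-src directive and check
// request URLs against it with a simplified CSP Level 3 source-expression
// match (scheme, host with "*." wildcard, port with "*", path).
// Nonce and hash sources do not apply to connect-src and never match here.

// The directive from the issue's console error, as an array.
const DEFAULT_CONNECT_SRC = [
  "'self'",
  "http://localhost:54321",
  "http://localhost:5050",
  "https://cms.quivr.app",
  "*.intercom.io",
  "*.intercomcdn.com",
  "https://api.june.so",
  "https://api.openai.com",
  "https://cdn.growthbook.io",
  "https://vitals.vercel-insights.com/v1/vitals",
  "https://us.posthog.com",
];

// Constructed placeholder: origin the frontend is assumed to be served from.
const SELF_ORIGIN = "http://localhost:3000";

const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };
// host-source: [scheme://]host[:port][/path]; host may be "*" or start with "*."
const HOST_SOURCE_RE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/\S*)?$/i;
const SCHEME_SOURCE_RE = /^([a-z][a-z0-9+.-]*):$/i;

// Join sources into a header value. Unset env vars (undefined) and duplicates
// are dropped so an unset NEXT_PUBLIC_* does not end up as "undefined".
function buildConnectSrc(sources) {
  const kept = [];
  for (const s of sources) {
    if (s && !kept.includes(s)) kept.push(s);
  }
  return `connect-src ${kept.join(" ")}`;
}

// Split a directive string ("connect-src a b c") back into its sources.
function parseDirective(directive) {
  const tokens = directive.trim().split(/\s+/);
  return tokens[0].toLowerCase() === "connect-src" ? tokens.slice(1) : tokens;
}

// CSP lets an http/ws source match an https/wss URL (upgrade), never the reverse.
function schemeMatches(srcScheme, urlScheme) {
  return srcScheme === urlScheme
    || (srcScheme === "http" && urlScheme === "https")
    || (srcScheme === "ws" && urlScheme === "wss");
}

function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.intercom.io" -> ".intercom.io"
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return pattern === hostname; // nothing implies host.docker.internal from localhost
}

// new URL() reports "" for a scheme's default port, so normalise the source side.
function portMatches(srcPort, srcScheme, urlPort) {
  if (srcPort === "*") return true;
  const want = srcPort === undefined || srcPort === DEFAULT_PORTS[srcScheme] ? "" : srcPort;
  return want === urlPort;
}

// A source path ending in "/" is a prefix; any other path must match exactly.
function pathMatches(srcPath, urlPath) {
  return srcPath.endsWith("/") ? urlPath.startsWith(srcPath) : urlPath === srcPath;
}

function urlMatchesSource(source, url, selfOrigin) {
  const u = new URL(url);
  const self = new URL(selfOrigin);
  const urlScheme = u.protocol.slice(0, -1).toLowerCase();
  const selfScheme = self.protocol.slice(0, -1).toLowerCase();

  if (source === "'self'") return u.origin === self.origin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes

  const schemeOnly = SCHEME_SOURCE_RE.exec(source);
  if (schemeOnly) return schemeMatches(schemeOnly[1].toLowerCase(), urlScheme);

  const m = HOST_SOURCE_RE.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const srcScheme = (scheme || selfScheme).toLowerCase(); // no scheme: inherit the page's
  return schemeMatches(srcScheme, urlScheme)
    && hostMatches(host.toLowerCase(), u.hostname.toLowerCase())
    && portMatches(port, srcScheme, u.port)
    && (path === undefined || pathMatches(path, u.pathname));
}

// First source that admits the URL, or null when the browser would log
// "Refused to connect ... violates the following Content Security Policy directive".
function matchingSource(url, sources, selfOrigin = SELF_ORIGIN) {
  return sources.find((s) => urlMatchesSource(s, url, selfOrigin)) ?? null;
}
```

Running `matchingSource("http://host.docker.internal:54321/storage/v1/object/sign/quivr/x", DEFAULT_CONNECT_SRC)` returns `null`, which is the refusal in the console log, while the same path on `http://localhost:54321` returns that source; appending a port-wildcard entry such as `"http://192.168.1.20:*"` is what makes the LAN-address workaround pass. Because `buildConnectSrc` takes the same array the config does, the directive the browser will enforce can be checked with a few calls before a rebuild.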
