feat: add basic csp config

[dschmidt]

Description

This adds a basic csp config.

Related Issue

• Initial implementation for Support for CSP configuration #569

Motivation and Context

Enables loading oC Web.

This needs further work for enabling office suites, but that could maybe be tackled after/or while integrating the new collaboration service.

How Has This Been Tested?

• deployed it in a demo environment and oC Web didn't refuse to load anymore

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Technical debt
• Tests only (no source changes)

Checklist:

[wkloucek]

We should expose config options to be actually able to use integrations like eg. Drawio.

[dschmidt]

Do you insist on having it inside this PR?

I would suggest to iterate, as in the current state of the repo it's not possible to login at all and this PR at least makes it possible to run a very simple ocis without offices or drawio

[wkloucek]

Do you insist on having it inside this PR?

Yes, except you can explain which value your current PR provide over the default oCIS config.

[wkloucek]

I would suggest to iterate, as in the current state of the repo it's not possible to login at all and this PR at least makes it possible to run a very simple ocis without offices or drawio

this is already possible on main ( minus the office and drawio, but therefore we have the current PR in my opinion)

Once CSP is configurable, we can see how that blends into the collaboration service integration #567

[dschmidt]

Ah, I see - unsafe-eval is missing from the default config which causes errors in the console:

I had added it locally but removed it before pushing because I thought that shouldn't be something we actually set in the helm charts... I didn't realize this was the only reason I needed this change.

As I'm not so familiar with how you handle optional features here: if it takes you longer to tell me how to implement this, feel free to take this PR over

[dschmidt]

Meanwhile I would try to figure out if we can get rid of the unsafe-eval requirement in Web...

edit:
apparently caused by the Vue.js Devtools, so irrelevant here

[micbar]

In the ocis full deployment we were forced to add

• the idp url to connect-src to get token refresh still working
• the web office urls to frame-src and img-src
• uppy companion url and web socket to connect-src for the cloud importer

[wkloucek]

I tested it with following deployment examples:

• development-install
• external-user-management

Office will be added in #567

[d7oc]

Sure about the 4? I would say it should be 6

[wkloucek]

actually this should have kept unchanged, will revert it.

[d7oc]

Hmm but unchanged (so 4) also sounds wrong to me if I look at the indentation.

[wkloucek]

It was reverted in 8d67428

[d7oc]

Is that officially available know?

[wkloucek]

I just took it from the documentation for oCIS 6.1: https://owncloud.dev/services/web/configuration/

[d7oc]

Hmm. I not sure if this is the right place to look if something is considered stable.

@micbar Can I please have your vote here? TIA

[wkloucek]

Hmm. I not sure if this is the right place to look if something is considered stable.

what do you mean by "stable" ? I agree that owncloud.dev might change over time because it has no concept of oCIS versions, while doc.owncloud.com has. But for rolling releases like 6.1.0 there is no documentation on doc.owncloud.com from what I know.

In this particular case and because of the timing, owncloud.dev and the released code are in sync: https://github.com/owncloud/ocis/blob/v6.1.0/services/web/pkg/config/defaults/defaultconfig.go#L101

EDIT: because of the time constraint, I also did a screenshot of the documentation instead of linking to it