hero_office_ui forces upgrade-insecure-requests CSP, breaking HTTP-only OnlyOffice setups #9

Closed
opened 2026-04-26 13:38:39 +00:00 by zaelgohary · 1 comment
Member

Symptom

Loading the editor wrapper against an http:// OnlyOffice instance fails:

  • Browser tries an SSL handshake against the HTTP-only docserver
  • Editor never loads; console shows DocsAPI is not defined

Cause

crates/hero_office_ui/src/handlers.rs emitted the upgrade-insecure-requests CSP unconditionally — both as a <meta> tag and as a response header. Browsers honored it and rewrote every http:// OnlyOffice URL to https:// before fetching, even when OO_SERVER_URL was explicitly HTTP.

Repro

  • Run hero_office_ui with OO_SERVER_URL=http://<host>:8088
  • Open http://<host>:9988/hero_office/ui/word/edit/<file>.docx
  • Editor fails to render; network tab shows TLS errors against port 8088

Expected

CSP should only emit when OO_SERVER_URL is HTTPS — HTTP-only dev setups need to keep talking HTTP.
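One way to gate the directive on the scheme of OO_SERVER_URL, as an added example that is not part of the issue or of the project's code. The function names are hypothetical and the sample URLs are constructed.

```rust
// Added illustration; function names are hypothetical, not taken from handlers.rs.

/// The directive named in the issue.
const UPGRADE_DIRECTIVE: &str = "upgrade-insecure-requests";

/// True only when the configured document-server URL uses the https scheme.
/// Scheme matching is case-insensitive; anything else, including a value
/// with no scheme, counts as "not HTTPS" so the directive is skipped.
fn oo_server_is_https(oo_server_url: &str) -> bool {
    match oo_server_url.trim().split_once("://") {
        Some((scheme, rest)) => scheme.eq_ignore_ascii_case("https") && !rest.is_empty(),
        None => false,
    }
}

/// Value for the Content-Security-Policy response header, or None to omit it.
fn csp_header_value(oo_server_url: &str) -> Option<&'static str> {
    oo_server_is_https(oo_server_url).then_some(UPGRADE_DIRECTIVE)
}

/// Matching <meta> tag for the page head; empty when the header is omitted,
/// so the two delivery paths named in the issue cannot disagree.
fn csp_meta_tag(oo_server_url: &str) -> String {
    match csp_header_value(oo_server_url) {
        Some(v) => format!(r#"<meta http-equiv="Content-Security-Policy" content="{v}">"#),
        None => String::new(),
    }
}

fn main() {
    // Constructed sample values for OO_SERVER_URL.
    let samples = [
        "http://docs.example.test:8088",
        "https://docs.example.test",
        "HTTPS://docs.example.test",
    ];
    for url in samples {
        println!("{url:<32} header={:?} meta={:?}", csp_header_value(url), csp_meta_tag(url));
    }
}
```

Deriving the `<meta>` tag from the header decision keeps both emission points behind a single check.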

Author
Member

Fixed by #8.

Reference
lhumina_code/hero_office#9