CSP issue when try to download file

mtubul · April 21, 2024, 10:37am

Describe the problem/error/question

I try to build a workflow which convert data to a file, once i did that i found there is an option to download the file. once i click on it i got the CSP error described in the image attached. i know i can solve it by adding the data scheme but in a security manner it is not recommended. there is other way to control it and serve the file in other way?
The error as described in the browser:

Information on your n8n setup

**n8n version:1.33
**Database (default: SQLite):postgres
**n8n EXECUTIONS_PROCESS setting (default: own, main):own
**Running n8n via (Docker, npm, n8n cloud, desktop app):Docker
Operating system:

Jon · May 1, 2024, 2:24pm

Hey @mtubul,

I am not able to reproduce this, Can you share a workflow that reproduces the issue?

mtubul · May 1, 2024, 2:51pm

We serving it with reverse proxy and we have a static CSP header in our web application which serving the UI.

netroy · May 2, 2024, 9:22am

While CSP is important to us, and is on our roadmap, we unfortunately can’t provide much support for CSP until we first have some version of it in the app itself.

In this case, the object-src violation is being reported because the app uses <embed> tag to show any file type that’s not audio, video, json, or html.
This is done so because having a custom mechanism to download and render every file type is going to be a lot of work.

That said, adding support for viewing text files without an <embed> should not be much work. So, let us know if this is an issue for you. we can then try to address this sooner.

system · May 9, 2024, 9:23am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.