Cannot connect to self hosted server from the webapp
Describe the bug
Logging into self-hosted domains doesn't work.
To Reproduce
Steps to reproduce the behavior:
- Go to https://app.standardnotes.com/
- Click on Sign In
- Expand Advanced options
- Select Custom in the Sync Server section
- Enter any domain
- Fill in any username and password
- Click Sign in
Expected behavior
I would expect that logging in would be successful. Logging into my self-hosted domain works fine from the mobile app, but not from the webapp, because of the security policy.
Screenshots
Desktop (please complete the following information):
- OS: any
- Browser: Chrome
- Version: 124.0.6367.118
Smartphone (please complete the following information):
- Device: Pixel 7
- OS: 14
- Browser: not using the browser, using the app
- Version: 3.194.6
Additional context
Refused to connect to 'https://standardnotes.anotherdomain.com/v2/login-params' because it violates the following Content Security Policy directive: "connect-src api.standardnotes.com sync.standardnotes.org files.standardnotes.com ws://sockets.standardnotes.com raw.githubusercontent.com listed.to blob:".
The issue is that the initial app.standardnotes.com defines the Content-Security-Policy in the response headers which blocks all other domains. If I manually override the headers to include standardnotes.mydomain.com, the login is successful.
However, overriding the response header is not a sustainable way to use the application.
One other issue I can see coming from this is with Subscription Sharing. It seems like you can't accept share invites through the Desktop or Mobile applications, only through the web app, unless I'm wrong. So if you wanted to share your existing Professional subscription with a self-hosted account, you'd be unable to, as you can't log in to the web app.
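Added example, not code from the issue or from Standard Notes: a simplified CSP connect-src matcher evaluated against the directive quoted in the error above, showing why the browser refuses the self-hosted login-params request while the listed hosts, the ws-to-wss upgrade and blob: URLs pass. The header copy, the page origin and the `*.mydomain.com` allowlist entry used in the test are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed header reproducing the connect-src directive quoted in the report.
CSP_HEADER = (
    "default-src 'self'; connect-src api.standardnotes.com sync.standardnotes.org "
    "files.standardnotes.com ws://sockets.standardnotes.com "
    "raw.githubusercontent.com listed.to blob:"
)
PAGE_ORIGIN = "https://app.standardnotes.com"   # origin that serves the web app (assumed)
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
UPGRADE = {"http": "https", "ws": "wss"}        # CSP3 lets an insecure source match its secure form


def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source, url, page_origin=PAGE_ORIGIN):
    """Simplified CSP host-source matching: scheme, host (with *. wildcard), port."""
    u = urlsplit(url)
    if source.startswith("'"):                 # 'self' resolves to the page origin; other keywords not modelled
        return source == "'self'" and source_matches(page_origin, url, page_origin)
    if source.endswith(":") and "/" not in source:   # scheme-source such as blob:
        return u.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    scheme = src.scheme or urlsplit(page_origin).scheme   # scheme-less source inherits the page scheme
    if u.scheme not in (scheme, UPGRADE.get(scheme)):
        return False
    host, want = (u.hostname or "").lower(), (src.hostname or "").lower()
    if want.startswith("*."):
        if not host.endswith(want[1:]):        # *.example.com covers subdomains, not example.com itself
            return False
    elif host != want:
        return False
    if src.port is None:                       # no port in the source: only the scheme's default port
        return u.port in (None, DEFAULT_PORTS.get(u.scheme))
    return u.port == src.port


def connect_allowed(header, url, page_origin=PAGE_ORIGIN):
    """Would a fetch/XHR to url pass connect-src (or default-src as the fallback)?"""
    directives = parse_csp(header)
    sources = directives.get("connect-src", directives.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)
```

Because the allowlist is fixed in the header served by app.standardnotes.com, a self-hosted host can only be permitted by the server emitting a different directive; nothing the user does client-side changes the outcome.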