Internally Hosted Draw.IO is not usable, "This content is blocked. Contact the site owner to fix the issue." #4861

Closed
opened 2026-02-05 09:21:39 +03:00 by OVERLORD · 3 comments

Originally created by @thickconfusion on GitHub (Jul 8, 2024).

Describe the Bug

Similar to #2285, I am getting a gray page in Chrome that says "This content is blocked. Contact the site owner to fix the issue."

I have the following environment variables set for the container:
DRAWIO=http://172.31.1.167:8080/?embed=1&proto=json&spin=1&configure=1&stealth=1
I have also attempted to modify this environment variable:
ALLOWED_IFRAME_SOURCES=

I've tried:

* http://172.31.1.167:8080
* https://172.31.1.167:8443
* http://172.31.1.167*

The only one that "works" is if I make it ALLOWED_IFRAME_SOURCES="*", which seems like a security vulnerability even if I'm running this on a LAN.

Note: I can access the plain old Draw.IO interface just fine: http://172.31.1.167:8080, and it loads.

Steps to Reproduce

Edit a page, click the icon to work on a Draw.io image.

Expected Behaviour

I expect to load into a Draw.IO instance.

Screenshots or Additional Context

No response

Browser Details

Chrome and Edge on Windows 11

Exact BookStack Version

v24.05.2

OVERLORD added the 🐛 Bug, 🔍 Pending Validation labels 2026-02-05 09:21:39 +03:00

@ssddanbrown commented on GitHub (Jul 9, 2024):

Hi @thickconfusion,

You shouldn't need to adjust the iframe sources since BookStack will look to automatically add any custom drawio URL, where set, to the CSP rules. Maybe our custom handling is tripping up any additional rules you're adding.

It does look though like we are not currently handling scenarios where non-protocol-standard ports are used.
I've marked this to be tested for next patch, against a custom-ported drawio instance.

Dev reference

https://github.com/BookStackApp/BookStack/blob/78ebcb6f38ee7a984b26cd56dff882ae9d7e9f95/app/Util/CspService.php#L144

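The comment above says BookStack adds the configured DRAWIO URL to its CSP rules automatically but did not yet handle non-standard ports, and the report lists three ALLOWED_IFRAME_SOURCES values that did not work. The following Python is an added example, not BookStack's PHP CspService and not code from either participant: a simplified CSP3 host-source matcher that shows why a frame-src entry without a port does not match a draw.io instance on :8080, why `http://172.31.1.167*` is not a valid host-source at all (a browser silently drops it), and how a frame-src entry can be derived from the DRAWIO URL while keeping the port. The function names, DEFAULT_PORTS table and the "drop invalid extras" policy are assumptions of this example; path matching and 'self' are deliberately not modelled.

```python
"""CSP frame-src matching for a self-hosted draw.io URL (added example, not BookStack code)."""
import re
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# host-source: optional leading "*." label, then dot-separated labels (IPv4 literals fit this too)
_HOST_RE = re.compile(r"^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def parse_source(expr: str):
    """Split a CSP host-source into (scheme, host, port).

    port is an int, "*" or None (no port given). Raises ValueError for expressions a
    browser would discard, e.g. "http://172.31.1.167*": the wildcard must be a leading
    "*." label, it cannot sit at the end of a host. Paths and IPv6 literals are ignored.
    """
    expr = expr.strip()
    if expr == "*":
        return None, "*", "*"
    scheme = None
    rest = expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    elif re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*:", expr):
        return expr[:-1].lower(), None, None  # scheme-source such as "https:"
    rest = rest.split("/", 1)[0]  # drop any path-part; this simplified matcher ignores paths
    host, sep, port = rest.partition(":")
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid host-source: {expr!r}")
    if not sep:
        return scheme, host.lower(), None
    if port == "*":
        return scheme, host.lower(), "*"
    if not port.isdigit():
        raise ValueError(f"invalid port in host-source: {expr!r}")
    return scheme, host.lower(), int(port)


def url_matches_source(expr: str, url: str) -> bool:
    """Simplified CSP3 'URL matches source expression' for http(s) URLs."""
    scheme, host, port = parse_source(expr)
    u = urlsplit(url)
    url_scheme = u.scheme.lower()
    url_host = (u.hostname or "").lower()
    url_port = u.port if u.port is not None else DEFAULT_PORTS.get(url_scheme)
    if host == "*" and scheme is None:
        return url_scheme in DEFAULT_PORTS  # bare "*" allows any network scheme
    # an "http" source also allows "https" (scheme-part matching); nothing else is upgraded
    if scheme is not None and not (scheme == url_scheme or (scheme == "http" and url_scheme == "https")):
        return False
    if host is None:
        return True  # scheme-source matched
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif host != url_host:
        return False
    if port is None:
        return url_port == DEFAULT_PORTS.get(url_scheme)  # no port given => only the scheme's default port
    if port == "*":
        return True
    return port == url_port


def drawio_frame_source(drawio_url: str) -> str:
    """Derive the frame-src entry for a configured DRAWIO URL, keeping a non-default port."""
    u = urlsplit(drawio_url)
    if u.scheme.lower() not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"DRAWIO must be an absolute http(s) URL: {drawio_url!r}")
    source = f"{u.scheme.lower()}://{u.hostname.lower()}"
    if u.port is not None and u.port != DEFAULT_PORTS[u.scheme.lower()]:
        source += f":{u.port}"
    return source


def frame_src_directive(drawio_url: Optional[str], allowed_iframe_sources: str = "") -> str:
    """Build a frame-src directive: 'self', the draw.io origin, then any valid extra sources."""
    sources = ["'self'"]
    if drawio_url:
        sources.append(drawio_frame_source(drawio_url))
    for extra in allowed_iframe_sources.split():
        try:
            parse_source(extra)
        except ValueError:
            continue  # a browser ignores malformed host-sources; drop them rather than emit junk
        if extra not in sources:
            sources.append(extra)
    return "frame-src " + " ".join(sources)


def is_frame_allowed(directive: str, url: str) -> bool:
    """Would a browser let `url` load in an iframe under this frame-src directive?"""
    sources = directive.split()[1:]
    # 'self' is skipped because the embedding page's origin is not modelled here
    return any(s != "'self'" and url_matches_source(s, url) for s in sources)


if __name__ == "__main__":
    # constructed input mirroring the report: draw.io on a non-default port
    DRAWIO = "http://172.31.1.167:8080/?embed=1&proto=json&spin=1&configure=1&stealth=1"
    for expr in ("http://172.31.1.167", "https://172.31.1.167:8443", "http://172.31.1.167*", "*"):
        try:
            print(f"{expr:28} -> {url_matches_source(expr, DRAWIO)}")
        except ValueError as e:
            print(f"{expr:28} -> rejected ({e})")
    print(frame_src_directive(DRAWIO))
```

Running the script prints that only `*` matches the :8080 URL among the report's attempts, and that `http://172.31.1.167*` is rejected outright; the derived directive is `frame-src 'self' http://172.31.1.167:8080`, which is the entry a port-aware implementation needs to emit.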

@thickconfusion commented on GitHub (Jul 9, 2024):

I commented out my ALLOWED_IFRAME_SOURCES line entirely, with my DRAWIO=http://172.31.1.167:8080/?embed=1&proto=json&spin=1&configure=1&stealth=1. I cleared browser cache, and I still have the problem. I again verified that I can launch http://172.31.1.167:8080 and Draw.IO loads just fine.


@ssddanbrown commented on GitHub (Jul 14, 2024):

Sure, I was just saying that we attempt to handle this so you shouldn't have to set the iframe sources, but we currently don't handle custom defined ports.

I've now fixed port handling via 897bb338f9, with testing to cover, which will be part of the next patch release so I'll therefore close this off.

Not sure why your custom ALLOWED_IFRAME_SOURCES additions did not work, since I could work around this on my dev instance via this method, but it could be down to browser specifics or configuration changes not taking place when expected.

If you still have issues after the next patch release feel free to still comment here for further investigation.

Reference: starred/BookStack#4861