Error in chromium browsers - TrustedHTML

[JocularMarrow]

Hello,

Having some issues with self-hosted outline. On browsers running chromium we get this error after login with google OAuth TypeError: Failed to set the 'innerHTML' property on 'Element': This document requires 'TrustedHTML' assignment.. It works on firefox so I assume this has something to do with chromium.

Our reverse proxy settings in case the issue lies there.
openresty.conf:

server {
    listen 443 ssl;
    http2 on;

    server_name outline.example.com;

    ssl_certificate path/to/crt;
    ssl_certificate_key path/to/crt;

    location / {
        proxy_set_header Host $host;
        proxy_set_header Host $http_host;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://outline/;
        proxy_next_upstream timeout;
        proxy_next_upstream_tries 2;
        proxy_connect_timeout 5s;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
        proxy_redirect off;
    }
}

Not sure what can cause this, any help is appreciated.

[tommoor]

I've never seen such an error in all the years of working on this, are you sure that's the error causing the issue?

[JocularMarrow]

Hey,

Yeah that is what I get as error after loading in. Gonna add a picture of it here:

Then I'm also gonna share the console logs, actually when looking at them I found this ws error: websocket.js:122 WebSocket connection to 'wss://outline.example.com/realtime/?EIO=4&transport=websocket' failed: WebSocket is closed before the connection is established. Might be something.

console logs:
outline.example.com-1712340714333.log

Edit: removed domain...

[JocularMarrow]

Solution:

add_header X-XSS-Protection          "1; mode=block" always;
add_header X-Content-Type-Options    "nosniff" always;
add_header Referrer-Policy           "no-referrer-when-downgrade" always;
add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy        "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Chrome needs these content security policy headers to work, added them in my Nginx and now it all works :)