03-14-2023 12:52 PM
I'm currently working on our upgrade to OnBase 22.1, and was curious to see if anyone has found a way to disable the Desktop Host "discovery" process within the web client?
For reference, the "discovery" process I'm referring to here is that upon logging into the web client, the user's browser will search for the desktop host by making a handful of calls to http[://]127.0.0.1/discovery (stopping early if the Desktop Host is actually installed and running).
This approach isn't dissimilar from other apps that have similar desktop host integrations, however, within our environment, when these calls are made, the Content Security Policy that we have configured on our web server blocks them. This effectively means that every time a user logs into the web client, we get 11 Content Security Policy violation reports.
We could of course add a CSP directive to allow these calls (for those in a similar position who ARE using the desktop host and have a Content Security Policy set, the directive you would need to add is: connect-src http://127.0.0.1:*/discovery), however, as a security best practice, I'd like to avoid adding anything to our CSP that we know is not (technically) needed within our environment at this time - if at all possible.
Thanks!
-Mike
03-16-2023 07:59 AM
Hi
I am reaching out to our Authentication and Security team to provide some advice to answer your question. We will get back to you as soon as we have information or subsequent questions.
Meanwhile, this question is still open for all other community members to provide a potential solution.
Thanks,
~Alan
03-16-2023 09:43 AM
Hi
We suggest that you Create a Support Case with FLOS (first line of support) so that a Support person can work directly with you and R&D to determine if this can be done or this would require an enhancement request.
Meanwhile, this question is still open for all other community members to provide a potential solution.
Thanks!
~Alan
03-16-2023 03:56 PM
Hi
Thanks so much for your help in pointing me in the right direction!
That sounds good -- I will reach out to my FLOS and see what they come back with.
I'll circle back here to this post with our findings, just in case they end up being helpful for anyone else.
Thanks!
-Mike
03-27-2023 07:26 AM
Hi Everyone,
Just to circle back and close the loop here for anyone who might be in the same situation as our organization...
In working with Support and R&D, it is currently not possible to disable the Desktop Host discovery process. The rationale here is that with OnBase 22.1, the Desktop Host has completely replaced the old ActiveX controls.
However, I did create an Idea, asking for the implementation of a new "switch" that will allow administrators to disable this discovery process: https://community.hyland.com/ideas/idea/89326-provide-the-ability-to-disable-the-web-client-desktop-...
For now though, the options are either to (A) add the necessary "connect-src" directive (connect-src http://127.0.0.1:*/discovery or, this can also be limited to the specific ports [these currently appear to be 9938-9949]), or (B) leave the directive off of the CSP, with the understanding that each user who logs in will end up sending a series of CSP reports.
Thanks!
-Mike