Bug: CSP connect-src 'self' blocks Zoho API calls (when ZOHO_ENABLED=true) #129
Labels
No Label
P0 Critical
P1 High
P2 Medium
P3 Low
accessibility
backend
bug
content
data-integrity
enhancement
frontend
infra
integration
owner
owner-input
performance
performance
phase-7
phase-8
security
seo
ui
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/Queue-North-Website#129
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
The Helmet CSP connect-src directive is set to
['self']. This restricts all XHR/fetch calls to the same origin only.When ZOHO_ENABLED=true, the SERVER makes outbound calls to Zoho APIs (accounts.zoho.com, www.zohoapis.com). These are server-side calls (not browser), so CSP does NOT affect them.
However, if any client-side Zoho integration is ever added (e.g., Zoho SalesIQ chat widget), CSP connect-src would block it.
This is NOT currently a bug — Zoho calls are server-side. But it's worth noting for future planning.
Fix
No immediate fix needed. If a client-side Zoho widget is added in the future, add the Zoho domains to connect-src:
Files
Severity
Low — not currently broken, but will block future client-side Zoho integrations