Bug: CSP connect-src 'self' blocks Zoho API calls (when ZOHO_ENABLED=true) #129

Closed
opened 2026-05-17 21:28:01 -05:00 by null · 0 comments
Owner

Problem

The Helmet CSP connect-src directive is set to ['self']. This restricts all XHR/fetch calls to the same origin only.

When ZOHO_ENABLED=true, the SERVER makes outbound calls to Zoho APIs (accounts.zoho.com, www.zohoapis.com). These are server-side calls (not browser), so CSP does NOT affect them.

However, if any client-side Zoho integration is ever added (e.g., Zoho SalesIQ chat widget), CSP connect-src would block it.

This is NOT currently a bug — Zoho calls are server-side. But it's worth noting for future planning.

Fix

No immediate fix needed. If a client-side Zoho widget is added in the future, add the Zoho domains to connect-src:

```
connectSrc: ["'self'", "https://www.zohoapis.com", "https://accounts.zoho.com"]
```

Files

  • server/index.js — CSP directives

Severity

Low — not currently broken, but will block future client-side Zoho integrations
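As an added illustration of the point the issue makes (not code from the Queue-North-Website repo), the snippet below models how a browser evaluates `connect-src` against a fetch destination and what the proposed directive change would permit. The page origin `https://queue-north.example` is a placeholder assumption; the Zoho origins are the ones named in the issue.

```javascript
// Added example, not code from the Queue-North-Website repo. Models the part of CSP
// the issue discusses: how the browser checks connect-src for fetch/XHR targets.
// Assumption: the site's own origin is https://queue-north.example (placeholder).

// Helmet-style directive set. connectSrc gains the Zoho origins only when a
// client-side Zoho integration is enabled. Server-side Zoho calls never pass
// through the browser, so this policy does not gate them at all.
function buildDirectives({ clientSideZoho = false } = {}) {
  const connectSrc = ["'self'"];
  if (clientSideZoho) {
    connectSrc.push("https://www.zohoapis.com", "https://accounts.zoho.com");
  }
  return { defaultSrc: ["'self'"], connectSrc };
}

// Serialize directives into the header value Helmet would send
// (camelCase key -> kebab-case directive name).
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([k, v]) => `${k.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase())} ${v.join(" ")}`)
    .join("; ");
}

// One source expression vs. one request URL. Only the forms the issue uses are
// modelled: 'self' and explicit scheme://host[:port] origins.
function sourceMatches(source, pageOrigin, requestUrl) {
  const req = new URL(requestUrl);
  if (source === "'self'") return req.origin === new URL(pageOrigin).origin;
  const src = new URL(source);
  return src.protocol === req.protocol && src.hostname === req.hostname && src.port === req.port;
}

// Would a script running on pageOrigin be allowed to fetch requestUrl?
// connect-src governs fetch/XHR/WebSocket; if absent, default-src applies.
function connectAllowed(directives, pageOrigin, requestUrl) {
  const list = directives.connectSrc ?? directives.defaultSrc ?? [];
  return list.some((s) => sourceMatches(s, pageOrigin, requestUrl));
}

const PAGE = "https://queue-north.example"; // placeholder origin, not the real site
const ZOHO_API = "https://www.zohoapis.com/crm/v2/Leads"; // constructed sample URL

// Current config: a browser-side Zoho widget call would be blocked.
console.log(connectAllowed(buildDirectives(), PAGE, ZOHO_API)); // false
// With the change proposed in the issue: allowed.
console.log(connectAllowed(buildDirectives({ clientSideZoho: true }), PAGE, ZOHO_API)); // true
console.log(serializeCsp(buildDirectives({ clientSideZoho: true })));
```

Same-origin calls pass under both configurations, and an `http://` request to a Zoho host still fails because the scheme is part of the source expression.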

null closed this issue 2026-05-17 22:33:44 -05:00
Reference: null/Queue-North-Website#129