Oxygen XML Forum

Hello,
We have been using a custom plugin for Oxygen XML Editor to load our XML data that extends URLStreamHandlerWithContext, and recently (seems to be after upgrading to v 26.0) the connection from this plugin has been blocked as untrusted. This is the error message we receive (url redacted):

Connection to https://xxxxx.xxxxx.xxxxx.com/vx/xxxxx/ ... c5551/xxxx was blocked because it is not configured as a trusted host.

Strangely, we only see this issue in our production environment. All of our pre-production environments don't have this issue.

As a workaround, we have been adding our host to the allowed hosts list on the Administration page. However, this is not a great long term solution as we have to adjust this config after each deploy (and we're running Oxygen in an AWS ECS task, which AWS may destroy/create automatically at any time).

From the documentation, I can see that:

Plugins can specify whether a connection is allowed or denied, regardless of whether or not they are listed in the Security tab of the Administration Page.

However, I can't find anywhere in the documentation that says where or how a plugin would specify this. Is the fact that the plugin uses a specific URL for a connection supposed to implicitly trust that host? Or, in addition to our custom URLStreamHandlerWithContext plugin, should we be creating a custom TrustedHostsProviderExtension with the same hosts listed that our other plugin uses?

Thanks,
Trent Olson

Hello,

Thank you for contacting us.
You can view the post here [1], where my colleague, Radu, managed to respond:

The TrustedHostsProviderExtension is overall a good solution in order to take control in your Oxygen plugin over which hosts are trusted and which are not.

[1] viewtopic.php?p=74182#p74182

Best,
Cosmin