Custom plugin using URLStreamHandlerWithContext blocking connection as untrusted

[trentono]

Hello,
We have been using a custom plugin for Oxygen XML Editor to load our XML data that extends URLStreamHandlerWithContext, and recently (seems to be after upgrading to v 26.0) the connection from this plugin has been blocked as untrusted. This is the error message we receive (url redacted):

Connection to https://xxxxx.xxxxx.xxxxx.com/vx/xxxxx/ ... c5551/xxxx was blocked because it is not configured as a trusted host.

Strangely, we only see this issue in our production environment. All of our pre-production environments don't have this issue.

As a workaround, we have been adding our host to the allowed hosts list on the Administration page. However, this is not a great long term solution as we have to adjust this config after each deploy (and we're running Oxygen in an AWS ECS task, which AWS may destroy/create automatically at any time).

From the documentation, I can see that:

Plugins can specify whether a connection is allowed or denied, regardless of whether or not they are listed in the Security tab of the Administration Page.

However, I can't find anywhere in the documentation that says where or how a plugin would specify this. Is the fact that the plugin uses a specific URL for a connection supposed to implicitly trust that host? Or, in addition to our custom URLStreamHandlerWithContext plugin, should we be creating a custom TrustedHostsProviderExtension with the same hosts listed that our other plugin uses?

Thanks,
Trent Olson

[Radu]

Hi Trent,
Is this question about the Oxygen standalone/desktop product or the Oxygen in-browser WebAuthor product?
Based on the forum category in which you posted I assume you are using the Oxygen standalone/desktop product. I think we've had this check for remote connections made by Oxygen for a number of years now. Usually in such cases Oxygen shows a popup dialog allowing you to define the URL as trusted.

About this userguide content you quoted:

Plugins can specify whether a connection is allowed or denied, regardless of whether or not they are listed in the Security tab of the Administration Page.

This is from the Oxygen in-browser web author distribution which is a totally different product than Oxygen XML Author/Editor desktop:
https://www.oxygenxml.com/doc/versions/ ... ation.html

The TrustedHostsProviderExtension is overall a good solution in order to take control in your Oxygen plugin over which hosts are trusted and which are not.

Regards,
Radu

[trentono]

Thanks for the reply, Radu.

Is this question about the Oxygen standalone/desktop product or the Oxygen in-browser WebAuthor product?

This is a question about the in-browser Oxygen XML Editor. The forum category isn't very clear on desktop vs embedded in-browser (or maybe the product names aren't very clear), at least to me. Should I post this question elsewhere? Where would you suggest?

Regardless, from the below:

The TrustedHostsProviderExtension is overall a good solution in order to take control in your Oxygen plugin over which hosts are trusted and which are not.

It seems you would recommend using the TrustedHostsProviderExtension for our issue?

Thanks,
Trent

[Radu]

Hi Trent,
A good more targeted where to post webauthor related questions is here:
common-problems-f34/
Indeed looking at our code the TrustedHostsProviderExtension plugin extension point should work as well for WebAuthor.
Regards,
Radu