diff --git a/modules/ROOT/pages/editor-and-features.adoc b/modules/ROOT/pages/editor-and-features.adoc index 8868ce3fe3..c30733b44c 100644 --- a/modules/ROOT/pages/editor-and-features.adoc +++ b/modules/ROOT/pages/editor-and-features.adoc @@ -54,17 +54,17 @@ include::partial$misc/premium-plugin-list.adoc[] include::partial$misc/admon-cloud-configured-options.adoc[] -=== Step 4: Forward proxy configuration +=== Step 4: Forward proxy and firewall configuration -Ensure that the following URLs are accessible via this proxy if the network has a forward proxy that controls access to the internet. +If the network has a firewall or forward proxy that controls access to the internet, ensure that the following URLs are accessible: * All URLs where the editor is deployed. * All URLs where the plugins are deployed. -* +https://imageproxy.tiny.cloud+ -* +https://hyperlinking.tiny.cloud+ -* +https://spelling.tiny.cloud+ +* `+*.tiny.cloud+` — covers all {cloudname} services, including the image proxy, link checker, spell checker, AI, and document converters. -Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the list of above URLs. +Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the above URLs. + +For the full list of {cloudname} service domains and required headers, see xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting]. === Step 5: Specifying a translation diff --git a/modules/ROOT/pages/exportpdf.adoc b/modules/ROOT/pages/exportpdf.adoc index 07031040a9..0455a28ab7 100644 --- a/modules/ROOT/pages/exportpdf.adoc +++ b/modules/ROOT/pages/exportpdf.adoc @@ -55,6 +55,7 @@ For more infomation on the exportpdf_token_provider option, see xref:exportpdf.a include::partial$misc/admon-jwt-authentication-requirements.adoc[] +include::partial$misc/admon-cloud-firewall.adoc[] == Basic setup using the self-hosted service 
diff --git a/modules/ROOT/pages/exportword.adoc b/modules/ROOT/pages/exportword.adoc index 307f1606a9..f4444b888a 100644 --- a/modules/ROOT/pages/exportword.adoc +++ b/modules/ROOT/pages/exportword.adoc @@ -54,6 +54,7 @@ For more infomation on the exportword_token_provider option, see xref:exportword include::partial$misc/admon-jwt-authentication-requirements.adoc[] +include::partial$misc/admon-cloud-firewall.adoc[] == Basic setup using the self-hosted service diff --git a/modules/ROOT/pages/features-only.adoc b/modules/ROOT/pages/features-only.adoc index 119c657ffd..e265deb4d9 100644 --- a/modules/ROOT/pages/features-only.adoc +++ b/modules/ROOT/pages/features-only.adoc @@ -55,14 +55,14 @@ The following is a complete example, where: ---- -== Step 3: Forward proxy configuration +== Step 3: Forward proxy and firewall configuration -Ensure that the following URLs are accessible via this proxy if the network has a forward proxy that controls access to the internet. +If the network has a firewall or forward proxy that controls access to the internet, ensure that the following URLs are accessible: * All URLs where the editor is deployed. * All URLs where the plugins are deployed. -* +https://imageproxy.tiny.cloud+ -* +https://hyperlinking.tiny.cloud+ -* +https://spelling.tiny.cloud+ +* `+*.tiny.cloud+` — covers all {cloudname} services, including the image proxy, link checker, spell checker, AI, and document converters. -Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the list of above URLs. +Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the above URLs. + +For the full list of {cloudname} service domains and required headers, see xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting]. diff --git a/modules/ROOT/pages/importword.adoc b/modules/ROOT/pages/importword.adoc index b991d58a44..fd226877ec 100644 --- a/modules/ROOT/pages/importword.adoc 
+++ b/modules/ROOT/pages/importword.adoc @@ -47,6 +47,7 @@ For more infomation on the importword_token_provider option, see xref:importword include::partial$misc/admon-jwt-authentication-requirements.adoc[] +include::partial$misc/admon-cloud-firewall.adoc[] == Basic setup using the self-hosted service diff --git a/modules/ROOT/pages/tinymce-and-csp.adoc b/modules/ROOT/pages/tinymce-and-csp.adoc index 2e8042c5b9..a0426db8fb 100644 --- a/modules/ROOT/pages/tinymce-and-csp.adoc +++ b/modules/ROOT/pages/tinymce-and-csp.adoc 
@@ -1,10 +1,45 @@ -= The TinyMCE Content Security Policy guide += {productname} Content Security Policy and allowed domains :navtitle: Content Security Policies (CSP) -:description: Information and options related to using TinyMCE with a Content Security Policy (CSP) -:keywords: security, csp +:description: Content Security Policy directives, firewall allowlisting, and proxy configuration for {productname} and {cloudname} services +:keywords: security, csp, firewall, allowlist, proxy, whitelist include::partial$misc/general-csp.adoc[] +[[firewall-and-proxy-allowlisting]] +== Firewall and proxy allowlisting + +Organizations operating behind a firewall or forward proxy that restricts outbound internet access must allowlist {cloudname} domains. {productname} cloud-hosted features require the browser to make outbound HTTPS requests to these domains; no inbound access from {cloudname} is required. + +[[required-domains]] +=== Required domains + +Allowlist the following wildcard domain to cover all {cloudname} services: + +`+*.tiny.cloud+` + +This single entry covers all cloud-hosted services, including but not limited to: + +* Editor loading and plugin delivery (`+cdn.tiny.cloud+`) +* xref:tinymceai.adoc[TinyMCE AI] (`+tinymceai.api.tiny.cloud+`) +* xref:importword.adoc[Import from Word] (`+importdocx.api.tiny.cloud+`) +* xref:exportword.adoc[Export to Word] (`+exportdocx.api.tiny.cloud+`) +* xref:exportpdf.adoc[Export to PDF] (`+exportpdf.api.tiny.cloud+`) +* Image proxy (`+imageproxy.tiny.cloud+`) +* Link checking (`+hyperlinking.tiny.cloud+`) +* Spell checking (`+spelling.tiny.cloud+`) + +NOTE: Self-hosted deployments that do not connect to any {cloudname} services do not require this allowlisting. For self-hosted services such as on-premises document converters or AI, allowlist the domain where the self-hosted service is running instead. 
+ +[[required-http-headers]] +=== Required HTTP headers + +Ensure the proxy retains (does not strip) the following HTTP headers on requests to `+*.tiny.cloud+` domains: + +* `+tiny-api-key+` +* `+tinymce-api-key+` + +These headers are required for API key validation and service authentication. + == Content Security Policy related options include::partial$configuration/content_security_policy.adoc[leveloffset=+1] diff --git a/modules/ROOT/pages/tinymceai.adoc b/modules/ROOT/pages/tinymceai.adoc index d8d3be3a3c..cd8b7bbef4 100644 --- a/modules/ROOT/pages/tinymceai.adoc +++ b/modules/ROOT/pages/tinymceai.adoc @@ -27,6 +27,8 @@ To set up the {pluginname} plugin in {productname}: * configure the `tinymceai_token_provider` option to provide authentication tokens (must return `+{ token: string }+`). During a {cloudname} trial, the xref:tinymceai-jwt-authentication-intro.adoc#trial-demo-identity-service[demo identity service] can supply JWTs so a custom token endpoint is not required; * when the `toolbar` option is omitted or left at the default, the Silver theme toolbar already includes the AI toolbar buttons once the plugin is enabled: `+tinymceai-chat+` image:icons-premium/ai-assistant.svg[Chat icon,24px], `+tinymceai-quickactions+` image:icons/ai-prompt.svg[Quick Actions icon,24px], and `+tinymceai-review+` image:icons-premium/ai-review.svg[Review icon,24px]. When a custom `toolbar` string is set, add those button ids to the string explicitly. +include::partial$misc/admon-cloud-firewall.adoc[] + [[minimal-setup]] === Minimal setup diff --git a/modules/ROOT/partials/misc/admon-cloud-firewall.adoc b/modules/ROOT/partials/misc/admon-cloud-firewall.adoc new file mode 100644 index 0000000000..b3c8383610 --- /dev/null +++ b/modules/ROOT/partials/misc/admon-cloud-firewall.adoc 
@@ -0,0 +1 @@ +NOTE: When using the cloud-hosted service behind a firewall or forward proxy, ensure `+*.tiny.cloud+` is allowlisted and that required HTTP headers are not stripped. See xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting] for details.
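Review bot: in the Step 4 hunk of editor-and-features.adoc (and the identical Step 3 hunk of features-only.adoc) the rewritten sentence "Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the above URLs" now applies to a list whose first two entries are the customer's own editor and plugin URLs, while the new "Required HTTP headers" section in tinymce-and-csp.adoc scopes those headers to `+*.tiny.cloud+` only. Since the headers carry the API key, suggest matching that narrower wording here, e.g. "...are retained on requests to `+*.tiny.cloud+` domains", so the guide does not read as advice to forward API-key headers to unrelated hosts.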
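Review bot: in the "Required domains" hunk of tinymce-and-csp.adoc the list is introduced as "including but not limited to", yet every page that links here describes it as "the full list of {cloudname} service domains and required headers"; one of the two should change so the xref does not promise an exhaustive list the section disclaims. Since the section already enumerates the individual hostnames (`+cdn.tiny.cloud+`, `+tinymceai.api.tiny.cloud+`, `+imageproxy.tiny.cloud+` and so on), it would also help egress-policy owners who cannot accept a wildcard rule to state whether allowlisting those named hosts individually is supported, or whether further hosts under `+*.tiny.cloud+` may be contacted.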
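Review bot: in the tinymceai.adoc hunk the new `include::partial$misc/admon-cloud-firewall.adoc[]` line follows the last `toolbar` bullet directly, and the hunk as shown does not make clear whether a blank context line separates them; AsciiDoc treats a paragraph that directly follows a list item as part of that item, so the NOTE admonition would render inside the bullet rather than as a standalone callout. Please confirm a blank line precedes the include (the added blank line after it is present).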
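Review bot: in the new admon-cloud-firewall.adoc partial the NOTE says "required HTTP headers are not stripped" without naming them; since this partial is what readers of exportpdf.adoc, exportword.adoc, importword.adoc and tinymceai.adoc will see, naming `+tiny-api-key+` and `+tinymce-api-key+` inline (as the Step 4 hunk does) gives the actionable detail without requiring the xref. Separately, the unchanged context line "For more infomation on the ..._token_provider option" in the exportpdf, exportword and importword hunks carries the same typo ("infomation"); worth fixing in a follow-up while these pages are being touched.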