From 3fea2663d8dea2572f7d1d7b6810323a80875e82 Mon Sep 17 00:00:00 2001 From: Karl Kemister-Sheppard Date: Thu, 14 May 2026 14:05:03 +1000 Subject: [PATCH 1/4] DOC-3506: Add firewall whitelist instructions to AI and Doc Converters docs --- modules/ROOT/pages/editor-and-features.adoc | 10 ++--- modules/ROOT/pages/exportword.adoc | 2 + modules/ROOT/pages/features-only.adoc | 10 ++--- modules/ROOT/pages/importword.adoc | 2 + modules/ROOT/pages/tinymce-and-csp.adoc | 40 +++++++++++++++++-- modules/ROOT/pages/tinymceai.adoc | 2 + .../partials/misc/admon-cloud-firewall.adoc | 1 + 7 files changed, 54 insertions(+), 13 deletions(-) create mode 100644 modules/ROOT/partials/misc/admon-cloud-firewall.adoc diff --git a/modules/ROOT/pages/editor-and-features.adoc b/modules/ROOT/pages/editor-and-features.adoc index 8868ce3fe3..166ae2a668 100644 --- a/modules/ROOT/pages/editor-and-features.adoc +++ b/modules/ROOT/pages/editor-and-features.adoc 
@@ -56,15 +56,15 @@ include::partial$misc/admon-cloud-configured-options.adoc[] === Step 4: Forward proxy configuration -Ensure that the following URLs are accessible via this proxy if the network has a forward proxy that controls access to the internet. +If the network has a forward proxy that controls access to the internet, ensure that the following URLs are accessible: * All URLs where the editor is deployed. * All URLs where the plugins are deployed. -* +https://imageproxy.tiny.cloud+ -* +https://hyperlinking.tiny.cloud+ -* +https://spelling.tiny.cloud+ +* `+*.tiny.cloud+` — covers all {cloudname} services, including the image proxy, link checker, spell checker, AI, and document converters. -Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the list of above URLs. +Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the above URLs. + +For the full list of {cloudname} service domains and required headers, see xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting]. === Step 5: Specifying a translation diff --git a/modules/ROOT/pages/exportword.adoc b/modules/ROOT/pages/exportword.adoc index 307f1606a9..93bac5c9c0 100644 --- a/modules/ROOT/pages/exportword.adoc +++ b/modules/ROOT/pages/exportword.adoc 
@@ -11,6 +11,8 @@ include::partial$misc/admon-export-word-paid-addon-pricing.adoc[] +include::partial$misc/admon-cloud-firewall.adoc[] + The export to Microsoft Word feature collects the HTML generated with the `tinymce.editor.getContent()` method and combines it with the default editor content styles along with the styles provided in the plugin configuration. The combined content and styles are then processed by the included server-side converter service, which can be either self-hosted or cloud-based. Following this processing, a Word file is generated, which is subsequently returned to the user's browser, enabling them to save it in the Word format onto their disk or drive. == Interactive example diff --git a/modules/ROOT/pages/features-only.adoc b/modules/ROOT/pages/features-only.adoc index 119c657ffd..79eeccc682 100644 --- a/modules/ROOT/pages/features-only.adoc +++ b/modules/ROOT/pages/features-only.adoc 
@@ -57,12 +57,12 @@ The following is a complete example, where: == Step 3: Forward proxy configuration -Ensure that the following URLs are accessible via this proxy if the network has a forward proxy that controls access to the internet. +If the network has a forward proxy that controls access to the internet, ensure that the following URLs are accessible: * All URLs where the editor is deployed. * All URLs where the plugins are deployed. -* +https://imageproxy.tiny.cloud+ -* +https://hyperlinking.tiny.cloud+ -* +https://spelling.tiny.cloud+ +* `+*.tiny.cloud+` — covers all {cloudname} services, including the image proxy, link checker, spell checker, AI, and document converters. -Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the list of above URLs. +Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the above URLs. + +For the full list of {cloudname} service domains and required headers, see xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting]. diff --git a/modules/ROOT/pages/importword.adoc b/modules/ROOT/pages/importword.adoc index b991d58a44..566aaf18d4 100644 --- a/modules/ROOT/pages/importword.adoc +++ b/modules/ROOT/pages/importword.adoc @@ -13,6 +13,8 @@ include::partial$misc/admon-import-word-paid-addon-pricing.adoc[] The {pluginname} plugin lets you import `.docx` (Word document) or `.dotx` (Word template) files into the editor. The process preserves formatting and rich media. +include::partial$misc/admon-cloud-firewall.adoc[] + == Interactive example liveDemo::importword[] diff --git a/modules/ROOT/pages/tinymce-and-csp.adoc b/modules/ROOT/pages/tinymce-and-csp.adoc index 2e8042c5b9..40302cf628 100644 --- a/modules/ROOT/pages/tinymce-and-csp.adoc +++ b/modules/ROOT/pages/tinymce-and-csp.adoc 
@@ -1,10 +1,44 @@ -= The TinyMCE Content Security Policy guide += {productname} Content Security Policy and allowed domains :navtitle: Content Security Policies (CSP) -:description: Information and options related to using TinyMCE with a Content Security Policy (CSP) -:keywords: security, csp +:description: Content Security Policy directives, firewall allowlisting, and proxy configuration for {productname} and {cloudname} services +:keywords: security, csp, firewall, allowlist, proxy, whitelist include::partial$misc/general-csp.adoc[] +[[firewall-and-proxy-allowlisting]] +== Firewall and proxy allowlisting + +Organizations operating behind a firewall or forward proxy that restricts outbound internet access must allowlist {cloudname} domains for cloud-hosted {productname} features to function. + +[[required-domains]] +=== Required domains + +Allowlist the following wildcard domain to cover all {cloudname} services: + +`+*.tiny.cloud+` + +This single entry covers all cloud-hosted services, including but not limited to: + +* Editor loading and plugin delivery (`+cdn.tiny.cloud+`) +* xref:tinymceai.adoc[TinyMCE AI] (`+tinymceai.api.tiny.cloud+`) +* xref:importword.adoc[Import from Word] (`+importdocx.api.tiny.cloud+`) +* xref:exportword.adoc[Export to Word] (`+exportdocx.api.tiny.cloud+`) +* Image proxy (`+imageproxy.tiny.cloud+`) +* Link checking (`+hyperlinking.tiny.cloud+`) +* Spell checking (`+spelling.tiny.cloud+`) + +NOTE: Self-hosted deployments that do not connect to any {cloudname} services do not require this allowlisting. For self-hosted services such as on-premises document converters or AI, allowlist the domain where the self-hosted service is running instead. + +[[required-http-headers]] +=== Required HTTP headers + +Ensure the proxy retains (does not strip) the following HTTP headers on requests to `+*.tiny.cloud+` domains: + +* `+tiny-api-key+` +* `+tinymce-api-key+` + +These headers are required for API key validation and service authentication. 
+ == Content Security Policy related options include::partial$configuration/content_security_policy.adoc[leveloffset=+1] diff --git a/modules/ROOT/pages/tinymceai.adoc b/modules/ROOT/pages/tinymceai.adoc index d8d3be3a3c..ec1bb38390 100644 --- a/modules/ROOT/pages/tinymceai.adoc +++ b/modules/ROOT/pages/tinymceai.adoc @@ -13,6 +13,8 @@ include::partial$misc/admon-premium-plugin.adoc[] The {pluginname} plugin integrates AI-assisted authoring with rich-text editing. Users can interact through Actions, Reviews, or Conversations that can use relevant context from multiple sources. +include::partial$misc/admon-cloud-firewall.adoc[] + [[interactive-example]] == Interactive example diff --git a/modules/ROOT/partials/misc/admon-cloud-firewall.adoc b/modules/ROOT/partials/misc/admon-cloud-firewall.adoc new file mode 100644 index 0000000000..b3c8383610 --- /dev/null +++ b/modules/ROOT/partials/misc/admon-cloud-firewall.adoc @@ -0,0 +1 @@ +NOTE: When using the cloud-hosted service behind a firewall or forward proxy, ensure `+*.tiny.cloud+` is allowlisted and that required HTTP headers are not stripped. See xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting] for details. From 5174b9f6f67f993a48189c10134d5cf1a1109417 Mon Sep 17 00:00:00 2001 From: Karl Kemister-Sheppard Date: Thu, 14 May 2026 14:20:45 +1000 Subject: [PATCH 2/4] DOC-3506: Move firewall admonition to cloud setup sections --- modules/ROOT/pages/exportword.adoc | 3 +-- modules/ROOT/pages/importword.adoc | 3 +-- modules/ROOT/pages/tinymceai.adoc | 4 ++-- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/modules/ROOT/pages/exportword.adoc b/modules/ROOT/pages/exportword.adoc index 93bac5c9c0..f4444b888a 100644 --- a/modules/ROOT/pages/exportword.adoc +++ b/modules/ROOT/pages/exportword.adoc 
@@ -11,8 +11,6 @@ include::partial$misc/admon-export-word-paid-addon-pricing.adoc[] -include::partial$misc/admon-cloud-firewall.adoc[] - The export to Microsoft Word feature collects the HTML generated with the `tinymce.editor.getContent()` method and combines it with the default editor content styles along with the styles provided in the plugin configuration. The combined content and styles are then processed by the included server-side converter service, which can be either self-hosted or cloud-based. Following this processing, a Word file is generated, which is subsequently returned to the user's browser, enabling them to save it in the Word format onto their disk or drive. == Interactive example @@ -56,6 +54,7 @@ For more infomation on the exportword_token_provider option, see xref:exportword include::partial$misc/admon-jwt-authentication-requirements.adoc[] +include::partial$misc/admon-cloud-firewall.adoc[] == Basic setup using the self-hosted service diff --git a/modules/ROOT/pages/importword.adoc b/modules/ROOT/pages/importword.adoc index 566aaf18d4..fd226877ec 100644 --- a/modules/ROOT/pages/importword.adoc +++ b/modules/ROOT/pages/importword.adoc @@ -13,8 +13,6 @@ include::partial$misc/admon-import-word-paid-addon-pricing.adoc[] The {pluginname} plugin lets you import `.docx` (Word document) or `.dotx` (Word template) files into the editor. The process preserves formatting and rich media. -include::partial$misc/admon-cloud-firewall.adoc[] - == Interactive example liveDemo::importword[] @@ -49,6 +47,7 @@ For more infomation on the importword_token_provider option, see xref:importword include::partial$misc/admon-jwt-authentication-requirements.adoc[] +include::partial$misc/admon-cloud-firewall.adoc[] == Basic setup using the self-hosted service diff --git a/modules/ROOT/pages/tinymceai.adoc b/modules/ROOT/pages/tinymceai.adoc index ec1bb38390..cd8b7bbef4 100644 --- a/modules/ROOT/pages/tinymceai.adoc +++ b/modules/ROOT/pages/tinymceai.adoc 
@@ -13,8 +13,6 @@ include::partial$misc/admon-premium-plugin.adoc[] The {pluginname} plugin integrates AI-assisted authoring with rich-text editing. Users can interact through Actions, Reviews, or Conversations that can use relevant context from multiple sources. -include::partial$misc/admon-cloud-firewall.adoc[] - [[interactive-example]] == Interactive example @@ -29,6 +27,8 @@ To set up the {pluginname} plugin in {productname}: * configure the `tinymceai_token_provider` option to provide authentication tokens (must return `+{ token: string }+`). During a {cloudname} trial, the xref:tinymceai-jwt-authentication-intro.adoc#trial-demo-identity-service[demo identity service] can supply JWTs so a custom token endpoint is not required; * when the `toolbar` option is omitted or left at the default, the Silver theme toolbar already includes the AI toolbar buttons once the plugin is enabled: `+tinymceai-chat+` image:icons-premium/ai-assistant.svg[Chat icon,24px], `+tinymceai-quickactions+` image:icons/ai-prompt.svg[Quick Actions icon,24px], and `+tinymceai-review+` image:icons-premium/ai-review.svg[Review icon,24px]. When a custom `toolbar` string is set, add those button ids to the string explicitly. +include::partial$misc/admon-cloud-firewall.adoc[] + [[minimal-setup]] === Minimal setup From 3a497cadb14f44abfc81a398bc742c7c90c64010 Mon Sep 17 00:00:00 2001 From: Karl Kemister-Sheppard Date: Thu, 14 May 2026 14:55:47 +1000 Subject: [PATCH 3/4] DOC-3506: Add firewall admonition to Export to PDF and include its service domain --- modules/ROOT/pages/exportpdf.adoc | 1 + modules/ROOT/pages/tinymce-and-csp.adoc | 1 + 2 files changed, 2 insertions(+) diff --git a/modules/ROOT/pages/exportpdf.adoc b/modules/ROOT/pages/exportpdf.adoc index 07031040a9..0455a28ab7 100644 --- a/modules/ROOT/pages/exportpdf.adoc +++ b/modules/ROOT/pages/exportpdf.adoc 
@@ -55,6 +55,7 @@ For more infomation on the exportpdf_token_provider option, see xref:exportpdf.a include::partial$misc/admon-jwt-authentication-requirements.adoc[] +include::partial$misc/admon-cloud-firewall.adoc[] == Basic setup using the self-hosted service diff --git a/modules/ROOT/pages/tinymce-and-csp.adoc b/modules/ROOT/pages/tinymce-and-csp.adoc index 40302cf628..f60ba9e6cf 100644 --- a/modules/ROOT/pages/tinymce-and-csp.adoc +++ b/modules/ROOT/pages/tinymce-and-csp.adoc @@ -23,6 +23,7 @@ This single entry covers all cloud-hosted services, including but not limited to * xref:tinymceai.adoc[TinyMCE AI] (`+tinymceai.api.tiny.cloud+`) * xref:importword.adoc[Import from Word] (`+importdocx.api.tiny.cloud+`) * xref:exportword.adoc[Export to Word] (`+exportdocx.api.tiny.cloud+`) +* xref:exportpdf.adoc[Export to PDF] (`+exportpdf.api.tiny.cloud+`) * Image proxy (`+imageproxy.tiny.cloud+`) * Link checking (`+hyperlinking.tiny.cloud+`) * Spell checking (`+spelling.tiny.cloud+`) From dea7fb000296c12689fbfb0665633504f1110478 Mon Sep 17 00:00:00 2001 From: Karl Kemister-Sheppard Date: Thu, 14 May 2026 14:58:55 +1000 Subject: [PATCH 4/4] DOC-3506: Address review - clarify firewall scope and outbound-only requirement --- modules/ROOT/pages/editor-and-features.adoc | 4 ++-- modules/ROOT/pages/features-only.adoc | 4 ++-- modules/ROOT/pages/tinymce-and-csp.adoc | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/ROOT/pages/editor-and-features.adoc b/modules/ROOT/pages/editor-and-features.adoc index 166ae2a668..c30733b44c 100644 --- a/modules/ROOT/pages/editor-and-features.adoc +++ b/modules/ROOT/pages/editor-and-features.adoc 
@@ -54,9 +54,9 @@ include::partial$misc/premium-plugin-list.adoc[] include::partial$misc/admon-cloud-configured-options.adoc[] -=== Step 4: Forward proxy configuration +=== Step 4: Forward proxy and firewall configuration -If the network has a forward proxy that controls access to the internet, ensure that the following URLs are accessible: +If the network has a firewall or forward proxy that controls access to the internet, ensure that the following URLs are accessible: * All URLs where the editor is deployed. * All URLs where the plugins are deployed. diff --git a/modules/ROOT/pages/features-only.adoc b/modules/ROOT/pages/features-only.adoc index 79eeccc682..e265deb4d9 100644 --- a/modules/ROOT/pages/features-only.adoc +++ b/modules/ROOT/pages/features-only.adoc @@ -55,9 +55,9 @@ The following is a complete example, where: ---- -== Step 3: Forward proxy configuration +== Step 3: Forward proxy and firewall configuration -If the network has a forward proxy that controls access to the internet, ensure that the following URLs are accessible: +If the network has a firewall or forward proxy that controls access to the internet, ensure that the following URLs are accessible: * All URLs where the editor is deployed. * All URLs where the plugins are deployed. diff --git a/modules/ROOT/pages/tinymce-and-csp.adoc b/modules/ROOT/pages/tinymce-and-csp.adoc index f60ba9e6cf..a0426db8fb 100644 --- a/modules/ROOT/pages/tinymce-and-csp.adoc +++ b/modules/ROOT/pages/tinymce-and-csp.adoc 
@@ -8,7 +8,7 @@ include::partial$misc/general-csp.adoc[] [[firewall-and-proxy-allowlisting]] == Firewall and proxy allowlisting -Organizations operating behind a firewall or forward proxy that restricts outbound internet access must allowlist {cloudname} domains for cloud-hosted {productname} features to function. +Organizations operating behind a firewall or forward proxy that restricts outbound internet access must allowlist {cloudname} domains. {productname} cloud-hosted features require the browser to make outbound HTTPS requests to these domains; no inbound access from {cloudname} is required. [[required-domains]] === Required domains
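Review bot: In the editor-and-features.adoc hunk of PATCH 1/4 (`@@ -56,15 +56,15 @@`), replacing the three explicit hosts with `+*.tiny.cloud+` widens the egress rule from three named services to every subdomain of tiny.cloud, and some firewalls and forward proxies cannot match wildcard names at all. Keep the wildcard as the simple option, but say in the same paragraph that organisations whose policy requires per-host rules, or whose proxy does not support wildcards, should allowlist the individual hosts listed under `firewall-and-proxy-allowlisting` instead; the added xref sentence currently reads as a pointer to more detail rather than as that narrower alternative.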
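Review bot: The features-only.adoc hunk of PATCH 1/4 (`@@ -57,12 +57,12 @@`) makes the same wildcard substitution as editor-and-features.adoc and needs the same wording: offer the per-host list from the CSP page as the alternative for firewalls that cannot match `+*.tiny.cloud+`, rather than only linking to it as "the full list".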
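Review bot: The admonition include added at the top of exportword.adoc in PATCH 1/4 (`@@ -11,6 +11,8 @@`) is removed again by PATCH 2/4, which moves it into the cloud setup section; the same add-then-remove happens for importword.adoc and tinymceai.adoc. Squash patches 1 and 2 before merging so the history does not carry a placement that never ships.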
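Review bot: In the tinymce-and-csp.adoc hunk of PATCH 1/4 (`@@ -1,10 +1,44 @@`) the Required domains list is introduced with "including but not limited to", which leaves an administrator who cannot use the wildcard without a complete list to copy; either make the list authoritative or state which entries are the minimum. Two smaller points in the same hunk: the page title and `:description:` now cover firewall allowlisting, but `:navtitle:` still reads "Content Security Policies (CSP)", so the new section is hard to find from navigation; and because this section now lives on the CSP page, one sentence noting that the same hosts must also be permitted by the page's own CSP directives (a firewall rule does not help when the browser's policy blocks the request) would tie the two halves of the page together.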
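Review bot: In the exportword.adoc hunk of PATCH 2/4 (`@@ -56,6 +54,7 @@`) the new `include::partial$misc/admon-cloud-firewall.adoc[]` sits directly under `include::partial$misc/admon-jwt-authentication-requirements.adoc[]` with no blank line between them. If the JWT partial does not end with a blank line, the `NOTE:` paragraph from the new partial becomes a continuation of the previous paragraph and is not rendered as an admonition; add an empty line between the two includes, as the tinymceai.adoc hunk in the same patch already does. While touching this region, the context line still reads "For more infomation on the exportword_token_provider option" (typo: information).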
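Review bot: The importword.adoc hunk of PATCH 2/4 (`@@ -49,6 +47,7 @@`) has the same two issues as the exportword.adoc hunk: no blank line between the JWT admonition include and the new firewall admonition include, and the "infomation" typo in the context line.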
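Review bot: The exportpdf.adoc hunk of PATCH 3/4 (`@@ -55,6 +55,7 @@`) repeats the missing blank line between `include::partial$misc/admon-jwt-authentication-requirements.adoc[]` and the new firewall include, with the same risk that the second `NOTE:` is swallowed into the preceding paragraph; separate the two includes with an empty line, and fix "infomation" in the context line while there.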
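Review bot: For the tinymce-and-csp.adoc hunk of PATCH 4/4 (`@@ -8,7 +8,7 @@`), the new sentence correctly states that the requests are outbound HTTPS made by the browser; it would help to add that the "retains (does not strip)" requirement for `+tiny-api-key+` and `+tinymce-api-key+` in the Required HTTP headers section therefore only applies to proxies that terminate and inspect TLS, since a plain CONNECT tunnel cannot see or remove request headers. It is also worth saying explicitly that the allowlist must be applied on the egress path of the end users' browsers, not only on the network hosting the web application, because the sentence makes clear the browser is the client.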