Fetch API in Macros Strips Authorization Header on Cross-Origin Requests

Do you want to: Report a bug
Description:

Summary:
When using the fetch() API within a document macro to make a request to an external, cross-origin API, the Authorization header is being stripped from the outgoing request. This makes it impossible to authenticate with any external service that requires a bearer token or similar authorization header, resulting in a 401 Unauthorized error from the server.

Steps to Reproduce:

  1. Create any document in the OnlyOffice Desktop Editor.

  2. Go to the Plugins tab and click Macros.

  3. Create a new macro and paste the following code:

(I tried it against my own api but I’m providing a public api example)

curl:

    curl --request GET \
         --url 'https://api.themoviedb.org/3/movie/11' \
         --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiI5NWY3YjEzMDU5Yjc3Y2Y0NzdjZDQ0YzgwMWNjY2Y5ZCIsIm5iZiI6MTcwMTIzMDQ4NS40NDMsInN1YiI6IjY1NjZiNzk1ODlkOTdmMDBhYjE2MzdkMiIsInNjb3BlcyI6WyJhcGlfcmVhZCJdLCJ2ZXJzaW9uIjoxfQ.CEIa1g1K99ABHBLBuT4jEhseSZaYmEeuxkDWalnIC0s'

macro:

    (async function() {
        try {
            // This fetch call uses a standard Bearer Token for a public API
            const response = await fetch('https://api.themoviedb.org/3/movie/11', {
                method: 'GET',
                headers: {
                    'Authorization': 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiI5NWY3YjEzMDU5Yjc3Y2Y0NzdjZDQ0YzgwMWNjY2Y5ZCIsIm5iZiI6MTcwMTIzMDQ4NS40NDMsInN1YiI6IjY1NjZiNzk1ODlkOTdmMDBhYjE2MzdkMiIsInNjb3BlcyI6WyJhcGlfcmVhZCJdLCJ2ZXJzaW9uIjoxfQ.CEIa1g1K99ABHBLBuT4jEhseSZaYmEeuxkDWalnIC0s'
                }
            });

            const responseText = await response.text();
            
            // Expected status: 200
            // Actual status: 401
            console.log('Status:', response.status); 

            // The response will be an authentication error from the server
            console.log('Response:', responseText);

        } catch (error) {
            console.error('Error during fetch:', error.message);
        }
    })();

  4. Open the developer tools for the OnlyOffice Desktop Editor to monitor network traffic.

  5. Run the macro.

  6. Observe the network request sent to https://api.themoviedb.org.

Expected Behavior:

The HTTP request should be sent with the Authorization header included, exactly as specified in the macro’s headers object. The MovieDB server should receive the bearer token, validate it, and return a 200 OK status with the movie data.

Actual Behavior:

The Authorization header is completely missing from the actual HTTP request that is sent. The server does not receive the authentication token and correctly returns a 401 Unauthorized error.

Evidence (Observed Request Headers):

The following headers are what the server actually receives from the OnlyOffice client. As you can see, the Authorization header is not present.

    :authority: api.themoviedb.org
    :method: GET
    :path: /3/movie/11
    :scheme: https
    accept: */*
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    origin: file://
    sec-ch-ua: "Chromium";v="109"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Mac OS X"
    sec-fetch-dest: empty
    sec-fetch-mode: cors
    sec-fetch-site: cross-site
    user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 AscDesktopEditor/9.0.3.29 Safari/537.36

Environment:

  • Product: OnlyOffice Desktop Editors

  • Version: 9.0.3.29 (based on User-Agent string)

  • Operating System: macOS

  • Request Context: The request originates from file://, indicating a local document context making a cross-site request.

This behavior appears to be caused by a security policy within the editor’s underlying framework that is too aggressively stripping headers for cross-site requests. This prevents macros from integrating with a vast number of modern, secure, token-based web APIs and is a significant limitation for developers wishing to extend OnlyOffice functionality.

OS version: I tried MacOS Sequoia 15.5 (Chip M) and Windows 11 latest edition
App version: Mac 9.0.3 - Windows Online installer (For Windows 11 / 10 / 8.1 / 8 / 7) Version: 2.0.0
Downloaded from: ONLYOFFICE website
Additional information:
If I run the macro from the only editor (Angular) it works without problem.

Angular

Extra file cuz I’m new in the community

MacOS
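
Added example, not part of the original report and not ONLYOFFICE code: a local Node.js endpoint that records, from the server side, whether a cross-origin request from the macro arrives with an Authorization header and whether a CORS preflight came first, so the check can be run with a dummy token instead of a real one. The function names, port 8089 and the `--listen` flag are assumptions chosen for this sketch.

```javascript
// Added diagnostic sketch; not ONLYOFFICE code. Port 8089 and --listen are arbitrary.

// Keep only the auth scheme so tokens never reach the log.
function redact(value) {
  return `${String(value).split(' ')[0]} <redacted>`;
}

// Summarise what the server side actually received for one request.
function inspectRequest(method, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const asked = (h['access-control-request-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  return {
    origin: h['origin'] || null,
    // Authorization is not CORS-safelisted, so browsers send OPTIONS first.
    isPreflight: method === 'OPTIONS' && 'access-control-request-method' in h,
    preflightAsksForAuthorization: asked.includes('authorization'),
    authorizationPresent: 'authorization' in h,
    authorization: 'authorization' in h ? redact(h['authorization']) : null,
  };
}

// Response headers that allow a cross-origin GET carrying Authorization.
// Echoing the Origin back is acceptable only for a local test endpoint.
function corsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin || '*',
    'Access-Control-Allow-Methods': 'GET, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization',
    'Vary': 'Origin',
  };
}

// Local endpoint: answers the preflight, then 200/401 depending on the header.
async function listen(port) {
  const http = await import('node:http');
  return http.createServer((req, res) => {
    const report = inspectRequest(req.method, req.headers);
    console.log(JSON.stringify(report));
    const cors = corsHeaders(report.origin);
    if (report.isPreflight) { res.writeHead(204, cors); res.end(); return; }
    const status = report.authorizationPresent ? 200 : 401;
    res.writeHead(status, { ...cors, 'Content-Type': 'application/json' });
    res.end(JSON.stringify(report));
  }).listen(port, '127.0.0.1');
}

if (process.argv.includes('--listen')) listen(8089);
```

Run the file with `--listen`, point the macro's `fetch` at `http://127.0.0.1:8089/` with a dummy bearer value, and compare the logged lines for the desktop and online editors.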