DOC-3506: Add firewall whitelist instructions to AI and Doc Converters docs

Author: kemister85

modules/ROOT/pages/editor-and-features.adoc

@@ -56,15 +56,15 @@ include::partial$misc/admon-cloud-configured-options.adoc[]
 
 === Step 4: Forward proxy configuration
 
-Ensure that the following URLs are accessible via this proxy if the network has a forward proxy that controls access to the internet.
+If the network has a forward proxy that controls access to the internet, ensure that the following URLs are accessible:
 
 * All URLs where the editor is deployed.
 * All URLs where the plugins are deployed.
-* +https://imageproxy.tiny.cloud+
-* +https://hyperlinking.tiny.cloud+
-* +https://spelling.tiny.cloud+
+* `+*.tiny.cloud+` — covers all {cloudname} services, including the image proxy, link checker, spell checker, AI, and document converters.
 
-Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the list of above URLs.
+Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the above URLs.
+
+For the full list of {cloudname} service domains and required headers, see xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting].
 
 === Step 5: Specifying a translation
 

modules/ROOT/pages/exportword.adoc

@@ -11,6 +11,8 @@
 
 include::partial$misc/admon-export-word-paid-addon-pricing.adoc[]
 
+include::partial$misc/admon-cloud-firewall.adoc[]
+
 The export to Microsoft Word feature collects the HTML generated with the `tinymce.editor.getContent()` method and combines it with the default editor content styles along with the styles provided in the plugin configuration. The combined content and styles are then processed by the included server-side converter service, which can be either self-hosted or cloud-based. Following this processing, a Word file is generated, which is subsequently returned to the user's browser, enabling them to save it in the Word format onto their disk or drive.
 
 == Interactive example

modules/ROOT/pages/features-only.adoc

@@ -57,12 +57,12 @@ The following is a complete example, where:
 
 == Step 3: Forward proxy configuration
 
-Ensure that the following URLs are accessible via this proxy if the network has a forward proxy that controls access to the internet.
+If the network has a forward proxy that controls access to the internet, ensure that the following URLs are accessible:
 
 * All URLs where the editor is deployed.
 * All URLs where the plugins are deployed.
-* +https://imageproxy.tiny.cloud+
-* +https://hyperlinking.tiny.cloud+
-* +https://spelling.tiny.cloud+
+* `+*.tiny.cloud+` — covers all {cloudname} services, including the image proxy, link checker, spell checker, AI, and document converters.
 
-Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the list of above URLs.
+Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the above URLs.
+
+For the full list of {cloudname} service domains and required headers, see xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting].

modules/ROOT/pages/importword.adoc

@@ -13,6 +13,8 @@ include::partial$misc/admon-import-word-paid-addon-pricing.adoc[]
 
 The {pluginname} plugin lets you import `.docx` (Word document) or `.dotx` (Word template) files into the editor. The process preserves formatting and rich media.
 
+include::partial$misc/admon-cloud-firewall.adoc[]
+
 == Interactive example
 
 liveDemo::importword[]

modules/ROOT/pages/tinymce-and-csp.adoc

@@ -1,10 +1,44 @@
-= The TinyMCE Content Security Policy guide
+= {productname} Content Security Policy and allowed domains
 :navtitle: Content Security Policies (CSP)
-:description: Information and options related to using TinyMCE with a Content Security Policy (CSP)
-:keywords: security, csp
+:description: Content Security Policy directives, firewall allowlisting, and proxy configuration for {productname} and {cloudname} services
+:keywords: security, csp, firewall, allowlist, proxy, whitelist
 
 include::partial$misc/general-csp.adoc[]
 
+[[firewall-and-proxy-allowlisting]]
+== Firewall and proxy allowlisting
+
+Organizations operating behind a firewall or forward proxy that restricts outbound internet access must allowlist {cloudname} domains for cloud-hosted {productname} features to function.
+
+[[required-domains]]
+=== Required domains
+
+Allowlist the following wildcard domain to cover all {cloudname} services:
+
+`+*.tiny.cloud+`
+
+This single entry covers all cloud-hosted services, including but not limited to:
+
+* Editor loading and plugin delivery (`+cdn.tiny.cloud+`)
+* xref:tinymceai.adoc[TinyMCE AI] (`+tinymceai.api.tiny.cloud+`)
+* xref:importword.adoc[Import from Word] (`+importdocx.api.tiny.cloud+`)
+* xref:exportword.adoc[Export to Word] (`+exportdocx.api.tiny.cloud+`)
+* Image proxy (`+imageproxy.tiny.cloud+`)
+* Link checking (`+hyperlinking.tiny.cloud+`)
+* Spell checking (`+spelling.tiny.cloud+`)
+
+NOTE: Self-hosted deployments that do not connect to any {cloudname} services do not require this allowlisting. For self-hosted services such as on-premises document converters or AI, allowlist the domain where the self-hosted service is running instead.
+
+[[required-http-headers]]
+=== Required HTTP headers
+
+Ensure the proxy retains (does not strip) the following HTTP headers on requests to `+*.tiny.cloud+` domains:
+
+* `+tiny-api-key+`
+* `+tinymce-api-key+`
+
+These headers are required for API key validation and service authentication.
+
 == Content Security Policy related options
 
 include::partial$configuration/content_security_policy.adoc[leveloffset=+1]

modules/ROOT/pages/tinymceai.adoc

@@ -13,6 +13,8 @@ include::partial$misc/admon-premium-plugin.adoc[]
 
 The {pluginname} plugin integrates AI-assisted authoring with rich-text editing. Users can interact through Actions, Reviews, or Conversations that can use relevant context from multiple sources.
 
+include::partial$misc/admon-cloud-firewall.adoc[]
+
 [[interactive-example]]
 == Interactive example
 

modules/ROOT/partials/misc/admon-cloud-firewall.adoc

@@ -0,0 +1 @@
+NOTE: When using the cloud-hosted service behind a firewall or forward proxy, ensure `+*.tiny.cloud+` is allowlisted and that required HTTP headers are not stripped. See xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting] for details.