Remove unsave-eval from draw.ios CSP

This commit is contained in:
Wolfgang Ginolas 2023-03-06 15:21:20 +01:00
parent 00f5f536a1
commit 67362fc2b9
2 changed files with 15 additions and 4 deletions


@ -47,6 +47,10 @@ Default.padContentSecurity = function (Env) {
return (Default.commonCSP(Env).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline' resource: " + Env.httpUnsafeOrigin).replace(/\s+/g, ' ');
};
Default.drawioContentSecurity = function (Env) {
return (Default.commonCSP(Env).join('; ') + "script-src 'self' 'unsafe-inline' resource: " + Env.httpUnsafeOrigin).replace(/\s+/g, ' ');
};
Default.httpHeaders = function (Env) {
return {
"X-XSS-Protection": "1; mode=block",
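Review bot: The new `Default.drawioContentSecurity` (the three added lines after `padContentSecurity`) still carries `'unsafe-inline'` in `script-src`, so that page continues to permit arbitrary inline script even though `'unsafe-eval'` is gone, and nothing records why that token is still required. A comment above the function such as `// draw.io still needs 'unsafe-inline' (presumably for inline scripts in its index.html — confirm); 'unsafe-eval' is not required` would keep the remaining exception auditable. Stylistically, the two functions now differ only in their script-src token list, so a shared helper taking that list, e.g. `var withScriptSrc = function (Env, tokens) { return (Default.commonCSP(Env).join('; ') + "script-src " + tokens + " resource: " + Env.httpUnsafeOrigin).replace(/\s+/g, ' '); };`, would stop the `resource:` and origin suffix from drifting between them.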


@ -39,7 +39,6 @@ var EXEMPT = [
/^\/common\/onlyoffice\/.*\.html.*/,
/^\/(sheet|presentation|doc)\/inner\.html.*/,
/^\/unsafeiframe\/inner\.html.*$/,
/^\/bower_components\/drawio\/src\/main\/webapp\/index.html.*$/,
];
var cacheHeaders = function (Env, key, headers) {
@ -62,9 +61,15 @@ var getHeaders = function (Env, type) {
headers = Default.httpHeaders(Env);
}
headers['Content-Security-Policy'] = type === 'office'?
Default.padContentSecurity(Env):
Default.contentSecurity(Env);
var csp;
if (type === 'office') {
csp = Default.padContentSecurity(Env);
} else if (type === 'drawio') {
csp = Default.drawioContentSecurity(Env);
} else {
csp = Default.contentSecurity(Env);
}
headers['Content-Security-Policy'] = csp;
if (Env.NO_SANDBOX) { // handles correct configuration for local development
// https://stackoverflow.com/questions/11531121/add-duplicate-http-response-headers-in-nodejs
@ -91,6 +96,8 @@ var setHeaders = function (req, res) {
type = 'office';
} else if (/^\/api\/(broadcast|config)/.test(req.url)) {
type = 'api';
} else if (/^\/bower_components\/drawio\/src\/main\/webapp\/index.html.*$/.test(req.url)) {
type = 'drawio'
} else {
type = 'standard';
}
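Review bot: `type = 'drawio'` in the new branch of `setHeaders` has no terminating semicolon, unlike the sibling assignments `type = 'office';` and `type = 'api';` in the same chain. The branch also re-introduces the regex literal that the first hunk removes from `EXEMPT`, so this path-matching rule now exists only here; hoisting it to a named module-level constant, e.g. `var DRAWIO_INDEX = /^\/bower_components\/drawio\/src\/main\/webapp\/index\.html.*$/;`, and testing `DRAWIO_INDEX.test(req.url)` would give the special case a name and a single definition. The unescaped `.` in `index.html` plus the trailing `.*` make the match broader than the literal path (any single character before `html`, any suffix including query strings); allowing a query string may be intended, but escaping the dot as shown costs nothing. The body of setHeaders starts and ends outside this hunk, as does getHeaders around the new `csp` chain in the previous hunk.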