Update draw.io dependency and remove unneeded CSP headers

2023-10-17 14:09:07 +02:00 · 2023-10-17 14:09:07 +02:00 · 7f55498bcc
parent 2611785a50
commit 7f55498bcc
7 changed files with 6 additions and 14 deletions
--- a/docs/example-advanced.nginx.conf
+++ b/docs/example-advanced.nginx.conf
@ -163,8 +163,8 @@ server {
    if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }

    # draw.io uses inline script tags in it's index.html. The hashes are added here.
-    if ($uri ~ ^\/components\/drawio-cp\/src\/main\/webapp\/index.html.*$) {
-        set $scriptSrc "'self' 'sha256-dLMFD7ijAw6AVaqecS7kbPcFFzkxQ+yeZSsKpOdLxps=' 'sha256-6g514VrT/cZFZltSaKxIVNFF46+MFaTSDTPB8WfYK+c=' resource: https://${main_domain}";
+    if ($uri ~ ^\/components\/drawio\/src\/main\/webapp\/index.html.*$) {
+        set $scriptSrc "'self' resource: https://${main_domain}";
    }

    # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -48,10 +48,6 @@ Default.padContentSecurity = function (Env) {
    return (Default.commonCSP(Env).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline' resource: " + Env.httpUnsafeOrigin).replace(/\s+/g, ' ');
 };

-Default.diagramContentSecurity = function (Env) {
-    return (Default.commonCSP(Env).join('; ') + "script-src 'self' 'sha256-dLMFD7ijAw6AVaqecS7kbPcFFzkxQ+yeZSsKpOdLxps=' 'sha256-6g514VrT/cZFZltSaKxIVNFF46+MFaTSDTPB8WfYK+c=' resource: " + Env.httpUnsafeOrigin).replace(/\s+/g, ' ');
-};
-
 Default.httpHeaders = function (Env) {
    return {
        "X-XSS-Protection": "1; mode=block",
--- a/lib/http-worker.js
+++ b/lib/http-worker.js
@ -123,8 +123,6 @@ var getHeaders = function (Env, type) {
    var csp;
    if (type === 'office') {
        csp = Default.padContentSecurity(Env);
-    } else if (type === 'diagram') {
-        csp = Default.diagramContentSecurity(Env);
    } else {
        csp = Default.contentSecurity(Env);
    }
@ -147,8 +145,6 @@ var setHeaders = function (req, res) {
        type = 'office';
    } else if (/^\/api\/(broadcast|config)/.test(req.url)) {
        type = 'api';
-    } else if (/^\/components\/drawio-cp\/src\/main\/webapp\/index.html.*$/.test(req.url)) {
-        type = 'diagram';
    } else {
        type = 'standard';
    }
--- a/package-lock.json
+++ b/package-lock.json
@ -23,7 +23,7 @@
        "components-font-awesome": "^4.6.3",
        "croppie": "^2.5.0",
        "dragula": "3.7.2",
-        "drawio-cp": "github:cryptpad/drawio-npm#npm-21.8.2",
+        "drawio": "github:cryptpad/drawio-npm#npm-21.8.2",
        "express": "~4.18.2",
        "file-saver": "1.3.1",
        "fs-extra": "^7.0.0",
--- a/package.json
+++ b/package.json
@ -59,7 +59,7 @@
    "requirejs-plugins": "^1.0.2",
    "scrypt-async": "1.2.0",
    "sortablejs": "^1.6.0",
-    "drawio-cp": "github:cryptpad/drawio-npm#npm-21.8.2",
+    "drawio": "github:cryptpad/drawio-npm#npm-21.8.2",
    "pako": "^2.1.0",
    "x2js": "^3.4.4"
  },
--- a/scripts/copy-components.js
+++ b/scripts/copy-components.js
@ -40,7 +40,7 @@ Fse.rmSync(oldComponentsPath, { recursive: true, force: true });
    "saferphore",
    "nthen",
    "netflux-websocket",
-    "drawio-cp",
+    "drawio",
    "pako",
    "x2js"
 ].forEach(l => {
--- a/www/diagram/inner.js
+++ b/www/diagram/inner.js
@ -178,7 +178,7 @@ define([
        // starting the CryptPad framework
        framework.start();

-        drawioFrame.src = '/components/drawio-cp/src/main/webapp/index.html?'
+        drawioFrame.src = '/components/drawio/src/main/webapp/index.html?'
            + new URLSearchParams({
                test: 1,
                stealth: 1,