apply strict controls for postMessage and tighten up blob CSP

ansuz 2022-02-11 19:22:03 +05:30
parent 06f75f7769
commit c0b379b535
7 changed files with 17 additions and 8 deletions


@ -18,7 +18,7 @@ Default.commonCSP = function (domain, sandbox) {
*/
"child-src 'self' blob: " + domain + sandbox,
// IE/Edge
"frame-src 'self' blob: " + domain + sandbox,
`frame-src 'self' blob:${sandbox}/* blob:${domain}/* ${domain} ${sandbox}`,
/* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove
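Review bot: The rewritten `frame-src` line probably does not restrict blob frames the way `blob:${sandbox}/*` suggests, because as far as I know CSP matches `blob:` only as a bare scheme and has no syntax for scoping it to an origin. The unchanged `child-src` line concatenates `domain + sandbox` without a separator, so both values appear to carry a leading space; in that case the header still contains a bare `blob:` followed by `https://…/*` host sources, and otherwise the `blob:https://…/*` tokens are likely ignored as invalid. I would check the emitted header in a browser console and then either keep the plain `blob:` with a comment on why it is needed or drop it from this directive, e.g. `"frame-src 'self'" + domain + sandbox,`. `child-src` on the line above still allows `blob:`, so a one-line comment on why the two directives differ would help; the array continues outside the hunk.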


@ -1361,7 +1361,7 @@ define([
msgEv.fire(msg);
});
var postMsg = function (data) {
iframe.postMessage(data, '*');
iframe.postMessage(data, ApiConfig.httpSafeOrigin);
};
Channel.create(msgEv, postMsg, function (chan) {
APP.chan = chan;
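Review bot: `ApiConfig.httpSafeOrigin` is passed as the target origin here with no fallback, while the `#sbox-iframe` hunk further down uses `ApiConfig.httpSafeOrigin || window.location.origin`. If the value can be unset on an instance without a separate sandbox origin (the fallback suggests it can), this call may throw or fail to reach the frame, and the channel would never become ready. The same applies to the three later `postMsg` hunks (the `SFrameChannel.create`, `#sbox-secure-iframe` and `#sbox-unsafe-iframe` ones), which pass `httpUnsafeOrigin` or `httpSafeOrigin` bare. Using the same guarded form everywhere, e.g. `iframe.postMessage(data, ApiConfig.httpSafeOrigin || window.location.origin);`, or failing loudly when the origin is missing would keep the call sites consistent. The enclosing `define` callback starts outside the hunk, so where `ApiConfig` is imported is not visible.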


@ -1,8 +1,9 @@
// This file provides the API for the channel for talking to and from the sandbox iframe.
define([
//'/common/sframe-protocol.js',
'/common/common-util.js'
], function (/*SFrameProtocol,*/ Util) {
'/common/common-util.js',
'/api/config',
], function (/*SFrameProtocol,*/ Util, ApiConfig) {
var mkTxid = function () {
return Math.random().toString(16).replace('0.', '') + Math.random().toString(16).replace('0.', '');
@ -156,9 +157,17 @@ define([
});
};
var trusted = [
ApiConfig.httpUnsafeOrigin,
ApiConfig.httpSafeOrigin,
'', // sharedworkers
];
onMsg.reg(function (msg) {
if (!chanLoaded) { return; }
if (!msg.data || msg.data === '_READY') { return; }
if (!trusted.includes(msg.origin)) { return; }
var data = typeof(msg.data) === "object" ? msg.data : JSON.parse(msg.data);
if (typeof(data.ack) !== "undefined") {
if (acks[data.txid]) { acks[data.txid](!data.ack); }
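Review bot: The `trusted` list accepts both `ApiConfig.httpUnsafeOrigin` and `ApiConfig.httpSafeOrigin` (plus `''`) on every channel, so a listener that only ever talks to one peer also accepts messages from the other origin. Each caller already knows its peer (the `postMsg` closures in the other files name a single target origin), so passing the expected origin into `create` and comparing against that alone would be tighter. The `''` entry is explained only by `// sharedworkers`; a fuller comment such as `// MessagePort/SharedWorker events carry an empty origin; window messages do not` would record why it is safe, if that is indeed the reasoning. Rejected messages return silently at `if (!trusted.includes(msg.origin)) { return; }`, which makes an origin misconfiguration hard to diagnose, so a `console.warn` there is worth considering. The `onMsg.reg` callback continues past the end of the hunk.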


@ -170,7 +170,7 @@ define([
var iframe = $('#sbox-iframe')[0].contentWindow;
var postMsg = function (data) {
try {
iframe.postMessage(data, '*');
iframe.postMessage(data, ApiConfig.httpSafeOrigin || window.location.origin);
} catch (err) {
console.error(err, data);
if (data && data.error && data.error instanceof Error) {


@ -762,7 +762,7 @@ define([
msgEv.fire(msg);
});
var postMsg = function (data) {
iframe.postMessage(data, '*');
iframe.postMessage(data, ApiConfig.httpUnsafeOrigin);
};
SFrameChannel.create(msgEv, postMsg, waitFor(function (sfc) { ctx.sframeChan = sfc; }));
}).nThen(function (waitFor) {


@ -57,7 +57,7 @@ define([
var msgEv = Utils.Util.mkEvent();
var iframe = $('#sbox-secure-iframe')[0].contentWindow;
var postMsg = function (data) {
iframe.postMessage(data, '*');
iframe.postMessage(data, ApiConfig.httpSafeOrigin);
};
var w = waitFor();
var whenReady = function (msg) {


@ -60,7 +60,7 @@ define([
var msgEv = Utils.Util.mkEvent();
var iframe = $('#sbox-unsafe-iframe')[0].contentWindow;
var postMsg = function (data) {
iframe.postMessage(data, '*');
iframe.postMessage(data, ApiConfig.httpUnsafeOrigin);
};
var w = waitFor();
var whenReady = function (msg) {