Update CSP for OnlyOffice apps
parent
9ca7d504d2
commit
d5f98c916b
|
@ -88,6 +88,28 @@ module.exports = {
|
|||
"img-src * blob:",
|
||||
].join('; '),
|
||||
|
||||
// OnlyOffice requires even more lax content security policy in order to function.
|
||||
ooContentSecurity: [
|
||||
"default-src 'none'",
|
||||
"style-src 'unsafe-inline' 'self'" + domain,
|
||||
// Unsafe inline, unsafe-eval are needed for ckeditor :(
|
||||
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
|
||||
"font-src 'self'" + domain,
|
||||
|
||||
/* See above under 'contentSecurity' as to how these values should be
|
||||
* configured for best effect.
|
||||
*/
|
||||
"child-src *",
|
||||
// IE/Edge
|
||||
"frame-src *",
|
||||
|
||||
// see the comment above in the 'contentSecurity' section
|
||||
"connect-src 'self' blob: ws: wss:" + domain,
|
||||
|
||||
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
|
||||
"img-src * blob: data:",
|
||||
].join('; '),
|
||||
|
||||
httpPort: 3000,
|
||||
|
||||
// This is for allowing the cross-domain iframe to function when developing
|
||||
|
|
13
server.js
13
server.js
|
@ -75,9 +75,20 @@ var setHeaders = (function () {
|
|||
if (config.padContentSecurity) {
|
||||
padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
|
||||
}
|
||||
const ooHeaders = clone(headers);
|
||||
if (config.ooContentSecurity) {
|
||||
ooHeaders['Content-Security-Policy'] = clone(config.ooContentSecurity);
|
||||
}
|
||||
if (Object.keys(headers).length) {
|
||||
return function (req, res) {
|
||||
const h = /^\/pad(2)?\/inner\.html.*/.test(req.url) ? padHeaders : headers;
|
||||
const h = [/^\/pad(2)?\/inner\.html.*/].some((regex) => {
|
||||
return regex.test(req.url)
|
||||
}) ? padHeaders : ([
|
||||
/^\/sheet\/inner\.html.*/,
|
||||
/^\/common\/onlyoffice\/.*\/index\.html.*/
|
||||
].some((regex) => {
|
||||
return regex.test(req.url)
|
||||
}) ? ooHeaders : headers);
|
||||
for (let header in h) { res.setHeader(header, h[header]); }
|
||||
};
|
||||
}
|
||||
|
|
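Review bot: The most permissive header set, `ooHeaders` (whose policy in the config hunk above allows `'unsafe-eval'`/`'unsafe-inline'` scripts and `frame-src *`), is chosen purely by regexes tested against the raw `req.url`, and `/^\/common\/onlyoffice\/.*\/index\.html.*/` matches any path under `/common/onlyoffice/` that contains `index.html` anywhere after it, followed by anything at all. If the trailing `.*` is only meant to admit a query string, anchoring it — `/^\/common\/onlyoffice\/.*\/index\.html(\?.*)?$/` and likewise for the `inner.html` patterns — keeps the relaxed policy from being attached to any other response whose URL merely contains that text (whether such responses exist depends on what the static handler serves, which is not visible here). The nested `.some(...) ? padHeaders : ([...].some(...) ? ooHeaders : headers)` expression is also hard to read; lifting the pattern lists out of the per-request closure and matching them through one helper makes the precedence (pad first, then OnlyOffice, then the default set) explicit and keeps the request handler to the selection and the `setHeader` loop. The enclosing `setHeaders` IIFE starts before this hunk and continues after it.
```javascript
// … unchanged: padHeaders / ooHeaders setup …
if (Object.keys(headers).length) {
    const padUrls = [/^\/pad(2)?\/inner\.html.*/];
    const ooUrls = [
        /^\/sheet\/inner\.html.*/,
        /^\/common\/onlyoffice\/.*\/index\.html.*/,
    ];
    const matchesAny = (patterns, url) => patterns.some((regex) => regex.test(url));
    return function (req, res) {
        // pad pages win over OnlyOffice pages; everything else gets the default set
        let h = headers;
        if (matchesAny(padUrls, req.url)) { h = padHeaders; }
        else if (matchesAny(ooUrls, req.url)) { h = ooHeaders; }
        for (let header in h) { res.setHeader(header, h[header]); }
    };
}
```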