Update CSP for OnlyOffice apps
This commit is contained in:
parent
9ca7d504d2
commit
d5f98c916b
|
@ -88,6 +88,28 @@ module.exports = {
|
||||||
"img-src * blob:",
|
"img-src * blob:",
|
||||||
].join('; '),
|
].join('; '),
|
||||||
|
|
||||||
|
// OnlyOffice requires even more lax content security policy in order to function.
|
||||||
|
ooContentSecurity: [
|
||||||
|
"default-src 'none'",
|
||||||
|
"style-src 'unsafe-inline' 'self'" + domain,
|
||||||
|
// Unsafe inline, unsafe-eval are needed for ckeditor :(
|
||||||
|
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
|
||||||
|
"font-src 'self'" + domain,
|
||||||
|
|
||||||
|
/* See above under 'contentSecurity' as to how these values should be
|
||||||
|
* configured for best effect.
|
||||||
|
*/
|
||||||
|
"child-src *",
|
||||||
|
// IE/Edge
|
||||||
|
"frame-src *",
|
||||||
|
|
||||||
|
// see the comment above in the 'contentSecurity' section
|
||||||
|
"connect-src 'self' blob: ws: wss:" + domain,
|
||||||
|
|
||||||
|
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
|
||||||
|
"img-src * blob: data:",
|
||||||
|
].join('; '),
|
||||||
|
|
||||||
httpPort: 3000,
|
httpPort: 3000,
|
||||||
|
|
||||||
// This is for allowing the cross-domain iframe to function when developing
|
// This is for allowing the cross-domain iframe to function when developing
|
||||||
|
|
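--- a/server.js
+++ b/server.js
@@ -75,9 +75,20 @@ var setHeaders = (function () {
 if (config.padContentSecurity) {
 padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
 }
+const ooHeaders = clone(headers);
+if (config.ooContentSecurity) {
+ooHeaders['Content-Security-Policy'] = clone(config.ooContentSecurity);
+}
 if (Object.keys(headers).length) {
 return function (req, res) {
-const h = /^\/pad(2)?\/inner\.html.*/.test(req.url) ? padHeaders : headers;
+const h = [/^\/pad(2)?\/inner\.html.*/].some((regex) => {
+return regex.test(req.url)
+}) ? padHeaders : ([
+/^\/sheet\/inner\.html.*/,
+/^\/common\/onlyoffice\/.*\/index\.html.*/
+].some((regex) => {
+return regex.test(req.url)
+}) ? ooHeaders : headers);
 for (let header in h) { res.setHeader(header, h[header]); }
 };
 }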
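Review bot: The header selection in the returned request handler is a nested ternary around two inline `.some()` callbacks whose regex arrays and regex literals are re-created on every request; hoisting the pattern lists to the enclosing scope and routing through one small helper makes the branch readable and gives a place to document which URLs receive the relaxed OnlyOffice policy. That documentation matters because, per the config hunk in this same commit, `ooContentSecurity` permits `'unsafe-eval'` and wildcard `child-src`/`frame-src`, so the set of paths it applies to should be explicit rather than buried in the ternary. Note that `req.url` includes the query string; the trailing `.*` on each pattern already tolerates that, which is worth saying in a comment so nobody tightens the anchors later without realising it. The enclosing `setHeaders` IIFE starts before this hunk.
```javascript
// URL patterns (matched against req.url, which includes any query string)
// that receive the pad CSP and the laxer OnlyOffice CSP respectively.
const PAD_PATHS = [/^\/pad(2)?\/inner\.html.*/];
const OO_PATHS = [
    /^\/sheet\/inner\.html.*/,
    /^\/common\/onlyoffice\/.*\/index\.html.*/
];
const matchesAny = (patterns, url) => patterns.some((regex) => regex.test(url));
// … unchanged: padHeaders / ooHeaders construction …
return function (req, res) {
    // Pad frames keep padHeaders; OnlyOffice frames get ooHeaders
    // (see ooContentSecurity in the config); everything else gets the defaults.
    const h = matchesAny(PAD_PATHS, req.url) ? padHeaders
        : matchesAny(OO_PATHS, req.url) ? ooHeaders
        : headers;
    for (let header in h) { res.setHeader(header, h[header]); }
};
```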