dnrops
/
cryptpad
mirror of https://github.com/xwiki-labs/cryptpad
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update CSP for OnlyOffice apps

This commit is contained in:
yflory 2019-01-28 12:18:18 +01:00
parent 9ca7d504d2
commit d5f98c916b
2 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
config.example.js
View File

@ -88,6 +88,28 @@ module.exports = {
"img-src * blob:", "img-src * blob:",
].join('; '), ].join('; '),
// OnlyOffice requires even more lax content security policy in order to function.
ooContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be
* configured for best effect.
*/
"child-src *",
// IE/Edge
"frame-src *",
// see the comment above in the 'contentSecurity' section
"connect-src 'self' blob: ws: wss:" + domain,
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
"img-src * blob: data:",
].join('; '),
httpPort: 3000, httpPort: 3000,
// This is for allowing the cross-domain iframe to function when developing // This is for allowing the cross-domain iframe to function when developing

13
server.js
View File

@ -75,9 +75,20 @@ var setHeaders = (function () {
if (config.padContentSecurity) { if (config.padContentSecurity) {
padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity); padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
} }
const ooHeaders = clone(headers);
if (config.ooContentSecurity) {
ooHeaders['Content-Security-Policy'] = clone(config.ooContentSecurity);
}
if (Object.keys(headers).length) { if (Object.keys(headers).length) {
return function (req, res) { return function (req, res) {
const h = /^\/pad(2)?\/inner\.html.*/.test(req.url) ? padHeaders : headers; const h = [/^\/pad(2)?\/inner\.html.*/].some((regex) => {
return regex.test(req.url)
}) ? padHeaders : ([
/^\/sheet\/inner\.html.*/,
/^\/common\/onlyoffice\/.*\/index\.html.*/
].some((regex) => {
return regex.test(req.url)
}) ? ooHeaders : headers);
for (let header in h) { res.setHeader(header, h[header]); } for (let header in h) { res.setHeader(header, h[header]); }
}; };
} }