From 0f46869217434186c8ec7c1fa7d5b7c2732e9f9e Mon Sep 17 00:00:00 2001
From: ansuz
Date: Thu, 10 Feb 2022 17:11:17 +0530
Subject: [PATCH] WIP update recommended production CSP values
---
 docs/example.nginx.conf | 22 +++++++++-------------
 www/checkup/main.js | 4 ++++
 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
index 6a9d268e8..4dc2d5068 100644
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@@ -63,12 +63,8 @@ server {
 # Opt out of Google's FLoC Network
 add_header Permissions-Policy interest-cohort=();
- set $coop '';
- #if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
-
 # Enable SharedArrayBuffer in Firefox (for .xlsx export)
 add_header Cross-Origin-Resource-Policy cross-origin;
- add_header Cross-Origin-Opener-Policy $coop;
 add_header Cross-Origin-Embedder-Policy require-corp;
 # Insert the path to your CryptPad repository root here
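Review bot: After dropping the `Cross-Origin-Opener-Policy` header, the surviving comment `# Enable SharedArrayBuffer in Firefox (for .xlsx export)` above the `Cross-Origin-Resource-Policy` and `Cross-Origin-Embedder-Policy` lines no longer describes what the block achieves: SharedArrayBuffer is only available in a cross-origin-isolated context, which requires COOP `same-origin` together with COEP `require-corp`, so COEP alone does not unlock it. Behaviour is most likely unchanged, because the removed `set $coop ''` left the header value empty and nginx does not emit an `add_header` whose value is an empty string, but the comment now promises something the config never did. Suggested replacement comment: `# COEP require-corp is kept so resources are opted in explicitly; SharedArrayBuffer (.xlsx export) additionally needs Cross-Origin-Opener-Policy: same-origin, which this config does not send`. The `server {` block itself begins and ends outside the hunk.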
@@ -87,23 +83,23 @@ server {
 add_header Cache-Control $cacheControl;
 # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
- set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
+ set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
 # connect-src restricts URLs which can be loaded using script interfaces
- set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
+ set $connectSrc "'self' https://${main_domain} https://${api_domain} blob: wss://${api_domain} https://${files_domain} https://${sandbox_domain}";
 # fonts can be loaded from data-URLs or the main domain
- set $fontSrc "'self' data: ${main_domain}";
+ set $fontSrc "'self' data: https://${main_domain}";
 # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
- set $imgSrc "'self' data: blob: ${main_domain} ${sandbox_domain}";
+ set $imgSrc "'self' data: blob: https://${main_domain}";
 # frame-src specifies valid sources for nested browsing contexts.
 # this prevents loading any iframes from anywhere other than the sandbox domain
- set $frameSrc "'self' ${sandbox_domain} blob:";
+ set $frameSrc "'self' https://${sandbox_domain} blob:";
 # specifies valid sources for loading media using video or audio
- set $mediaSrc "'self' data: blob: ${main_domain} ${sandbox_domain}";
+ set $mediaSrc "blob:";
 # defines valid sources for webworkers and nested browser contexts
 # deprecated in favour of worker-src and frame-src
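Review bot: The comment above the new `$imgSrc` line still reads "images can be loaded from anywhere", while the value `'self' data: blob: https://${main_domain}` is now a fixed allow-list that also drops `${sandbox_domain}`; the comment should match the policy, e.g. `# images may only come from the main domain, data: or blob: URLs; the sandbox domain is deliberately not listed` (if that omission is in fact intended, say so, otherwise sandbox-origin images will start failing). The same applies to `$mediaSrc`, which shrinks from `'self' data: blob: ${main_domain} ${sandbox_domain}` to `blob:` alone; that agrees with the `'media-src': ['blob:']` expectation in www/checkup/main.js further down in this patch, but nothing in the config records that media is only ever played from object URLs, so a one-line comment to that effect would stop the next maintainer from "fixing" it. Scheme-qualified entries such as `https://${main_domain}` also change semantics slightly: an unqualified host-source matches the document's own scheme, so the explicit `https://` makes these directives independent of how the page was reached, which is worth a note near `$connectSrc` for operators who run a non-TLS test instance. The `server {` block begins and ends outside the hunk.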
@@ -111,10 +107,10 @@ server {
 # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
 # supercedes child-src but is unfortunately not yet universally supported.
- set $workerSrc "https://${main_domain}";
+ set $workerSrc "'self'";
 # script-src specifies valid sources for javascript, including inline handlers
- set $scriptSrc "'self' resource: ${main_domain}";
+ set $scriptSrc "'self' resource: https://${main_domain}";
 set $unsafe 0;
 # the following assets are loaded via the sandbox domain
@@ -132,7 +128,7 @@ server {
 # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
 if ($unsafe) {
- set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
+ set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
 }
 # Finally, set all the rules you composed above.
diff --git a/www/checkup/main.js b/www/checkup/main.js
index e54b0b98c..fa096cee9 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@@ -930,6 +930,8 @@ define([
 $outer,
 $sandbox,
 /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+ // XXX https://$files_domain
+ // XXX wss://$api_domain
 ],
 'img-src': ["'self'", 'data:', 'blob:', $outer],
@@ -966,6 +968,8 @@ define([
 $outer,
 $sandbox,
 /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+ // XXX https://$files_domain
+ // XXX wss://$api_domain
 ],
 'img-src': ["'self'", 'data:', 'blob:', $outer],
 'media-src': ['blob:'],
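Review bot: `set $workerSrc "'self'"` means something different per origin: `'self'` is resolved against the document's origin, so on pages served from `${sandbox_domain}` it now allows workers only from the sandbox origin, whereas the previous `https://${main_domain}` allowed main-domain worker scripts from both origins. If any sandboxed page starts a Worker, SharedWorker or ServiceWorker from the main domain, this value will block it; if that never happens, the comment above should record the invariant, e.g. `# workers are always fetched from the page's own origin, so 'self' is correct for both the main and sandbox domains`. The `server {` block begins and ends outside the hunk.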
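Review bot: The two `// XXX https://$files_domain` / `// XXX wss://$api_domain` comment lines added inside the expected `connect-src` array (here and again, identically, in the hunk at `@@ -966,6 +968,8 @@`) leave the checkup's expectation out of step with the recommended policy in docs/example.nginx.conf from this same patch, whose `$connectSrc` now lists `https://${files_domain}` and `wss://${api_domain}`; presumably the checkup will keep comparing the served CSP against the shorter list until these become real entries. `$files_domain` and `$api_domain` look like nginx variable names copied from the conf rather than anything in scope in this file, so the placeholders should state what is actually missing, e.g. `// TODO: add the files domain (https://) and the API domain (wss://) once the checkup can discover them; keep in sync with $connectSrc in docs/example.nginx.conf`. Since the two arrays are byte-identical, a single shared list referenced from both places would stop them drifting apart; the enclosing `define([` callback starts and ends outside the hunk.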