From 0fe62f8c751bf1b085b654362a4a217ae38379f4 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Wed, 12 Oct 2016 13:03:36 +0200
Subject: [PATCH] make wss CSP headers configurable again
---
 config.js.dist | 5 +++++
 server.js | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/config.js.dist b/config.js.dist
index 5f942bbfb..1edfb7f36 100644
--- a/config.js.dist
+++ b/config.js.dist
@@ -25,6 +25,11 @@ module.exports = {
 */
 //websocketPort: 3000,
+ /* If Cryptpad is proxied without using https, the server needs to know.
+ * Specify 'useSecureWebsockets: true' so that it can send
+ * Content Security Policy Headers that prevent http and https from mixing
+ */
+ useSecureWebsockets: false,
 /* Cryptpad can log activity to stdout
 * This may be useful for debugging
diff --git a/server.js b/server.js
index b6dc9d9dd..bc17cccbf 100644
--- a/server.js
+++ b/server.js
@@ -24,7 +24,7 @@ app.use(function (req, res, next) {
 if (config.websocketPort) {
 host = host.replace(/\:[0-9]+/, ':' + config.websocketPort);
 }
- var proto = httpsOpts ? 'wss://' : 'ws://';
+ var proto = (httpsOpts || config.useSecureWebsockets) ? 'wss://' : 'ws://';
 res.setHeader('Content-Security-Policy', [
 "default-src 'none'",
 "style-src 'unsafe-inline' 'self'",
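Review bot: The added comment in config.js.dist describes the flag as being for when Cryptpad is "proxied without using https", which reads as the opposite of the case the server.js change covers. There the node process has no `httpsOpts`, yet `wss://` is wanted, presumably because a front-end proxy terminates TLS. I would reword it along the lines of `If Cryptpad itself serves plain http but sits behind a proxy that terminates TLS, set 'useSecureWebsockets: true'`. As far as this patch shows, the flag only selects the websocket scheme, and that scheme is presumably the one written into the Content-Security-Policy header; the comment should say so. It would also help operators to note that leaving it `false` behind an HTTPS front end keeps the `ws://` scheme, which browsers are expected to refuse as mixed content.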
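Review bot: The new `proto` line in server.js treats any truthy `config.useSecureWebsockets` as a request for `wss://`, so a mistyped value such as the string `'false'` would silently change the scheme. Comparing strictly keeps the option a real boolean: `var proto = (httpsOpts || config.useSecureWebsockets === true) ? 'wss://' : 'ws://';`. A short comment above the line would also help the next reader, e.g. `// wss:// when TLS is terminated here (httpsOpts) or by a front-end proxy (useSecureWebsockets)`. The middleware function starts before the hunk and continues past it, so where `host` comes from and how `proto` and `host` are placed in the policy are not visible here.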