Merge branch 'soon' into checkup

pull/1/head
ansuz 3 years ago
commit 19863b8fb0

@ -63,12 +63,8 @@ server {
# Opt out of Google's FLoC Network # Opt out of Google's FLoC Network
add_header Permissions-Policy interest-cohort=(); add_header Permissions-Policy interest-cohort=();
set $coop '';
#if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
# Enable SharedArrayBuffer in Firefox (for .xlsx export) # Enable SharedArrayBuffer in Firefox (for .xlsx export)
add_header Cross-Origin-Resource-Policy cross-origin; add_header Cross-Origin-Resource-Policy cross-origin;
add_header Cross-Origin-Opener-Policy $coop;
add_header Cross-Origin-Embedder-Policy require-corp; add_header Cross-Origin-Embedder-Policy require-corp;
# Insert the path to your CryptPad repository root here # Insert the path to your CryptPad repository root here
@ -87,23 +83,23 @@ server {
add_header Cache-Control $cacheControl; add_header Cache-Control $cacheControl;
# CSS can be dynamically set inline, loaded from the same domain, or from $main_domain # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
set $styleSrc "'unsafe-inline' 'self' ${main_domain}"; set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
# connect-src restricts URLs which can be loaded using script interfaces # connect-src restricts URLs which can be loaded using script interfaces
set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}"; set $connectSrc "'self' https://${main_domain} https://${api_domain} blob: wss://${api_domain} https://${files_domain} https://${sandbox_domain}";
# fonts can be loaded from data-URLs or the main domain # fonts can be loaded from data-URLs or the main domain
set $fontSrc "'self' data: ${main_domain}"; set $fontSrc "'self' data: https://${main_domain}";
# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
set $imgSrc "'self' data: blob: ${main_domain} ${sandbox_domain}"; set $imgSrc "'self' data: blob: https://${main_domain}";
# frame-src specifies valid sources for nested browsing contexts. # frame-src specifies valid sources for nested browsing contexts.
# this prevents loading any iframes from anywhere other than the sandbox domain # this prevents loading any iframes from anywhere other than the sandbox domain
set $frameSrc "'self' ${sandbox_domain} blob:"; set $frameSrc "'self' https://${sandbox_domain} blob:";
# specifies valid sources for loading media using video or audio # specifies valid sources for loading media using video or audio
set $mediaSrc "'self' data: blob: ${main_domain} ${sandbox_domain}"; set $mediaSrc "blob:";
# defines valid sources for webworkers and nested browser contexts # defines valid sources for webworkers and nested browser contexts
# deprecated in favour of worker-src and frame-src # deprecated in favour of worker-src and frame-src
@ -111,10 +107,10 @@ server {
# specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
# supercedes child-src but is unfortunately not yet universally supported. # supercedes child-src but is unfortunately not yet universally supported.
set $workerSrc "https://${main_domain}"; set $workerSrc "'self'";
# script-src specifies valid sources for javascript, including inline handlers # script-src specifies valid sources for javascript, including inline handlers
set $scriptSrc "'self' resource: ${main_domain}"; set $scriptSrc "'self' resource: https://${main_domain}";
set $unsafe 0; set $unsafe 0;
# the following assets are loaded via the sandbox domain # the following assets are loaded via the sandbox domain
@ -132,7 +128,7 @@ server {
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
if ($unsafe) { if ($unsafe) {
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}"; set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
} }
# Finally, set all the rules you composed above. # Finally, set all the rules you composed above.

@ -16,9 +16,9 @@ Default.commonCSP = function (domain, sandbox) {
* it is recommended that you configure these fields to match the * it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance. * domain which will serve your CryptPad instance.
*/ */
"child-src " + domain, //'self' blob: " + domain + sandbox, "child-src " + domain,
// IE/Edge // IE/Edge
`frame-src 'self' blob:${sandbox}/* blob:${domain}/* ${sandbox}`, "frame-src 'self' blob: " + sandbox,
/* this allows connections over secure or insecure websockets /* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove if you are deploying to production, you'll probably want to remove
@ -32,7 +32,7 @@ Default.commonCSP = function (domain, sandbox) {
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
"frame-ancestors *", "frame-ancestors *",
"worker-src 'self'", // + domain + sandbox, "worker-src 'self'",
"" ""
]; ];
}; };

@ -930,6 +930,8 @@ define([
$outer, $outer,
$sandbox, $sandbox,
/https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:', /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
// XXX https://$files_domain
// XXX wss://$api_domain
], ],
'img-src': ["'self'", 'data:', 'blob:', $outer], 'img-src': ["'self'", 'data:', 'blob:', $outer],
@ -966,6 +968,11 @@ define([
$outer, $outer,
$sandbox, $sandbox,
/https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:', /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
<<<<<<< HEAD
=======
// XXX https://$files_domain
// XXX wss://$api_domain
>>>>>>> soon
], ],
'img-src': ["'self'", 'data:', 'blob:', $outer], 'img-src': ["'self'", 'data:', 'blob:', $outer],
'media-src': ['blob:'], 'media-src': ['blob:'],

Loading…
Cancel
Save