diff --git a/.jshintignore b/.jshintignore
index aad5dea36..aab1b485b 100644
--- a/.jshintignore
+++ b/.jshintignore
@@ -11,3 +11,6 @@
 www/common/hyperscript.js
 www/common/tippy.min.js
 www/pad/wysiwygarea-plugin.js
+www/pad2/wysiwygarea-plugin.js
+
+www/common/media-tag-nacl.min.js
diff --git a/bower.json b/bower.json
index 0880e56ef..9c88d0033 100644
--- a/bower.json
+++ b/bower.json
@@ -23,7 +23,7 @@
 "components-font-awesome": "^4.6.3",
 "ckeditor": "~4.7",
 "codemirror": "^5.19.0",
- "requirejs": "2.1.15",
+ "requirejs": "2.3.5",
 "marked": "0.3.5",
 "rangy": "rangy-release#~1.3.0",
 "json.sortify": "~2.1.0",
@@ -40,6 +40,7 @@
 "less": "^2.7.2",
 "bootstrap": "#v4.0.0-alpha.6",
 "diff-dom": "2.1.1",
+ "nthen": "^0.1.5",
 "open-sans-fontface": "^1.4.2"
 }
 }
diff --git a/config.example.js b/config.example.js
index 7af6cf8af..ce38b5c3a 100644
--- a/config.example.js
+++ b/config.example.js
@@ -2,6 +2,7 @@
 /* globals module */
+var domain = ' http://localhost:3000/';
 module.exports = {
 // the address you want to bind to, :: means all ipv4 and ipv6 addresses
@@ -18,14 +19,14 @@ module.exports = {
 httpHeaders: {
 "X-XSS-Protection": "1; mode=block",
 "X-Content-Type-Options": "nosniff",
- 'X-Frame-Options': 'SAMEORIGIN',
+ "Access-Control-Allow-Origin": "*"
 },
 contentSecurity: [
 "default-src 'none'",
- "style-src 'unsafe-inline' 'self'",
- "script-src 'self'",
- "font-src 'self' data:",
+ "style-src 'unsafe-inline' 'self' " + domain,
+ "script-src 'self'" + domain,
+ "font-src 'self' data:" + domain,
 /* child-src is used to restrict iframes to a set of allowed domains.
 * connect-src is used to restrict what domains can connect to the websocket.
@@ -33,7 +34,9 @@ module.exports = {
 * it is recommended that you configure these fields to match the
 * domain which will serve your CryptPad instance.
 */
- "child-src 'self' blob: *",
+ "child-src blob: *",
+ // IE/Edge
+ "frame-src blob: *",
 "media-src * blob:",
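Review bot: `var domain = ' http://localhost:3000/';` carries an undocumented leading space that every `+ domain` concatenation in the later hunks relies on as the separator between a directive's existing sources and this origin; anyone who trims it or reassigns it without the space gets a silently broken policy, since `'self'http://localhost:3000/` is one invalid source token rather than two. The value is also the same origin as `httpPort: 3000` below, so on the main origin it only duplicates `'self'`; presumably it is meant to hold the other side of the sandbox iframe (`httpSafePort`/`httpSafeOrigin` in the @@ -72 hunk), but nothing says so. Suggest a comment above it such as `// Origin appended to the CSP directives below; the leading space is the separator and must stay.` followed by a sentence naming which origin an operator should put here.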
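Review bot: Removing `'X-Frame-Options': 'SAMEORIGIN'` here, together with `"frame-ancestors *"` in the @@ -41 hunk, leaves no restriction at all on which sites may embed this instance in a frame, and `"Access-Control-Allow-Origin": "*"` is set through `httpHeaders`, so presumably it lands on every response the server sends rather than only on the static assets the sandbox iframe needs. The sandbox origin is something the operator configures (`httpSafePort`/`httpSafeOrigin` in the @@ -72 hunk), so both could name that origin instead of the wildcard, e.g. `"frame-ancestors 'self' " + <sandbox-origin>` and the CORS header limited to the asset routes. If the wildcards are deliberate for the development setup, a comment next to each saying it must be tightened for production would keep them consistent with the file's existing "change '*' to your domain" advice.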
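Review bot: The `// IE/Edge` comment above `"frame-src blob: *"` names browsers but not why the directive duplicates `child-src`, and the same bare comment appears again in the @@ -41 hunk's `padContentSecurity`. Presumably `frame-src` is listed because those browsers do not honour `child-src`; spelling that out, e.g. `// frame-src mirrors child-src for browsers that do not understand child-src (IE/Edge); keep the two in sync`, tells the next editor that both lines must change together.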
@@ -41,30 +44,32 @@ module.exports = {
 if you are deploying to production, you'll probably want to remove the ws://* directive,
 and change '*' to your domain
 */
- "connect-src 'self' ws: wss: blob:",
+ "connect-src 'self' ws: wss: blob:" + domain,
 // data: is used by codemirror
- "img-src 'self' data: blob:",
+ "img-src 'self' data: blob:" + domain,
- // for accounts.cryptpad.fr authentication
- "frame-ancestors 'self' accounts.cryptpad.fr",
+ // for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox
+ "frame-ancestors *",
 ].join('; '),
 // CKEditor requires significantly more lax content security policy in order to function.
 padContentSecurity: [
 "default-src 'none'",
- "style-src 'unsafe-inline' 'self'",
+ "style-src 'unsafe-inline' 'self'" + domain,
 // Unsafe inline, unsafe-eval are needed for ckeditor :(
- "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
- "font-src 'self'",
+ "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
+ "font-src 'self'" + domain,
 /* See above under 'contentSecurity' as to how these values should be
 * configured for best effect.
 */
- "child-src 'self' *",
+ "child-src *",
+ // IE/Edge
+ "frame-src *",
 // see the comment above in the 'contentSecurity' section
- "connect-src 'self' ws: wss:",
+ "connect-src 'self' ws: wss:" + domain,
 // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
 "img-src * blob:",
@@ -72,6 +77,13 @@ module.exports = {
 httpPort: 3000,
+ // This is for allowing the cross-domain iframe to function when developing
+ httpSafePort: 3001,
+
+ // This is for deployment in production, CryptPad uses a separate origin (domain) to host the
+ // cross-domain iframe. It can simply host the same content as CryptPad.
+ // httpSafeOrigin: "https://some-other-domain.xyz",
+
 /* your server's websocket url is configurable
 * (default: '/cryptpad_websocket')
 *
diff --git a/customize.dist/about.html b/customize.dist/about.html
index 03032969b..31d4c99f8 100644
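Review bot: `httpSafeOrigin` is introduced only as a commented-out example, while the policy that would have to admit that origin is built from the `domain` constant hard-coded to `http://localhost:3000/` at the top of the file (the @@ -2 hunk, used by the directives in @@ -18 and @@ -41); nothing links the two, so an operator who uncomments `httpSafeOrigin` for production presumably still ships a CSP that whitelists localhost unless they also edit `domain`. The comment block added here is the natural place to say so, e.g. `// If you set httpSafeOrigin, also update 'domain' at the top of this file: the contentSecurity and padContentSecurity directives are built from it.` The `module.exports` object continues outside the hunk.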
--- a/customize.dist/about.html
+++ b/customize.dist/about.html
@@ -6,7 +6,7 @@
- +