From 1ef6a96cd1b15c3179f4f365eb25e73d89ecadd8 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Wed, 3 Mar 2021 11:11:06 +0530
Subject: [PATCH] avoid duplicating CSP headers in production environments
---
 server.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/server.js b/server.js
index 33ffff10d..f3ee71d0b 100644
--- a/server.js
+++ b/server.js
@@ -107,6 +107,9 @@ var setHeaders = (function () {
 "Cross-Origin-Embedder-Policy": 'require-corp',
 });
+ // Don't set CSP headers on /api/config because they aren't necessary and they cause problems
+ // when duplicated by NGINX in production environments
+ if (/^\/api\/config/.test(req.url)) { return; }
 // targeted CSP, generic policies, maybe custom headers
 const h = [
 /^\/common\/onlyoffice\/.*\/index\.html.*/,
@@ -162,8 +165,6 @@ app.use(function (req, res, next) {
 return void res.end();
 }
- if (/^\/api\/config/.test(req.url)) { return void next(); }
-
 setHeaders(req, res);
 if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); } else { res.setHeader("Cache-Control", "no-cache"); }
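Review bot: The new exemption in setHeaders matches on a prefix only: `/^\/api\/config/` is tested against `req.url`, so any URL that merely starts with `/api/config` also returns before the CSP is set. Since this line now decides which responses go out without a CSP from Node, anchoring the end keeps the exemption to the one endpoint, e.g. `if (/^\/api\/config(?:\?|$)/.test(req.url)) { return; }`; whether other routes share the prefix is not visible here, and the NGINX rule the comment refers to should cover the same set of paths. Moving the check also changes what the middleware in the second hunk does for this URL: it no longer leaves through `next()` early, so the request now gets the header map applied above the new line (the one containing Cross-Origin-Embedder-Policy) and the Cache-Control header, which looks intended but is worth stating in the comment. The body of setHeaders starts and ends outside the hunk.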