From 294a444603ada0804755a9ccb39a8989623be5d2 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Thu, 27 Feb 2020 13:09:12 -0500
Subject: [PATCH] WIP removing defaults from the example config file
---
 config/config.example.js | 56 ++++------------------------------
 lib/defaults.js | 65 ++++++++++++++++++++++++++++++++++++++++
 lib/load-config.js | 2 +-
 3 files changed, 71 insertions(+), 52 deletions(-)
 create mode 100644 lib/defaults.js
diff --git a/config/config.example.js b/config/config.example.js
index 90e96a66a..e2bcea5bc 100644
--- a/config/config.example.js
+++ b/config/config.example.js
@@ -16,37 +16,7 @@ var _domain = 'http://localhost:3000/';
 // requiring admins to preserve it is unnecessarily confusing
 var domain = ' ' + _domain;
 
-// Content-Security-Policy
-var baseCSP = [
- "default-src 'none'",
- "style-src 'unsafe-inline' 'self' " + domain,
- "font-src 'self' data:" + domain,
-
- /* child-src is used to restrict iframes to a set of allowed domains.
- * connect-src is used to restrict what domains can connect to the websocket.
- *
- * it is recommended that you configure these fields to match the
- * domain which will serve your CryptPad instance.
- */
- "child-src blob: *",
- // IE/Edge
- "frame-src blob: *",
-
- /* this allows connections over secure or insecure websockets
- if you are deploying to production, you'll probably want to remove
- the ws://* directive, and change '*' to your domain
- */
- "connect-src 'self' ws: wss: blob:" + domain,
-
- // data: is used by codemirror
- "img-src 'self' data: blob:" + domain,
- "media-src * blob:",
-
- // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
- "frame-ancestors *",
- ""
-];
-
+var Default = require("../lib/defaults");
 module.exports = {
 /* =====================
@@ -113,34 +83,18 @@ module.exports = {
 * These settings may vary widely depending on your needs
 * Examples are provided below
 */
- httpHeaders: {
- "X-XSS-Protection": "1; mode=block",
- "X-Content-Type-Options": "nosniff",
- "Access-Control-Allow-Origin": "*"
- },
+ httpHeaders: Default.httpHeaders(),
 
- contentSecurity: baseCSP.join('; ') +
- "script-src 'self'" + domain,
+ contentSecurity: Default.contentSecurity(domain),
 
 // CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
- padContentSecurity: baseCSP.join('; ') +
- "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
+ padContentSecurity: Default.padContentSecurity(domain),
 
 /* Main pages
 * add exceptions to the router so that we can access /privacy.html
 * and other odd pages
 */
- mainPages: [
- 'index',
- 'privacy',
- 'terms',
- 'about',
- 'contact',
- 'what-is-cryptpad',
- 'features',
- 'faq',
- 'maintenance'
- ],
+ mainPages: Default.mainPages(),
 
 /* =====================
 * Subscriptions
diff --git a/lib/defaults.js b/lib/defaults.js
new file mode 100644
index 000000000..f5d87b20b
--- /dev/null
+++ b/lib/defaults.js
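Review bot: With `contentSecurity: Default.contentSecurity(domain)` and `padContentSecurity: Default.padContentSecurity(domain)`, the example config no longer shows the policy it sets, and the guidance that admins should restrict `child-src`/`connect-src` to their own domain and drop `ws:` in production has moved with the directives into lib/defaults.js (next hunk), a file admins are not meant to edit. `Default.commonCSP` takes only `domain`, so the only way left to follow that advice is to replace the whole value with a hand-written policy string. A short comment above these two entries would keep the cue in the file admins actually read, e.g. `// Default.contentSecurity() allows any origin for child-src, connect-src and frame-ancestors and permits ws:; see lib/defaults.js. To restrict these to your domain, replace the value with your own policy string.` The object literal these entries belong to starts and ends outside the hunk.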
@@ -0,0 +1,65 @@
+var Default = module.exports;
+
+Default.commonCSP = function (domain) {
+ // Content-Security-Policy
+ return [
+ "default-src 'none'",
+ "style-src 'unsafe-inline' 'self' " + domain,
+ "font-src 'self' data:" + domain,
+
+ /* child-src is used to restrict iframes to a set of allowed domains.
+ * connect-src is used to restrict what domains can connect to the websocket.
+ *
+ * it is recommended that you configure these fields to match the
+ * domain which will serve your CryptPad instance.
+ */
+ "child-src blob: *",
+ // IE/Edge
+ "frame-src blob: *",
+
+ /* this allows connections over secure or insecure websockets
+ if you are deploying to production, you'll probably want to remove
+ the ws://* directive, and change '*' to your domain
+ */
+ "connect-src 'self' ws: wss: blob:" + domain,
+
+ // data: is used by codemirror
+ "img-src 'self' data: blob:" + domain,
+ "media-src * blob:",
+
+ // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
+ "frame-ancestors *",
+ ""
+ ];
+};
+
+Default.contentSecurity = function (domain) {
+ return Default.commonCSP(domain).join('; ') + "script-src 'self'" + domain;
+};
+
+Default.padContentSecurity = function (domain) {
+ return Default.commonCSP(domain).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain;
+};
+
+Default.httpHeaders = function () {
+ return {
+ "X-XSS-Protection": "1; mode=block",
+ "X-Content-Type-Options": "nosniff",
+ "Access-Control-Allow-Origin": "*"
+ };
+};
+
+Default.mainPages = function () {
+ return [
+ 'index',
+ 'privacy',
+ 'terms',
+ 'about',
+ 'contact',
+ 'what-is-cryptpad',
+ 'features',
+ 'faq',
+ 'maintenance'
+ ];
+};
+
diff --git a/lib/load-config.js b/lib/load-config.js
index 0756c2df4..1c502226a 100644
--- a/lib/load-config.js
+++ b/lib/load-config.js
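Review bot: Every directive in `Default.commonCSP` that appends `domain`, and the trailing `"script-src 'self'" + domain` in `Default.contentSecurity` and `Default.padContentSecurity`, concatenate the argument with no separator, so the result is only a well-formed policy when the caller pre-pads it with a space, as the example config does with `var domain = ' ' + _domain;`. A caller passing a bare origin gets `script-src 'self'http://...` and `font-src 'self' data:http://...`, which are not valid source expressions, and the new module neither documents nor checks this. Normalising once at the top of each of the three functions keeps existing callers working and removes the hidden contract: `domain = domain ? ' ' + String(domain).trim() : '';` (or, at minimum, a JSDoc `@param {string} domain - the instance origin, prefixed with a single space` on each). The new file also lacks the `/* jslint node: true */` and `"use strict";` header that lib/load-config.js carries.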
@@ -1,7 +1,7 @@
 /* jslint node: true */
 "use strict";
 var config;
-var configPath = process.env.CRYPTPAD_CONFIG || "../config/config";
+var configPath = process.env.CRYPTPAD_CONFIG || "../config/config.js";
 try {
 config = require(configPath);
 if (config.adminEmail === 'i.did.not.read.my.config@cryptpad.fr') {
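Review bot: The new default `"../config/config.js"` carries an explicit extension, which narrows `require` resolution: `"../config/config"` would also have accepted a `config/config.json` file or a `config/config/` directory with an index module, whereas the new form loads only `config/config.js`, so any deployment relying on those other forms now throws inside the `try`. If this is intentional, a one-line comment would spare the next reader the guess, e.g. `// explicit extension: only config/config.js is accepted as the default config path`. The `try` block opened here continues outside the hunk, so how that error is handled is not visible from this change.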