WIP removing defaults from the example config file

pull/1/head
ansuz 5 years ago
parent 08941fa85b
commit 294a444603

@ -16,37 +16,7 @@ var _domain = 'http://localhost:3000/';
// requiring admins to preserve it is unnecessarily confusing // requiring admins to preserve it is unnecessarily confusing
var domain = ' ' + _domain; var domain = ' ' + _domain;
// Content-Security-Policy var Default = require("../lib/defaults");
var baseCSP = [
"default-src 'none'",
"style-src 'unsafe-inline' 'self' " + domain,
"font-src 'self' data:" + domain,
/* child-src is used to restrict iframes to a set of allowed domains.
* connect-src is used to restrict what domains can connect to the websocket.
*
* it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance.
*/
"child-src blob: *",
// IE/Edge
"frame-src blob: *",
/* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain
*/
"connect-src 'self' ws: wss: blob:" + domain,
// data: is used by codemirror
"img-src 'self' data: blob:" + domain,
"media-src * blob:",
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
"frame-ancestors *",
""
];
module.exports = { module.exports = {
/* ===================== /* =====================
@ -113,34 +83,18 @@ module.exports = {
* These settings may vary widely depending on your needs * These settings may vary widely depending on your needs
* Examples are provided below * Examples are provided below
*/ */
httpHeaders: { httpHeaders: Default.httpHeaders(),
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
contentSecurity: baseCSP.join('; ') + contentSecurity: Default.contentSecurity(domain),
"script-src 'self'" + domain,
// CKEditor and OnlyOffice require significantly more lax content security policy in order to function. // CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
padContentSecurity: baseCSP.join('; ') + padContentSecurity: Default.padContentSecurity(domain),
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
/* Main pages /* Main pages
* add exceptions to the router so that we can access /privacy.html * add exceptions to the router so that we can access /privacy.html
* and other odd pages * and other odd pages
*/ */
mainPages: [ mainPages: Default.mainPages(),
'index',
'privacy',
'terms',
'about',
'contact',
'what-is-cryptpad',
'features',
'faq',
'maintenance'
],
/* ===================== /* =====================
* Subscriptions * Subscriptions
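Review bot: The comment kept at the top of this hunk still says "Examples are provided below", but the hunk replaces the inline `httpHeaders`, `contentSecurity`, `padContentSecurity` and `mainPages` values with calls into `Default`, so an admin reading the example config no longer sees what they are accepting, including the wildcard `Access-Control-Allow-Origin` and the `'unsafe-eval' 'unsafe-inline'` script policy that now live in the defaults module. Please update that comment to point at the new location, e.g. `* The defaults are defined in lib/defaults.js; to customise them, replace the Default.*() call with a literal value`. The same applies to the first hunk, where `var Default = require("../lib/defaults");` replaced the `// Content-Security-Policy` heading without saying where the policy went. The `module.exports` object this hunk sits in opens and closes outside the hunk.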

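--- /dev/null
+++ b/lib/defaults.js
@@ -0,0 +1,65 @@
+var Default = module.exports;
+Default.commonCSP = function (domain) {
+// Content-Security-Policy
+return [
+"default-src 'none'",
+"style-src 'unsafe-inline' 'self' " + domain,
+"font-src 'self' data:" + domain,
+/* child-src is used to restrict iframes to a set of allowed domains.
+* connect-src is used to restrict what domains can connect to the websocket.
+*
+* it is recommended that you configure these fields to match the
+* domain which will serve your CryptPad instance.
+*/
+"child-src blob: *",
+// IE/Edge
+"frame-src blob: *",
+/* this allows connections over secure or insecure websockets
+if you are deploying to production, you'll probably want to remove
+the ws://* directive, and change '*' to your domain
+*/
+"connect-src 'self' ws: wss: blob:" + domain,
+// data: is used by codemirror
+"img-src 'self' data: blob:" + domain,
+"media-src * blob:",
+// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
+"frame-ancestors *",
+""
+];
+};
+Default.contentSecurity = function (domain) {
+return Default.commonCSP(domain).join('; ') + "script-src 'self'" + domain;
+};
+Default.padContentSecurity = function (domain) {
+return Default.commonCSP(domain).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain;
+};
+Default.httpHeaders = function () {
+return {
+"X-XSS-Protection": "1; mode=block",
+"X-Content-Type-Options": "nosniff",
+"Access-Control-Allow-Origin": "*"
+};
+};
+Default.mainPages = function () {
+return [
+'index',
+'privacy',
+'terms',
+'about',
+'contact',
+'what-is-cryptpad',
+'features',
+'faq',
+'maintenance'
+];
+};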
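Review bot: `commonCSP`, `contentSecurity` and `padContentSecurity` append `domain` verbatim to directives such as `"font-src 'self' data:" + domain` and `"script-src 'self'" + domain`, so they only yield a well-formed policy when the caller has already prefixed `domain` with a space, as the example config does with `' ' + _domain`. That contract is nowhere stated, and a second caller passing a bare origin would produce `data:http://…`, which is not a valid CSP source expression, so the intended source would silently drop out of the directive. At minimum document it on `commonCSP` with `// `domain` must begin with a space: it is concatenated directly onto several directives (config passes ' ' + _domain)`; normalising it once, e.g. `domain = domain ? ' ' + String(domain).trim() : '';` at the top of each of the three functions, would keep the current caller's output unchanged while making the helpers safe for other callers. It is also worth a one-line comment on `httpHeaders` that the wildcard `Access-Control-Allow-Origin` is the default every instance inherits unless overridden in its config.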

@ -1,7 +1,7 @@
/* jslint node: true */ /* jslint node: true */
"use strict"; "use strict";
var config; var config;
var configPath = process.env.CRYPTPAD_CONFIG || "../config/config"; var configPath = process.env.CRYPTPAD_CONFIG || "../config/config.js";
try { try {
config = require(configPath); config = require(configPath);
if (config.adminEmail === 'i.did.not.read.my.config@cryptpad.fr') { if (config.adminEmail === 'i.did.not.read.my.config@cryptpad.fr') {
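Review bot: The fallback now names `config.js` explicitly, but nothing documents how a `CRYPTPAD_CONFIG` value is interpreted: it is handed straight to `require()`, which resolves a relative path against this module's directory rather than the process working directory, so an operator exporting something like `CRYPTPAD_CONFIG=./config/config.js` from the repository root would presumably not load the file they expect. A comment above the declaration such as `// CRYPTPAD_CONFIG is passed to require(): give an absolute path, or one relative to this file` would avoid that surprise; resolving the value against `__dirname` before the `require` would remove the ambiguity altogether. The `try` block opened in this hunk continues past its last line.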
