@ -2,6 +2,7 @@ var Default = module.exports;
|
Default.commonCSP = function (domain, sandbox) {
domain = ' ' + domain;
sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: '');
// Content-Security-Policy
|
return [
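Review bot: The added guard `sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: '');` runs after `domain` has already been rewritten to `' ' + domain`, so `sandbox !== domain` compares the raw sandbox origin against a space-prefixed string and is always true; a deployment whose sandbox origin equals its main domain therefore gets that origin listed twice in every directive, and the check never does what its shape suggests. The hoisted expression inherits this from the removed inline `connect-src` version in the next hunk, which had the same ordering. Do the comparison before prefixing — `sandbox = (sandbox && sandbox !== domain ? ' ' + sandbox : '');` followed by `domain = ' ' + domain;` — and add a comment such as `// append the sandbox origin only when it differs from the main domain`. A repeated source is harmless to CSP parsing, so this is about intent and readability rather than a weakened policy; commonCSP's body continues outside this hunk.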
@ -15,19 +16,19 @@ Default.commonCSP = function (domain, sandbox) {
* it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance.
*/
"child-src blob: *",
"child-src 'self' blob: " + domain + sandbox,
// IE/Edge
"frame-src blob: *",
"frame-src 'self' blob: " + domain + sandbox,
|
/* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain
*/
"connect-src 'self' ws: wss: blob: " + domain + (sandbox && sandbox !== domain? ' ' + sandbox: ''),
"connect-src 'self' ws: wss: blob: " + domain + sandbox,
|
// data: is used by codemirror
"img-src 'self' data: blob:" + domain,
"media-src * blob:",
"media-src blob:",
|
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
"frame-ancestors *",