From 29fe4b7223d9de90b2397e986f63a5926426d1bc Mon Sep 17 00:00:00 2001
From: ansuz
Date: Fri, 21 Jan 2022 18:01:55 +0530
Subject: [PATCH] restrict unnecessarily permissive CSP

---
 lib/defaults.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/defaults.js b/lib/defaults.js
index c4cb507cb..f43253ccb 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -2,6 +2,7 @@ var Default = module.exports;
 Default.commonCSP = function (domain, sandbox) {
 domain = ' ' + domain;
+sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: '');
 // Content-Security-Policy
 return [
@@ -15,19 +16,19 @@ Default.commonCSP = function (domain, sandbox) {
 * it is recommended that you configure these fields to match the
 * domain which will serve your CryptPad instance.
 */
-"child-src blob: *",
+"child-src 'self' blob: " + domain + sandbox,
 // IE/Edge
-"frame-src blob: *",
+"frame-src 'self' blob: " + domain + sandbox,
 /* this allows connections over secure or insecure websockets if you are deploying to production, you'll probably want to remove the ws://* directive, and change '*' to your domain */
-"connect-src 'self' ws: wss: blob: " + domain + (sandbox && sandbox !== domain? ' ' + sandbox: ''),
+"connect-src 'self' ws: wss: blob: " + domain + sandbox,
 // data: is used by codemirror
 "img-src 'self' data: blob:" + domain,
-"media-src * blob:",
+"media-src blob:",
 // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
 "frame-ancestors *",
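Review bot: The `sandbox !== domain` comparison on the added line runs after `domain` has already been rewritten to `' ' + domain` on the line before it, so a sandbox origin equal to the configured domain never matches (the raw value is compared against a space-prefixed one) and is appended a second time to every directive that now uses `sandbox`; the `connect-src` line this hunk's sibling replaces had the same ordering problem, so the commit hoists rather than fixes it. Move the assignment above the domain rewrite: `sandbox = (sandbox && sandbox !== domain) ? ' ' + sandbox : '';` followed by `domain = ' ' + domain;`. A repeated source is accepted by CSP parsers, so the resulting policy is not weaker than intended, but the dedup branch is dead code as written and the emitted header is harder to audit. commonCSP's body continues past the end of this hunk.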