set a more permissive CSP policy by default. add a note about it

2017-04-10 18:08:01 +02:00 · 2017-04-10 18:08:01 +02:00 · 2a7793acd8
parent 8ac0741511
commit 2a7793acd8
1 changed files with 9 additions and 2 deletions
--- a/config.js.dist
+++ b/config.js.dist
@ -32,9 +32,14 @@ module.exports = {
         *  it is recommended that you configure these fields to match the
         *  domain which will serve your cryptpad instance.
         */
-        "connect-src 'self' ws://*",
        "child-src 'self' *",

+        /*  this allows connections over secure or insecure websockets
+            if you are deploying to production, you'll probably want to remove
+            the ws://* directive, and change '*' to your domain
+         */
+        "connect-src 'self' ws://* wss://*",
+
        // data: is used by codemirror
        "img-src 'self' data:",
    ].join('; '),
@ -51,7 +56,9 @@ module.exports = {
         *  configured for best effect.
         */
         "child-src 'self' *",
-         "connect-src 'self' ws://*",
+
+        // see the comment above in the 'contentSecurity' section
+         "connect-src 'self' ws://* wss://*",

        // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
        "img-src *",