From 2a7793acd87bc6b2da8ccbd04a27a70bac20ec60 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Mon, 10 Apr 2017 18:08:01 +0200
Subject: [PATCH] set a more permissive CSP policy by default. add a note about it
---
 config.js.dist | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/config.js.dist b/config.js.dist
index caa48eed1..6ef7267c1 100644
--- a/config.js.dist
+++ b/config.js.dist
@@ -32,9 +32,14 @@ module.exports = {
 * it is recommended that you configure these fields to match the
 * domain which will serve your cryptpad instance.
 */
- "connect-src 'self' ws://*",
 "child-src 'self' *",
+ /* this allows connections over secure or insecure websockets if you are deploying to production, you'll probably want to remove the ws://* directive, and change '*' to your domain
+ */
+ "connect-src 'self' ws://* wss://*",
+ // data: is used by codemirror
 "img-src 'self' data:",
 ].join('; '),
@@ -51,7 +56,9 @@ module.exports = {
 * configured for best effect.
 */
 "child-src 'self' *",
- "connect-src 'self' ws://*",
+
+ // see the comment above in the 'contentSecurity' section
+ "connect-src 'self' ws://* wss://*",
 // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
 "img-src *",
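Review bot: The added `"connect-src 'self' ws://* wss://*"` line in the first hunk, and its counterpart in the second hunk, make every host a permitted websocket endpoint over plaintext as well as TLS, so any script that ends up executing on the page can open a connection anywhere, yet the accompanying comment only says operators will "probably" want to tighten it. Since the wildcard is presumably there because `'self'` does not match ws:/wss: in older CSP implementations, the comment should state the narrowed form outright, e.g. `connect-src 'self' wss://<your-domain>` (placeholder for the deployment's host), and say that `ws://*` should only stay in a deployment that genuinely serves plaintext websockets. The same guidance, or a pointer to it, belongs on the `// see the comment above in the 'contentSecurity' section` line in the second hunk, because that section's `child-src 'self' *` and `connect-src` are equally broad and are the ones a production operator is most likely to copy unchanged. The enclosing `module.exports = {` object starts outside the hunk, and the hunk's stated line counts (9 old / 14 new) exceed the lines visible here, so some context lines appear to be missing from this view.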