From b38ba6dbec307daeda1befb71073def8a199599d Mon Sep 17 00:00:00 2001
From: ansuz
Date: Thu, 16 Mar 2017 15:17:40 +0100
Subject: [PATCH 1/3] comment out config lines which break local usage of cryptpad
---
 config.js.dist | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/config.js.dist b/config.js.dist
index da80bb374..4384ad932 100644
--- a/config.js.dist
+++ b/config.js.dist
@@ -37,9 +37,17 @@ module.exports = {
 "style-src 'unsafe-inline' 'self'",
 // Unsafe inline, unsafe-eval are needed for ckeditor :(
 "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
- "child-src 'self' cryptpad.fr *.cryptpad.fr",
 "font-src 'self'",
- "connect-src 'self' wss://cryptpad.fr",
+
+ /* child-src is used to restrict iframes to a set of allowed domains.
+ * connect-src is used to restrict what domains can connect to the websocket.
+ *
+ * it is recommended that you configure these fields to match the
+ * domain which will serve your cryptpad instance.
+ */
+ // "child-src 'self' cryptpad.fr *.cryptpad.fr",
+ // "connect-src 'self' wss://cryptpad.fr",
+
 // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
 "img-src *",
 ].join('; '),
From 737ffe8430cdc370f40c6cb0d0214e52bed14667 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Thu, 16 Mar 2017 15:17:40 +0100
Subject: [PATCH 2/3] comment out config lines which break local usage of cryptpad
---
 config.js.dist | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/config.js.dist b/config.js.dist
index da80bb374..4384ad932 100644
--- a/config.js.dist
+++ b/config.js.dist
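Review bot: Commenting out `child-src` and `connect-src` does not relax them, it tightens them: a CSP directive that is absent falls back to `default-src`, and the sibling `contentSecurity` array in this same file begins with `"default-src 'none'"` (I assume this second array opens the same way; its first lines are outside the hunk), so after this patch every websocket connection and every iframe in the pad is refused rather than allowed. If the goal is a default that works for a local instance, the two directives must stay present with the intended sources, e.g. `"connect-src 'self' ws://*",` and `"child-src 'self' *",`, which is what patch 3/3 in this series ends up writing; as a standalone commit this one leaves a broken state in history and would be better squashed. The commented-out example lines are fine as documentation but are easy to mistake for the live value, so a one-line `// example: restrict to the domain serving this instance` above them would help. The array being edited starts before this hunk and the enclosing `module.exports` object continues after it.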
@@ -37,9 +37,17 @@ module.exports = {
 "style-src 'unsafe-inline' 'self'",
 // Unsafe inline, unsafe-eval are needed for ckeditor :(
 "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
- "child-src 'self' cryptpad.fr *.cryptpad.fr",
 "font-src 'self'",
- "connect-src 'self' wss://cryptpad.fr",
+
+ /* child-src is used to restrict iframes to a set of allowed domains.
+ * connect-src is used to restrict what domains can connect to the websocket.
+ *
+ * it is recommended that you configure these fields to match the
+ * domain which will serve your cryptpad instance.
+ */
+ // "child-src 'self' cryptpad.fr *.cryptpad.fr",
+ // "connect-src 'self' wss://cryptpad.fr",
+
 // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
 "img-src *",
 ].join('; '),
From e8fbbf998428fed2035fc9513718e44bd16579f1 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Thu, 16 Mar 2017 15:40:16 +0100
Subject: [PATCH 3/3] fix default config to be very permissive with CSP headers
---
 config.js.dist | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/config.js.dist b/config.js.dist
index 4384ad932..bb58528b0 100644
--- a/config.js.dist
+++ b/config.js.dist
@@ -24,9 +24,17 @@ module.exports = {
 "default-src 'none'",
 "style-src 'unsafe-inline' 'self'",
 "script-src 'self'",
- "child-src 'self' cryptpad.fr *.cryptpad.fr",
 "font-src 'self'",
- "connect-src 'self' wss://cryptpad.fr",
+
+ /* child-src is used to restrict iframes to a set of allowed domains.
+ * connect-src is used to restrict what domains can connect to the websocket.
+ *
+ * it is recommended that you configure these fields to match the
+ * domain which will serve your cryptpad instance.
+ */
+ "connect-src 'self' ws://*",
+ "child-src 'self' *",
+
 // data: is used by codemirror
 "img-src 'self' data:",
 ].join('; '),
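Review bot: This hunk is a byte-for-byte repeat of patch 1/3 — the same `index da80bb374..4384ad932` blob ids, the same removed and added lines, the same author date — so applied on top of patch 1 its `-` lines no longer exist in the file and the hunk will not apply; one of the two commits should be dropped from the series. Taken on its own it also has the same problem as its twin: with `child-src` and `connect-src` commented out they fall back to `default-src`, and if this array starts with `"default-src 'none'"` like the sibling `contentSecurity` array does (its opening lines are outside the hunk, so I am inferring), the pad's websocket and iframes are blocked outright. The array starts before the hunk and the enclosing object continues after it.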
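Review bot: `"connect-src 'self' ws://*"` and `"child-src 'self' *"` make the shipped default a policy under which any script running on the page may open a websocket to any host and embed a frame from any origin, which is exactly what `"default-src 'none'"` three context lines above is meant to forbid; for a `.dist` file that admins copy verbatim, the soft 'it is recommended' in the comment is easy to skip. Note also that `ws://*` names only the plaintext scheme, so an instance served over TLS whose client connects via `wss://` may still be refused by this default in browsers that do not apply the CSP3 ws-to-wss scheme upgrade — worth checking against the client's socket code, which is not in this diff. I would make the placeholder status explicit next to the values rather than in the prose, e.g. `// TODO(deploy): replace '*' with the origin serving this instance, e.g. "connect-src 'self' wss://pad.example.org"`. The array starts before the hunk and the enclosing `module.exports` object continues after it.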
@@ -39,14 +47,11 @@ module.exports = {
 "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
 "font-src 'self'",
 
- /* child-src is used to restrict iframes to a set of allowed domains.
- * connect-src is used to restrict what domains can connect to the websocket.
- *
- * it is recommended that you configure these fields to match the
- * domain which will serve your cryptpad instance.
+ /* See above under 'contentSecurity' as to how these values should be
+ * configured for best effect.
 */
- // "child-src 'self' cryptpad.fr *.cryptpad.fr",
- // "connect-src 'self' wss://cryptpad.fr",
+ "child-src 'self' *",
+ "connect-src 'self' ws://*",
 
 // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
 "img-src *",
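Review bot: This is the block whose `script-src` already carries `'unsafe-eval' 'unsafe-inline'` (first context line of the hunk, kept for ckeditor), so the new `"connect-src 'self' ws://*"` hands any inline script that reaches the editor a policy-approved channel to any host, and `"child-src 'self' *"` lets it embed arbitrary frames; the connect/child restriction carries the most weight precisely where script execution is loosest, and it now ships wide open. The replacement comment only points at the other block, so a reader of this array never sees the warning; I would state it here, e.g. `/* Wildcards are a local-testing default. With 'unsafe-inline' scripts above, lock these to the origin serving this instance in production; see 'contentSecurity'. */`. A minor style point: the two directives are listed as connect then child in the other hunk and child then connect here, and keeping the order identical makes the two arrays easier to diff by eye. The array continues past `"img-src *",` outside the hunk.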