diff --git a/lib/defaults.js b/lib/defaults.js index 5078c9a84..e3920d79e 100644 --- a/lib/defaults.js +++ b/lib/defaults.js @@ -5,6 +5,7 @@ Default.commonCSP = function (Env) { var sandbox = Env.httpSafeOrigin; sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: ''); // Content-Security-Policy + var accounts_api = Env.accounts_api? ' ' + Env.accounts_api: ''; return [ "default-src 'none'", @@ -25,7 +26,7 @@ Default.commonCSP = function (Env) { if you are deploying to production, you'll probably want to remove the ws://* directive */ - "connect-src 'self' blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox, + "connect-src 'self' blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox + accounts_api, // data: is used by codemirror "img-src 'self' data: blob:" + domain, diff --git a/lib/env.js b/lib/env.js index ad5aff081..4ead99b06 100644 --- a/lib/env.js +++ b/lib/env.js @@ -73,6 +73,7 @@ module.exports.create = function (config) { fileHost: config.fileHost || undefined, NO_SANDBOX: NO_SANDBOX, httpSafePort: httpSafePort, + accounts_api: config.accounts_api || undefined, // XXX shouldUpdateNode: !isRecentVersion(), diff --git a/www/checkup/main.js b/www/checkup/main.js index ceede953c..4632dfd9a 100644 --- a/www/checkup/main.js +++ b/www/checkup/main.js @@ -75,6 +75,7 @@ define([ var trimmedSafe = trimSlashes(ApiConfig.httpSafeOrigin); var trimmedUnsafe = trimSlashes(ApiConfig.httpUnsafeOrigin); var fileHost = ApiConfig.fileHost; + var accounts_api = ApiConfig.accounts_api || AppConfig.accounts_api || undefined; var getAPIPlaceholderPath = function (relative) { var absolute; @@ -986,7 +987,7 @@ define([ API_URL.origin, isHTTPS(fileHost)? fileHost: undefined, // support for cryptpad.fr configuration - AppConfig.accounts_api, + accounts_api, ![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined, ], 
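Review bot: The added `var accounts_api = Env.accounts_api? ' ' + Env.accounts_api: '';` splices an operator-supplied string into the `connect-src` directive with no shape check, so a value containing whitespace or `;` would silently introduce or split CSP directives, and a plain `http://` origin would be whitelisted next to the `wss:` sources on a TLS deployment. The risk is low because the value comes from server config rather than a request, but the header is the one place a typo becomes a policy, so I would reject anything that is not a single scheme-qualified source expression before it reaches the join, e.g. `var accounts_api = /^https?:\/\/[^\s;,]+$/.test(Env.accounts_api)? ' ' + Env.accounts_api: '';`, and log the rejection so the misconfiguration is not silent. Whether a path suffix should be allowed (CSP does path-match for `connect-src`) depends on how the accounts API is addressed, which is not visible here. `Default.commonCSP` starts before and ends after this hunk.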
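Review bot: The `// XXX` marker adjacent to the added `accounts_api: config.accounts_api || undefined,` gives no indication of what is unresolved; if it is a trailing comment on the new line rather than the start of the next context line, it should say what is pending (validation, documentation of the key, or removal of the AppConfig fallback). If `config.example.js` is not updated elsewhere in this commit, the new key is also undocumented for operators, and a one-line comment such as `// optional origin of a separately hosted accounts API; appended to connect-src in lib/defaults.js` at this line would at least anchor it. The enclosing object literal in `module.exports.create` starts and ends outside the hunk.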
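Review bot: The new local `var accounts_api = ApiConfig.accounts_api || AppConfig.accounts_api || undefined;` introduces a snake_case name among camelCase neighbours (`trimmedSafe`, `trimmedUnsafe`, `fileHost`); naming it `accountsApi` and keeping snake_case only for the config keys it reads would match the file. Note also that the server-side CSP in `lib/defaults.js` consumes only `Env.accounts_api`, so a value that exists solely in `AppConfig.accounts_api` (the fallback here) yields an expected `connect-src` the server will never emit; this looks intentional for the legacy cryptpad.fr setup the nearby comment mentions, but it deserves a comment on this line, e.g. `// server CSP honours only config.accounts_api; the AppConfig fallback keeps legacy (cryptpad.fr) setups reporting correctly`. The enclosing `define([...])` body starts before and ends after this hunk.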
@@ -1025,7 +1026,7 @@ define([ $sandbox, API_URL.origin, isHTTPS(fileHost)? fileHost: undefined, - AppConfig.accounts_api, + accounts_api, ![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined, ], 'img-src': ["'self'", 'data:', 'blob:', $outer],
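Review bot: The trailing four entries of this expected `connect-src` list (`API_URL.origin`, the `isHTTPS(fileHost)` ternary, `accounts_api`, and the `ACCOUNTS_URL` ternary) are now byte-identical to the list in the hunk at 986/987, and this commit had to touch both copies for one config change; a third copy will drift. Hoisting the shared tail into one array computed next to the new `accounts_api` local and appending it with `.concat` (the file is ES5-style, so no spread) keeps the two checks in step. I cannot see the entries before `$sandbox,` in this list, so the fence stands in for them with a comment; the enclosing object literal starts before and ends after the hunk.
```javascript
// Shared tail of every expected connect-src list: one definition, so a new
// origin (e.g. accounts_api) is added in exactly one place.
var commonConnectSrc = [
    API_URL.origin,
    isHTTPS(fileHost)? fileHost: undefined,
    // support for cryptpad.fr configuration
    accounts_api,
    ![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined,
];
// … unchanged: other expected directives …
'connect-src': [
    // … unchanged: leading entries …
    $sandbox,
].concat(commonConnectSrc),
```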