let NGINX handle its own headers
parent
6eaee92ac3
commit
32494fca0c
|
@ -167,6 +167,13 @@ server {
|
|||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
# These settings prevent both NGINX and the API server
|
||||
# from setting the same headers and creating duplicates
|
||||
proxy_hide_header Cross-Origin-Resource-Policy;
|
||||
add_header Cross-Origin-Resource-Policy cross-origin;
|
||||
proxy_hide_header Cross-Origin-Embedder-Policy;
|
||||
add_header Cross-Origin-Embedder-Policy require-corp;
|
||||
}
|
||||
|
||||
# encrypted blobs are immutable and are thus cached for a year
|
||||
|
|
17
server.js
17
server.js
|
@ -108,28 +108,21 @@ var setHeaders = (function () {
|
|||
// apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
|
||||
applyHeaderMap(res, {
|
||||
"Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
|
||||
"Cross-Origin-Embedder-Policy": 'require-corp',
|
||||
});
|
||||
|
||||
if (Env.NO_SANDBOX) { // handles correct configuration for local development
|
||||
// https://stackoverflow.com/questions/11531121/add-duplicate-http-response-headers-in-nodejs
|
||||
applyHeaderMap(res, {
|
||||
"Cross-Origin-Resource-Policy": 'cross-origin',
|
||||
"Cross-Origin-Embedder-Policy": 'require-corp',
|
||||
});
|
||||
}
|
||||
|
||||
// Don't set CSP headers on /api/config because they aren't necessary and they cause problems
|
||||
// Don't set CSP headers on /api/ endpoints
|
||||
// because they aren't necessary and they cause problems
|
||||
// when duplicated by NGINX in production environments
|
||||
if (/^\/api\/(broadcast|config)/.test(req.url)) {
|
||||
/*
|
||||
if (Env.NO_SANDBOX) {
|
||||
applyHeaderMap(res, {
|
||||
"Cross-Origin-Resource-Policy": 'cross-origin',
|
||||
});
|
||||
}
|
||||
*/
|
||||
return;
|
||||
}
|
||||
if (/^\/api\/(broadcast|config)/.test(req.url)) { return; }
|
||||
|
||||
applyHeaderMap(res, {
|
||||
"Cross-Origin-Resource-Policy": 'cross-origin',
|
||||
});
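Review bot: The `/^\/api\/(broadcast|config)/` guard kept on the new single-line `if (...) { return; }` still sits after the first `applyHeaderMap` call, which has already set Cross-Origin-Embedder-Policy, but before the last call that sets Cross-Origin-Resource-Policy, so when the Node server is reached without the NGINX layer (and `Env.NO_SANDBOX` is unset) those two endpoints answer with COEP but no CORP — the test hunk at `@ -445` appears to expect both headers on the `/api/broadcast` response, which presumably only holds behind the new `proxy_hide_header`/`add_header` config. If NGINX is meant to own these headers for the API endpoints, moving the guard to the top of this block, ahead of the first `applyHeaderMap`, gives the same behaviour in every deployment: `if (/^\/api\/(broadcast|config)/.test(req.url)) { return; }`. The rewritten comment says "CSP headers" while the call it skips sets Cross-Origin-Resource-Policy; `// Leave cross-origin (CORP) headers on /api/broadcast and /api/config to NGINX in production, where duplicates cause problems` would describe it. The `Env.NO_SANDBOX` block also re-applies `Cross-Origin-Embedder-Policy` already set a few lines above, which is redundant if `applyHeaderMap` overwrites rather than appends. The enclosing `setHeaders` function continues past the end of this hunk.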
|
||||
|
|
|
@ -20,7 +20,7 @@ html, body {
|
|||
}
|
||||
|
||||
.pending {
|
||||
border: 1px solid white;
|
||||
border: 1px solid @cryptpad_text_col;
|
||||
.fa {
|
||||
margin-right: 20px;
|
||||
}
|
||||
|
@ -45,7 +45,7 @@ html, body {
|
|||
table {
|
||||
td {
|
||||
padding: 5px;
|
||||
border: 1px solid white;
|
||||
border: 1px solid @cryptpad_text_col;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -237,7 +237,7 @@ define([
|
|||
var blockUrl = Login.Block.getBlockUrl(opt.blockKeys);
|
||||
var blockRequest = Login.Block.serialize("{}", opt.blockKeys);
|
||||
var removeRequest = Login.Block.remove(opt.blockKeys);
|
||||
console.log('Test block URL:', blockUrl);
|
||||
console.warn('Testing block URL (%s). One 404 is normal.', blockUrl);
|
||||
|
||||
var userHash = '/2/drive/edit/000000000000000000000000';
|
||||
var secret = Hash.getSecrets('drive', userHash);
|
||||
|
@ -375,7 +375,7 @@ define([
|
|||
});
|
||||
|
||||
assert(function (cb, msg) {
|
||||
msg = msg;
|
||||
msg.innerText = "This test is incorrect.";
|
||||
return void cb(true);
|
||||
/*
|
||||
msg.appendChild(h('span', [
|
||||
|
@ -419,7 +419,6 @@ define([
|
|||
$.ajax('/api/broadcast', {
|
||||
dataType: 'text',
|
||||
complete: function (xhr) {
|
||||
console.log(xhr);
|
||||
cb(xhr.status === 200);
|
||||
},
|
||||
});
|
||||
|
@ -445,6 +444,7 @@ define([
|
|||
|
||||
var expect = {
|
||||
'cross-origin-resource-policy': 'cross-origin',
|
||||
'cross-origin-embedder-policy': 'require-corp',
|
||||
};
|
||||
var incorrect = Object.keys(expect).some(function (k) {
|
||||
var response = xhr.getResponseHeader(k);
|
||||
|
|