let NGINX handle its own headers

docs/example.nginx.conf

@@ -167,6 +167,13 @@ server {
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # These settings prevent both NGINX and the API server
+        # from setting the same headers and creating duplicates
+        proxy_hide_header Cross-Origin-Resource-Policy;
+        add_header Cross-Origin-Resource-Policy cross-origin;
+        proxy_hide_header Cross-Origin-Embedder-Policy;
+        add_header Cross-Origin-Embedder-Policy require-corp;
     }
 
     # encrypted blobs are immutable and are thus cached for a year

server.js

@@ -108,28 +108,21 @@ var setHeaders = (function () {
             // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
             applyHeaderMap(res, {
                 "Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
-                "Cross-Origin-Embedder-Policy": 'require-corp',
             });
 
             if (Env.NO_SANDBOX) { // handles correct configuration for local development
             // https://stackoverflow.com/questions/11531121/add-duplicate-http-response-headers-in-nodejs
                 applyHeaderMap(res, {
                     "Cross-Origin-Resource-Policy": 'cross-origin',
+                    "Cross-Origin-Embedder-Policy": 'require-corp',
                 });
             }
 
-            // Don't set CSP headers on /api/config because they aren't necessary and they cause problems
+            // Don't set CSP headers on /api/ endpoints
+            // because they aren't necessary and they cause problems
             // when duplicated by NGINX in production environments
-            if (/^\/api\/(broadcast|config)/.test(req.url)) {
-                /*
-                if (Env.NO_SANDBOX) {
-                    applyHeaderMap(res, {
-                        "Cross-Origin-Resource-Policy": 'cross-origin',
-                    });
-                }
-                */
-                return;
-            }
+            if (/^\/api\/(broadcast|config)/.test(req.url)) { return; }
+
             applyHeaderMap(res, {
                 "Cross-Origin-Resource-Policy": 'cross-origin',
             });

www/checkup/app-checkup.less

@@ -20,7 +20,7 @@ html, body {
     }
 
     .pending {
-        border: 1px solid white;
+        border: 1px solid @cryptpad_text_col;
         .fa {
             margin-right: 20px;
         }
@@ -45,7 +45,7 @@ html, body {
     table {
         td {
             padding: 5px;
-            border: 1px solid white;
+            border: 1px solid @cryptpad_text_col;
         }
     }
 

www/checkup/main.js

@@ -237,7 +237,7 @@ define([
         var blockUrl = Login.Block.getBlockUrl(opt.blockKeys);
         var blockRequest = Login.Block.serialize("{}", opt.blockKeys);
         var removeRequest = Login.Block.remove(opt.blockKeys);
-        console.log('Test block URL:', blockUrl);
+        console.warn('Testing block URL (%s). One 404 is normal.', blockUrl);
 
         var userHash = '/2/drive/edit/000000000000000000000000';
         var secret = Hash.getSecrets('drive', userHash);
@@ -375,7 +375,7 @@ define([
     });
 
     assert(function (cb, msg) {
-        msg = msg;
+        msg.innerText = "This test is incorrect.";
         return void cb(true);
         /*
         msg.appendChild(h('span', [
@@ -419,7 +419,6 @@ define([
         $.ajax('/api/broadcast', {
             dataType: 'text',
             complete: function (xhr) {
-                console.log(xhr);
                 cb(xhr.status === 200);
             },
         });
@@ -445,6 +444,7 @@ define([
 
                 var expect = {
                     'cross-origin-resource-policy': 'cross-origin',
+                    'cross-origin-embedder-policy': 'require-corp',
                 };
                 var incorrect = Object.keys(expect).some(function (k) {
                     var response = xhr.getResponseHeader(k);