From 3b05d24f107aee0cabd20344c7f7f36a4c24832c Mon Sep 17 00:00:00 2001
From: ansuz
Date: Thu, 2 Apr 2020 17:46:29 -0400
Subject: [PATCH] wip csp issue
---
 server.js | 13 ++++++++-----
 www/common/sframe-app-outer.js | 4 ++++
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/server.js b/server.js
index 9b82d7c3c..7ae779d13 100644
--- a/server.js
+++ b/server.js
@@ -42,7 +42,7 @@ if (process.env.PACKAGE) {
 throw new Error("No 'httpUnsafeOrigin' provided");
 }
- config.httpUnsafeOrigin = config.httpUnsafeOrigin.trim();
+ config.httpUnsafeOrigin = config.httpUnsafeOrigin.trim().replace(/\/$/, '');
 // fall back to listening on a local address
 // if httpAddress is not a string
@@ -125,12 +125,15 @@ var setHeaders = (function () {
 if (Object.keys(headers).length) {
 return function (req, res) {
 const h = [
- /^\/pad\/inner\.html.*/,
+ /^\/+pad\/inner\.html.*/,
 /^\/common\/onlyoffice\/.*\/index\.html.*/,
- /^\/(sheet|ooslide|oodoc)\/inner\.html.*/,
+ /^\/+(sheet|ooslide|oodoc)\/in.*\.html.*/,
 ].some((regex) => {
- return regex.test(req.url)
- }) ? padHeaders : headers;
+ if (regex.test('' + req.url)) {
+ console.log('CSP MATCH: [%s] <= [%s]', regex, req.url);
+ return true;
+ }
+ }) ? padHeaders: headers;
 for (let header in h) { res.setHeader(header, h[header]); }
 };
 }
diff --git a/www/common/sframe-app-outer.js b/www/common/sframe-app-outer.js
index d85266ca7..2d5948fd8 100644
--- a/www/common/sframe-app-outer.js
+++ b/www/common/sframe-app-outer.js
@@ -31,6 +31,10 @@ define([
 ApiConfig.httpSafeOrigin + window.location.pathname + 'inner.html?' + requireConfig.urlArgs + '#' + encodeURIComponent(JSON.stringify(req)));
+ console.log(ApiConfig.httpSafeOrigin);
+
+ console.error(document.getElementById('sbox-iframe').getAttribute('src'));
+
 // This is a cheap trick to avoid loading sframe-channel in parallel with the
 // loading screen setup.
 var done = waitFor();
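Review bot: In the first server.js hunk, `.replace(/\/$/, '')` removes only a single trailing slash, so a configured value with two trailing slashes or a path component (constructed example: `https://example.com//`) still passes through unnormalized. If this value is later used to build headers or compare origins (that code is not visible in this hunk), parsing is more robust than trimming: `config.httpUnsafeOrigin = new URL(config.httpUnsafeOrigin.trim()).origin;` drops any path and fails at startup on a malformed value. The surrounding startup block starts and ends outside the hunk.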
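Review bot: The rewritten third pattern in the second server.js hunk, `/^\/+(sheet|ooslide|oodoc)\/in.*\.html.*/`, no longer pins the file name. Because `.*` also matches `/`, any URL under those three prefixes that starts with `in` and contains `.html` anywhere later now receives `padHeaders` instead of `headers`. If `padHeaders` carries the more permissive policy (its definition is outside this hunk), this widens where the relaxed CSP applies; keeping the match within one path segment, e.g. `/^\/+(sheet|ooslide|oodoc)\/in[^\/]*\.html.*/`, or restoring `inner\.html`, avoids that. The added `console.log('CSP MATCH: ...')` runs on every matching request and writes the client-supplied `req.url` to the server log, so it should be removed or gated behind a debug setting before this leaves WIP. The enclosing `setHeaders` closure starts and ends outside the hunk.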
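Review bot: The added `console.error(document.getElementById('sbox-iframe').getAttribute('src'))` in sframe-app-outer.js prints the full iframe URL at error level in every visitor's console, including the `#` fragment built from `JSON.stringify(req)` in the lines just above. Both logging lines look like debugging aids for this WIP and should be removed before merge; if one is kept, log only `ApiConfig.httpSafeOrigin`. The call also throws a TypeError when `#sbox-iframe` is not in the document, which would stop the code that follows it. The enclosing function starts and ends outside the hunk.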