check COOP headers for multiple endpoints

and improve some error reporting in the checkup RPC
2021-07-01 16:42:09 +05:30 · 2021-07-01 16:42:09 +05:30 · 3b44c09bc4
parent 899eef1ee8
commit 3b44c09bc4
4 changed files with 41 additions and 5 deletions
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@ -64,7 +64,7 @@ server {
    add_header Permissions-Policy interest-cohort=();

    set $coop '';
-    if ($uri ~ ^\/(sheet|presentation|doc)\/.*$) { set $coop 'same-origin'; }
+    if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }

    # Enable SharedArrayBuffer in Firefox (for .xlsx export)
    add_header Cross-Origin-Resource-Policy cross-origin;
--- a/server.js
+++ b/server.js
@ -90,7 +90,7 @@ var setHeaders = (function () {
        return function (req, res) {
            // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
            applyHeaderMap(res, {
-                "Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
+                "Cross-Origin-Opener-Policy": /^\/(sheet|presentation|doc|convert)\//.test(req.url)? 'same-origin': '',
            });

            if (Env.NO_SANDBOX) { // handles correct configuration for local development
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@ -732,6 +732,36 @@ define([
        cb(isHTTPS(trimmedUnsafe) && isHTTPS(trimmedSafe));
    });

+
+    [
+        'sheet',
+        'presentation',
+        'doc',
+        'convert',
+    ].forEach(function (url) {
+        assert(function (cb, msg) {
+            var header = 'cross-origin-opener-policy';
+            var expected = 'same-origin';
+            deferredPostMessage({
+                command: 'GET_HEADER',
+                content: {
+                    url: '/' + url + '/',
+                    header: header,
+                }
+            }, function (content) {
+                msg.appendChild(h('span', [
+                    code(url),
+                    ' was served without the correct ',
+                    code(header),
+                    ' HTTP header value (',
+                    code(expected),
+                    '). This will interfere with your ability to convert between office file formats.'
+                ]));
+                cb(content === expected);
+            });
+        });
+    });
+
 /*
    assert(function (cb, msg) {
        setWarningClass(msg);
--- a/www/checkup/sandbox/main.js
+++ b/www/checkup/sandbox/main.js
@ -27,12 +27,14 @@ define([
    };

    window.addEventListener("message", function (event) {
+        var txid, command;
        if (event && event.data) {
            try {
                //console.log(JSON.parse(event.data));
                var msg = JSON.parse(event.data);
-                var command = msg.command;
-                var txid = msg.txid;
+                command = msg.command;
+                txid = msg.txid;
+                if (!txid) { return; }
                COMMANDS[command](msg.content, function (response) {
                    // postMessage with same txid
                    postMessage({
@ -41,7 +43,11 @@ define([
                    });
                });
            } catch (err) {
-                console.error(err);
+                postMessage({
+                    txid: txid,
+                    content: err,
+                });
+                console.error(err, command);
            }
        } else {
            console.error(event);