update recommended settings for embedding to permit element desktop

pull/1/head
ansuz 3 years ago
parent 841884c631
commit 404b89eb28

@ -125,8 +125,12 @@ server {
# script-src specifies valid sources for javascript, including inline handlers
set $scriptSrc "'self' resource: https://${main_domain}";
# XXX frame-ancestors defines where your cryptpad instance can be embedded...
set $frameAncestors "https://${main_domain} $https://${sandbox_domain}";
# frame-ancestors specifies which origins can embed your CryptPad instance
# this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
# if you have enabled remote embedding via the admin panel then this must be more permissive.
# note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
set $frameAncestors "'self' https://${main_domain}";
# set $frameAncestors "'self' https: vector:";
set $unsafe 0;
# the following assets are loaded via the sandbox domain

@ -32,7 +32,7 @@ Default.commonCSP = function (Env) {
"media-src blob:",
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
Env.enableEmbedding? `frame-ancestors 'self' ${Env.protocol}`: `frame-ancestors ${domain}${sandbox}`,
Env.enableEmbedding? `frame-ancestors 'self' ${Env.protocol} vector:`: `frame-ancestors 'self' ${domain}`,
"worker-src 'self'",
""
];

@ -990,7 +990,7 @@ define([
'img-src': ["'self'", 'data:', 'blob:', $outer],
'media-src': ['blob:'],
'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol, 'vector:']: ["'self'", $outer],
'worker-src': ["'self'"],
});
cb(result);
@ -1028,7 +1028,7 @@ define([
],
'img-src': ["'self'", 'data:', 'blob:', $outer],
'media-src': ['blob:'],
'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol, 'vector:']: ["'self'", $outer],
'worker-src': ["'self'"],//, $outer, $sandbox],
});

Loading…
Cancel
Save