From 404b89eb28534c81004add18098ae300229b1f3d Mon Sep 17 00:00:00 2001 From: ansuz Date: Mon, 4 Apr 2022 12:31:40 +0530 Subject: [PATCH] update recommended settings for embedding to permit element desktop --- docs/example.nginx.conf | 8 ++++++-- lib/defaults.js | 2 +- www/checkup/main.js | 4 ++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf index 6124b117a..f5c0e1643 100644 --- a/docs/example.nginx.conf +++ b/docs/example.nginx.conf @@ -125,8 +125,12 @@ server { # script-src specifies valid sources for javascript, including inline handlers set $scriptSrc "'self' resource: https://${main_domain}"; - # XXX frame-ancestors defines where your cryptpad instance can be embedded... - set $frameAncestors "https://${main_domain} $https://${sandbox_domain}"; + # frame-ancestors specifies which origins can embed your CryptPad instance + # this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work + # if you have enabled remote embedding via the admin panel then this must be more permissive. + # note: cryptpad.fr permits web pages served via https: and vector: (element desktop app) + set $frameAncestors "'self' https://${main_domain}"; + # set $frameAncestors "'self' https: vector:"; set $unsafe 0; # the following assets are loaded via the sandbox domain diff --git a/lib/defaults.js b/lib/defaults.js index a3d5acfe3..524ef0720 100644 --- a/lib/defaults.js +++ b/lib/defaults.js @@ -32,7 +32,7 @@ Default.commonCSP = function (Env) { "media-src blob:", // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox - Env.enableEmbedding? `frame-ancestors 'self' ${Env.protocol}`: `frame-ancestors ${domain}${sandbox}`, + Env.enableEmbedding? `frame-ancestors 'self' ${Env.protocol} vector:`: `frame-ancestors 'self' ${domain}`, "worker-src 'self'", "" ]; diff --git a/www/checkup/main.js b/www/checkup/main.js index 2b8caf7d7..01192cfce 100644 --- a/www/checkup/main.js +++ b/www/checkup/main.js @@ -990,7 +990,7 @@ define([ 'img-src': ["'self'", 'data:', 'blob:', $outer], 'media-src': ['blob:'], - 'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox], + 'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol, 'vector:']: ["'self'", $outer], 'worker-src': ["'self'"], }); cb(result); @@ -1028,7 +1028,7 @@ define([ ], 'img-src': ["'self'", 'data:', 'blob:', $outer], 'media-src': ['blob:'], - 'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox], + 'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol, 'vector:']: ["'self'", $outer], 'worker-src': ["'self'"],//, $outer, $sandbox], });