Merge branch 'sandbox-frame' of https://github.com/cjdelisle/cryptpad into csp
ansuz
commit
40bac1df55
44
server.js
44
server.js
|
|
@ -10,12 +10,45 @@ var NetfluxSrv = require('./NetfluxWebsocketSrv');
|
|||
var WebRTCSrv = require('./WebRTCSrv');
|
||||
|
||||
var config = require('./config');
|
||||
config.websocketPort = config.websocketPort || config.httpPort;
|
||||
var websocketPort = config.websocketPort || config.httpPort;
|
||||
|
||||
// support multiple storage back ends
|
||||
var Storage = require(config.storage||'./storage/mongo');
|
||||
var Storage = require(config.storage||'./storage/file');
|
||||
|
||||
var app = Express();
|
||||
|
||||
var httpsOpts;
|
||||
|
||||
app.use(function (req, res, next) {
|
||||
var host = req.headers.host;
|
||||
if (config.websocketPort) {
|
||||
host = host.replace(/\:[0-9]+/, ':' + config.websocketPort);
|
||||
}
|
||||
var proto = httpsOpts ? 'wss://' : 'ws://';
|
||||
res.setHeader('Content-Security-Policy', [
|
||||
"default-src 'none'",
|
||||
"style-src 'unsafe-inline' 'self'",
|
||||
|
||||
// No way to load ckeditor without unsafe-eval and unsafe-inline
|
||||
// https://dev.ckeditor.com/ticket/8584
|
||||
"script-src 'self' 'unsafe-eval' 'unsafe-inline'",
|
||||
|
||||
"connect-src 'self' " + proto + host,
|
||||
"child-src 'self'",
|
||||
"font-src 'self'",
|
||||
|
||||
// data: is used by codemirror, (insecure remote) images are included by people making
|
||||
// documents in ckeditor.
|
||||
"img-src data: *"
|
||||
].join('; '));
|
||||
|
||||
res.setHeader('X-XSS-Protection', '1; mode=block');
|
||||
res.setHeader('X-Content-Type-Options', 'nosniff');
|
||||
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
|
||||
|
||||
next();
|
||||
});
|
||||
|
||||
app.use(Express.static(__dirname + '/www'));
|
||||
|
||||
Fs.exists(__dirname + "/customize", function (e) {
|
||||
|
|
@ -28,7 +61,6 @@ app.use("/customize", Express.static(__dirname + '/customize.dist'));
|
|||
app.use(/^\/[^\/]*$/, Express.static('customize'));
|
||||
app.use(/^\/[^\/]*$/, Express.static('customize.dist'));
|
||||
|
||||
var httpsOpts;
|
||||
if (config.privKeyAndCertFiles) {
|
||||
var privKeyAndCerts = '';
|
||||
config.privKeyAndCertFiles.forEach(function (file) {
|
||||
|
|
@ -58,7 +90,7 @@ app.get('/api/config', function(req, res){
|
|||
res.send('define(' + JSON.stringify({
|
||||
websocketPath: config.websocketPath,
|
||||
websocketURL:'ws' + ((httpsOpts) ? 's' : '') + '://' + host + ':' +
|
||||
config.websocketPort + '/cryptpad_websocket',
|
||||
websocketPort + '/cryptpad_websocket',
|
||||
}) + ');');
|
||||
});
|
||||
|
||||
|
|
@ -69,9 +101,9 @@ httpServer.listen(config.httpPort,config.httpAddress,function(){
|
|||
});
|
||||
|
||||
var wsConfig = { server: httpServer };
|
||||
if (config.websocketPort !== config.httpPort) {
|
||||
if (websocketPort !== config.httpPort) {
|
||||
console.log("setting up a new websocket server");
|
||||
wsConfig = { port: config.websocketPort};
|
||||
wsConfig = { port: websocketPort};
|
||||
}
|
||||
var wsSrv = new WebSocketServer(wsConfig);
|
||||
Storage.create(config, function (store) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue