Use resources from the original origin in pad2

pull/1/head
Caleb James DeLisle 7 years ago
parent 4089803785
commit 4b70fc9f49

@ -2,6 +2,7 @@
/*
globals module
*/
var domain = ' http://localhost:3000/';
module.exports = {
// the address you want to bind to, :: means all ipv4 and ipv6 addresses
@ -23,9 +24,9 @@ module.exports = {
contentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'",
"script-src 'self'",
"font-src 'self' data:",
"style-src 'unsafe-inline' 'self' " + domain,
"script-src 'self'" + domain,
"font-src 'self' data:" + domain,
/* child-src is used to restrict iframes to a set of allowed domains.
* connect-src is used to restrict what domains can connect to the websocket.
@ -33,7 +34,7 @@ module.exports = {
* it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance.
*/
"child-src 'self' blob: *",
"child-src blob: *",
"media-src * blob:",
@ -41,10 +42,10 @@ module.exports = {
if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain
*/
"connect-src 'self' ws: wss: blob:",
"connect-src 'self' ws: wss: blob:" + domain,
// data: is used by codemirror
"img-src 'self' data: blob:",
"img-src 'self' data: blob:" + domain,
// for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox
"frame-ancestors *",
@ -53,18 +54,18 @@ module.exports = {
// CKEditor requires significantly more lax content security policy in order to function.
padContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'",
"font-src 'self'",
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be
* configured for best effect.
*/
"child-src 'self' *",
"child-src *",
// see the comment above in the 'contentSecurity' section
"connect-src 'self' ws: wss:",
"connect-src 'self' ws: wss:" + domain,
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
"img-src * blob:",

@ -1,6 +1,16 @@
// Stage 0, this gets cached which means we can't change it. boot2-sframe.js is changable.
// Note that this file is meant to be executed only inside of a sandbox iframe.
;(function () {
var req = JSON.parse(decodeURIComponent(window.location.hash.substring(1)));
if (req.cfg) { require.config(req.cfg); }
if (req.pfx) {
require.config({
onNodeCreated: function (node, config, module, path) {
node.setAttribute('src', req.pfx + node.getAttribute('src'));
}
});
}
if (req.req) { require(req.req, function () { }); }
window.addEventListener('message', function (msg) {
var data = JSON.parse(msg.data);
if (data.q !== 'INIT') { return; }
@ -8,7 +18,4 @@ window.addEventListener('message', function (msg) {
if (data.content && data.content.requireConf) { require.config(data.content.requireConf); }
require(['/common/sframe-boot2.js'], function () { });
});
var req = JSON.parse(decodeURIComponent(window.location.hash.substring(1)));
if (req.cfg) { require.config(req.cfg); }
if (req.req) { require(req.req, function () { }); }
}());

@ -8,6 +8,7 @@ define([
var req = {
cfg: RequireConfig,
req: [ '/common/loading.js' ],
pfx: window.location.origin
};
$('#sbox-iframe').attr('src',
ApiConfig.httpSafeOrigin + '/pad2/inner.html?' + ApiConfig.requireConf.urlArgs +

Loading…
Cancel
Save