diff --git a/config.example.js b/config.example.js
index 6287d57fd..1b28a5e89 100644
--- a/config.example.js
+++ b/config.example.js
@@ -2,6 +2,7 @@
 /* globals module */
+var domain = ' http://localhost:3000/';
 module.exports = {
 // the address you want to bind to, :: means all ipv4 and ipv6 addresses
@@ -23,9 +24,9 @@ module.exports = {
 contentSecurity: [
 "default-src 'none'",
- "style-src 'unsafe-inline' 'self'",
- "script-src 'self'",
- "font-src 'self' data:",
+ "style-src 'unsafe-inline' 'self' " + domain,
+ "script-src 'self'" + domain,
+ "font-src 'self' data:" + domain,
 /* child-src is used to restrict iframes to a set of allowed domains.
 * connect-src is used to restrict what domains can connect to the websocket.
@@ -33,7 +34,7 @@ module.exports = {
 * it is recommended that you configure these fields to match the
 * domain which will serve your CryptPad instance.
 */
- "child-src 'self' blob: *",
+ "child-src blob: *",
 "media-src * blob:",
@@ -41,10 +42,10 @@ module.exports = {
 if you are deploying to production, you'll probably want to remove the ws://* directive, and change '*' to your domain
 */
- "connect-src 'self' ws: wss: blob:",
+ "connect-src 'self' ws: wss: blob:" + domain,
 // data: is used by codemirror
- "img-src 'self' data: blob:",
+ "img-src 'self' data: blob:" + domain,
 // for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox
 "frame-ancestors *",
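Review bot: The leading space in `var domain = ' http://localhost:3000/';` is load-bearing: later directives such as `"script-src 'self'" + domain` concatenate with no separator of their own, so a value written as a normal origin would produce `'self'http://…`, a token browsers discard as an unparseable source expression, while `"style-src 'unsafe-inline' 'self' " + domain` already carries its own space and so hides the problem. Store a bare origin and put the separator in each directive instead, i.e. `var domain = 'http://localhost:3000';` and `"script-src 'self' " + domain`. Because this is the template admins copy, the line also needs a comment stating what the value has to be, e.g. `// origin the sandbox iframe fetches scripts from (the outer page's window.location.origin, see pad2/outer.js); localhost is for development only`.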
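Review bot: Dropping `'self'` from `"child-src blob: *"` changes nothing, because `*` already matches every http(s) source including the page's own origin, so the only effect is that a reader now believes same-origin frames are refused when they are not. If the intent is to pin the sandbox iframe to the two origins this commit introduces, the directive should name them in place of `*` — along the lines of `"child-src blob: " + domain` plus the sandbox origin — which would also make the example follow the comment directly above it that tells admins to restrict this to their domain. The identical `child-src *` edit in `padContentSecurity` below would take the same treatment.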
@@ -53,18 +54,18 @@ module.exports = {
 // CKEditor requires significantly more lax content security policy in order to function.
 padContentSecurity: [
 "default-src 'none'",
- "style-src 'unsafe-inline' 'self'",
+ "style-src 'unsafe-inline' 'self'" + domain,
 // Unsafe inline, unsafe-eval are needed for ckeditor :(
- "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
- "font-src 'self'",
+ "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
+ "font-src 'self'" + domain,
 /* See above under 'contentSecurity' as to how these values should be
 * configured for best effect.
 */
- "child-src 'self' *",
+ "child-src *",
 // see the comment above in the 'contentSecurity' section
- "connect-src 'self' ws: wss:",
+ "connect-src 'self' ws: wss:" + domain,
 // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
 "img-src * blob:",
diff --git a/www/common/sframe-boot.js b/www/common/sframe-boot.js
index e0182beaf..5206b3e68 100644
--- a/www/common/sframe-boot.js
+++ b/www/common/sframe-boot.js
@@ -1,6 +1,16 @@
 // Stage 0, this gets cached which means we can't change it. boot2-sframe.js is changable.
 // Note that this file is meant to be executed only inside of a sandbox iframe.
 ;(function () {
+var req = JSON.parse(decodeURIComponent(window.location.hash.substring(1)));
+if (req.cfg) { require.config(req.cfg); }
+if (req.pfx) {
+ require.config({
+ onNodeCreated: function (node, config, module, path) {
+ node.setAttribute('src', req.pfx + node.getAttribute('src'));
+ }
+ });
+}
+if (req.req) { require(req.req, function () { }); }
 window.addEventListener('message', function (msg) {
 var data = JSON.parse(msg.data);
 if (data.q !== 'INIT') { return; }
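Review bot: The new `onNodeCreated` hook rewrites the `src` of every script require.js creates to `req.pfx + src`, and `req.pfx` is read straight from `window.location.hash`, which any link to `inner.html` on the sandbox origin can set; a crafted fragment therefore chooses the origin this page executes code from, and the only remaining control is the sandbox page's `script-src`, which the config change in this same commit widens to `'self'` plus a configured `domain`. `req.cfg` and `req.req` are only moved here, but they share that provenance (`paths`/`baseUrl` in `cfg` reach the same effect), so the file should state it: `// req comes from the URL fragment and is attacker-controllable; the sandbox origin's CSP script-src is what bounds what can load here`. At minimum `pfx` should be required to be a bare http(s) origin with no path, query or fragment, and the hook should leave a `src` that is already absolute alone, since the current code would turn it into `https://outerhttps://…` should a `paths` entry ever point off-origin. The IIFE this code runs in continues past the hunk.
```javascript
if (req.pfx) {
    // pfx comes from the URL fragment, which any link to this page controls:
    // accept only a bare http(s) origin and never rewrite an already-absolute src.
    if (!/^https?:\/\/[^\/?#\s]+$/.test(req.pfx)) { throw new Error('invalid pfx'); }
    require.config({
        onNodeCreated: function (node) {
            var src = node.getAttribute('src');
            if (src && !/^([a-z][a-z0-9+.-]*:|\/\/)/i.test(src)) {
                node.setAttribute('src', req.pfx + src);
            }
        }
    });
}
// … unchanged: req.req and the INIT message listener …
```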
@@ -8,7 +18,4 @@ window.addEventListener('message', function (msg) {
 if (data.content && data.content.requireConf) { require.config(data.content.requireConf); }
 require(['/common/sframe-boot2.js'], function () { });
 });
-var req = JSON.parse(decodeURIComponent(window.location.hash.substring(1)));
-if (req.cfg) { require.config(req.cfg); }
-if (req.req) { require(req.req, function () { }); }
 }());
\ No newline at end of file
diff --git a/www/pad2/outer.js b/www/pad2/outer.js
index a32e4de12..d32ca2624 100644
--- a/www/pad2/outer.js
+++ b/www/pad2/outer.js
@@ -8,6 +8,7 @@ define([
 var req = {
 cfg: RequireConfig,
 req: [ '/common/loading.js' ],
+ pfx: window.location.origin
 };
 $('#sbox-iframe').attr('src', ApiConfig.httpSafeOrigin + '/pad2/inner.html?' + ApiConfig.requireConf.urlArgs +
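Review bot: `pfx: window.location.origin` hands the sandbox the outer page's origin, but the CSP that must admit scripts from that origin is built in `config.example.js` from a separately hard-coded `domain` string, and nothing ties the two together: an install whose outer origin differs from `domain` has every prefixed script blocked by `script-src`, and the obvious workaround of widening `domain` widens the sandbox's `script-src` with it. Deriving both from the one configured value already reaching this file through `ApiConfig` (which supplies `httpSafeOrigin` on the next line) would keep them in lockstep; whether that object carries the outer origin today is not visible here. `window.location.origin` is also `"null"` for an opaque origin and missing in older engines, which a one-line fallback covers: `pfx: window.location.origin || (window.location.protocol + '//' + window.location.host)`. The `$('#sbox-iframe').attr(...)` statement continues past the hunk.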