diff --git a/bower.json b/bower.json
index 5704b3aec..a6fc85b41 100644
--- a/bower.json
+++ b/bower.json
@@ -29,7 +29,7 @@
"rangy": "rangy-release#~1.3.0",
"json.sortify": "~2.1.0",
"fabric.js": "fabric#~1.6.0",
- "hyperjson": "~1.3.1",
+ "hyperjson": "~1.4.0",
"textpatcher": "^1.3.0",
"proxy-polyfill": "^0.1.5",
"chainpad": "^0.3.0",
diff --git a/config.js.dist b/config.js.dist
index 91bf38d95..da80bb374 100644
--- a/config.js.dist
+++ b/config.js.dist
@@ -14,24 +14,35 @@ module.exports = {
* Examples are provided below
*/
-/*
httpHeaders: {
- "Content-Security-Policy": [
- "default-src 'none'",
- "style-src 'unsafe-inline' 'self'",
- "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
- "child-src 'self' cryptpad.fr *.cryptpad.fr",
- "font-src 'self'",
- "connect-src 'self' wss://cryptpad.fr",
- // data: is used by codemirror, (insecure remote) images are included by
- // users of the wysiwyg who embed photos in their pads
- "img-src data: *",
- ].join('; '),
-
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
// 'X-Frame-Options': 'SAMEORIGIN',
- },*/
+ },
+
+ contentSecurity: [
+ "default-src 'none'",
+ "style-src 'unsafe-inline' 'self'",
+ "script-src 'self'",
+ "child-src 'self' cryptpad.fr *.cryptpad.fr",
+ "font-src 'self'",
+ "connect-src 'self' wss://cryptpad.fr",
+ // data: is used by codemirror
+ "img-src 'self' data:",
+ ].join('; '),
+
+ // CKEditor requires significantly more lax content security policy in order to function.
+ padContentSecurity: [
+ "default-src 'none'",
+ "style-src 'unsafe-inline' 'self'",
+ // Unsafe inline, unsafe-eval are needed for ckeditor :(
+ "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+ "child-src 'self' cryptpad.fr *.cryptpad.fr",
+ "font-src 'self'",
+ "connect-src 'self' wss://cryptpad.fr",
+ // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
+ "img-src *",
+ ].join('; '),
httpPort: 3000,
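Review bot: Neither `contentSecurity` nor `padContentSecurity` sets a `frame-ancestors` directive, and the `X-Frame-Options` line at the top of the hunk stays commented out, so as far as this file shows any origin can still frame the application; `child-src` only limits what this app may embed, not who may embed it. Add `"frame-ancestors 'self' cryptpad.fr *.cryptpad.fr"` (matching the child-src list) to both arrays, or uncomment the `X-Frame-Options` line for browsers without CSP2 support. Separately, the pad policy's `img-src *` no longer matches `data:` URIs, because `*` is a host wildcard that does not cover non-network schemes; if pads still embed inline images it should read `"img-src * data:"`. The `'unsafe-inline'` in the pad `script-src`, already called out in the comment, effectively disables script-src as an XSS mitigation for pad pages, and the comment should say so explicitly as the residual risk operators are accepting.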
@@ -51,7 +62,7 @@ module.exports = {
//websocketPort: 3000,
/* if you want to run a different version of cryptpad but using the same websocket
- * server, you should use the other server port as websocketPort and disable
+ * server, you should use the other server port as websocketPort and disable
* the websockets on that server
*/
//useExternalWebsocket: false,
diff --git a/customize.dist/about.html b/customize.dist/about.html
index c0f3a0b97..988efafc3 100644
--- a/customize.dist/about.html
+++ b/customize.dist/about.html
@@ -1,5 +1,6 @@
+
Cryptpad: Zero Knowledge, Collaborative Real Time Editing
@@ -9,16 +10,8 @@
-
+
-
-
-
@@ -126,4 +119,3 @@
-
diff --git a/customize.dist/contact.html b/customize.dist/contact.html
index 7b2cd03ae..1985d8347 100644
--- a/customize.dist/contact.html
+++ b/customize.dist/contact.html
@@ -1,5 +1,6 @@
+
Cryptpad: Zero Knowledge, Collaborative Real Time Editing
@@ -9,16 +10,8 @@
-
+
-
-
-
@@ -123,4 +116,3 @@
-
diff --git a/customize.dist/index.html b/customize.dist/index.html
index eb1815e34..12697787e 100644
--- a/customize.dist/index.html
+++ b/customize.dist/index.html
@@ -1,5 +1,6 @@
+
Cryptpad: Zero Knowledge, Collaborative Real Time Editing
@@ -9,16 +10,8 @@
-
+
-
-
-
@@ -245,4 +238,3 @@
-
diff --git a/customize.dist/privacy.html b/customize.dist/privacy.html
index 10910bfff..403a0f1c4 100644
--- a/customize.dist/privacy.html
+++ b/customize.dist/privacy.html
@@ -1,5 +1,6 @@
+
Cryptpad: Zero Knowledge, Collaborative Real Time Editing
@@ -9,16 +10,8 @@
-
+
-
-
-