From 2a262555ed5039a63a7efeb200b0c55be371a65d Mon Sep 17 00:00:00 2001
From: ansuz
Date: Thu, 15 Jun 2017 14:42:27 +0200
Subject: [PATCH 1/2] add suggested CSP types for media tags
---
 config.example.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config.example.js b/config.example.js
index c7a831b4c..d2ea25a3e 100644
--- a/config.example.js
+++ b/config.example.js
@@ -33,9 +33,9 @@ module.exports = {
 * it is recommended that you configure these fields to match the
 * domain which will serve your CryptPad instance.
 */
- "child-src 'self' *",
+ "child-src 'self' blob: *",
- "media-src *",
+ "media-src * blob:",
 /* this allows connections over secure or insecure websockets
 if you are deploying to production, you'll probably want to remove
From 7bee2ba27d72a84b8dd775a8b2bc1f72aba0c9ce Mon Sep 17 00:00:00 2001
From: Caleb James DeLisle
Date: Thu, 15 Jun 2017 14:45:01 +0200
Subject: [PATCH 2/2] Add a semicolon at the end of the CSP if none exists.
---
 server.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server.js b/server.js
index ec89ef2af..0db55f8d0 100644
--- a/server.js
+++ b/server.js
@@ -34,6 +34,7 @@ var setHeaders = (function () {
 const headers = clone(config.httpHeaders);
 if (config.contentSecurity) {
 headers['Content-Security-Policy'] = clone(config.contentSecurity);
+ if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }
 if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
 // backward compat for those who do not merge the new version of the config
 // when updating. This prevents endless spinner if someone clicks donate.
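Review bot: The new `blob:` source in `child-src` and `media-src` carries no comment explaining why it is needed next to `*`, and the surrounding comment tells administrators to replace these values with their own domain, so the `blob:` entry is likely to be dropped when they tighten the policy. A CSP host wildcard matches network schemes only, so workers, frames and media loaded from `blob:` URLs created by the page are still blocked unless the scheme is listed explicitly. I would add a line above the two directives such as `// 'blob:' must stay even when '*' is narrowed to your domain: a host wildcard does not cover blob: URLs created by the app`. Since this is the example config, the hunk shows only part of the `contentSecurity` value; the list continues outside it.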
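Review bot: The added check `/;$/.test(...)` only recognises a semicolon at the very last character, so a configured policy ending in `; ` or `;\n` gets a second `;` appended, and the one-line body relies on ASI with no statement terminator, which diverges from the surrounding style. Normalising the header before the test avoids both: `var csp = headers['Content-Security-Policy'].trim();` followed by `headers['Content-Security-Policy'] = /;$/.test(csp) ? csp : csp + ';';`. The test also assumes the cloned value is already a string; if `config.contentSecurity` can be an array, the regex would run against its comma-joined form, which is worth confirming against the config format. The enclosing `setHeaders` function continues outside the hunk.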