Implement stronger content-security-policy except in /pad/ which does not allow it.

Implement a "loader" which allows for applying a version number to everything. Added a cache control for anything which has a version.
8 years ago · 91eda5fa83
parent 9800f036c5
commit 91eda5fa83
34 changed files with 107 additions and 209 deletions
--- a/config.js.dist
+++ b/config.js.dist
@ -14,24 +14,35 @@ module.exports = {
     *  Examples are provided below
     */

-/*
    httpHeaders: {
-        "Content-Security-Policy": [
-            "default-src 'none'",
-            "style-src 'unsafe-inline' 'self'",
-            "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
-            "child-src 'self' cryptpad.fr *.cryptpad.fr",
-            "font-src 'self'",
-            "connect-src 'self' wss://cryptpad.fr",
-    // data: is used by codemirror, (insecure remote) images are included by
-    // users of the wysiwyg who embed photos in their pads
-            "img-src data: *",
-        ].join('; '),
-
        "X-XSS-Protection": "1; mode=block",
        "X-Content-Type-Options": "nosniff",
        // 'X-Frame-Options': 'SAMEORIGIN',
-    },*/
+    },
+
+    contentSecurity: [
+        "default-src 'none'",
+        "style-src 'unsafe-inline' 'self'",
+        "script-src 'self'",
+        "child-src 'self' cryptpad.fr *.cryptpad.fr",
+        "font-src 'self'",
+        "connect-src 'self' wss://cryptpad.fr",
+        // data: is used by codemirror
+        "img-src 'self' data:",
+    ].join('; '),
+
+    // CKEditor requires significantly more lax content security policy in order to function.
+    padContentSecurity: [
+        "default-src 'none'",
+        "style-src 'unsafe-inline' 'self'",
+        // Unsafe inline, unsafe-eval are needed for ckeditor :(
+        "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+        "child-src 'self' cryptpad.fr *.cryptpad.fr",
+        "font-src 'self'",
+        "connect-src 'self' wss://cryptpad.fr",
+        // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
+        "img-src *",
+    ].join('; '),

    httpPort: 3000,

--- a/customize.dist/about.html
+++ b/customize.dist/about.html
@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html class="cp">
+<!-- If this file is not called customize.dist/src/template.html, it is generated -->
 <head>
    <title data-localization="main_title">Cryptpad: Zero Knowledge, Collaborative Real Time Editing</title>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
@ -9,16 +10,8 @@
    <link rel="icon" type="image/png" href="/customize/main-favicon.png" id="favicon"/>
    <script src="/bower_components/jquery/dist/jquery.min.js"></script>
    <link rel="stylesheet" href="/bower_components/bootstrap/dist/css/bootstrap.min.css">
-        <script data-main="/customize/main" src="/bower_components/requirejs/require.js"></script>
+        <script data-bootload="/customize/main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>

-
-    <script src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
 </head>
 <body class="html">
    <div id="cryptpadTopBar">
@ -126,4 +119,3 @@

 </body>
 </html>
-
--- a/customize.dist/contact.html
+++ b/customize.dist/contact.html
@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html class="cp">
+<!-- If this file is not called customize.dist/src/template.html, it is generated -->
 <head>
    <title data-localization="main_title">Cryptpad: Zero Knowledge, Collaborative Real Time Editing</title>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
@ -9,16 +10,8 @@
    <link rel="icon" type="image/png" href="/customize/main-favicon.png" id="favicon"/>
    <script src="/bower_components/jquery/dist/jquery.min.js"></script>
    <link rel="stylesheet" href="/bower_components/bootstrap/dist/css/bootstrap.min.css">
-        <script data-main="/customize/main" src="/bower_components/requirejs/require.js"></script>
+        <script data-bootload="/customize/main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>

-
-    <script src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
 </head>
 <body class="html">
    <div id="cryptpadTopBar">
@ -123,4 +116,3 @@

 </body>
 </html>
-
--- a/customize.dist/index.html
+++ b/customize.dist/index.html
@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html class="cp">
+<!-- If this file is not called customize.dist/src/template.html, it is generated -->
 <head>
    <title data-localization="main_title">Cryptpad: Zero Knowledge, Collaborative Real Time Editing</title>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
@ -9,16 +10,8 @@
    <link rel="icon" type="image/png" href="/customize/main-favicon.png" id="favicon"/>
    <script src="/bower_components/jquery/dist/jquery.min.js"></script>
    <link rel="stylesheet" href="/bower_components/bootstrap/dist/css/bootstrap.min.css">
-        <script data-main="/customize/main" src="/bower_components/requirejs/require.js"></script>
+        <script data-bootload="/customize/main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>

-
-    <script src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
 </head>
 <body class="html">
    <div id="cryptpadTopBar">
@ -245,4 +238,3 @@

 </body>
 </html>
-
--- a/customize.dist/privacy.html
+++ b/customize.dist/privacy.html
@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html class="cp">
+<!-- If this file is not called customize.dist/src/template.html, it is generated -->
 <head>
    <title data-localization="main_title">Cryptpad: Zero Knowledge, Collaborative Real Time Editing</title>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
@ -9,16 +10,8 @@
    <link rel="icon" type="image/png" href="/customize/main-favicon.png" id="favicon"/>
    <script src="/bower_components/jquery/dist/jquery.min.js"></script>
    <link rel="stylesheet" href="/bower_components/bootstrap/dist/css/bootstrap.min.css">
-        <script data-main="/customize/main" src="/bower_components/requirejs/require.js"></script>
+        <script data-bootload="/customize/main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>

-
-    <script src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
 </head>
 <body class="html">
    <div id="cryptpadTopBar">
@ -144,4 +137,3 @@

 </body>
 </html>
-
--- a/customize.dist/src/fragments/appscript.html
+++ b/customize.dist/src/fragments/appscript.html
@ -1,3 +1,2 @@
    <link rel="stylesheet" type="text/css" href="main.css" />
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
--- a/customize.dist/src/fragments/empty.html
+++ b/customize.dist/src/fragments/empty.html
@ -1,2 +1 @@
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
    <div id="container"></div>
--- a/customize.dist/src/fragments/script.html
+++ b/customize.dist/src/fragments/script.html
@ -1,2 +1 @@
-    <script data-main="/customize/main" src="/bower_components/requirejs/require.js"></script>
-
+    <script data-bootload="/customize/main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
--- a/customize.dist/src/template.html
+++ b/customize.dist/src/template.html
@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html class="cp">
+<!-- If this file is not called customize.dist/src/template.html, it is generated -->
 <head>
    <title data-localization="main_title">Cryptpad: Zero Knowledge, Collaborative Real Time Editing</title>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
@ -10,13 +11,6 @@
    <script src="/bower_components/jquery/dist/jquery.min.js"></script>
    <link rel="stylesheet" href="/bower_components/bootstrap/dist/css/bootstrap.min.css">
    {{script}}
-    <script src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
 </head>
 <body class="html">
    {{topbar}}
@ -30,4 +24,3 @@
    {{footer}}
 </body>
 </html>
-
--- a/customize.dist/terms.html
+++ b/customize.dist/terms.html
@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html class="cp">
+<!-- If this file is not called customize.dist/src/template.html, it is generated -->
 <head>
    <title data-localization="main_title">Cryptpad: Zero Knowledge, Collaborative Real Time Editing</title>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
@ -9,16 +10,8 @@
    <link rel="icon" type="image/png" href="/customize/main-favicon.png" id="favicon"/>
    <script src="/bower_components/jquery/dist/jquery.min.js"></script>
    <link rel="stylesheet" href="/bower_components/bootstrap/dist/css/bootstrap.min.css">
-        <script data-main="/customize/main" src="/bower_components/requirejs/require.js"></script>
+        <script data-bootload="/customize/main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>

-
-    <script src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
 </head>
 <body class="html">
    <div id="cryptpadTopBar">
@ -127,4 +120,3 @@

 </body>
 </html>
-
--- a/server.js
+++ b/server.js
@ -7,6 +7,7 @@ var Https = require('https');
 var Fs = require('fs');
 var WebSocketServer = require('ws').Server;
 var NetfluxSrv = require('./NetfluxWebsocketSrv');
+var Package = require('./package.json');

 var config = require('./config');
 var websocketPort = config.websocketPort || config.httpPort;
@ -19,20 +20,31 @@ var app = Express();

 var httpsOpts;

+const clone = (x) => (JSON.parse(JSON.stringify(x)));
+
 var setHeaders = (function () {
    if (typeof(config.httpHeaders) !== 'object') { return function () {}; }

-    var headers = JSON.parse(JSON.stringify(config.httpHeaders));
+    const headers = clone(config.httpHeaders);
+    if (config.contentSecurity) {
+        headers['Content-Security-Policy'] = clone(config.contentSecurity);
+    }
+    const padHeaders = clone(headers);
+    if (config.padContentSecurity) {
+        padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
+    }
    if (Object.keys(headers).length) {
-        return function (res) {
-            for (var header in headers) { res.setHeader(header, headers[header]); }
+        return function (req, res) {
+            const h = /^\/pad\/inner\.html.*/.test(req.url) ? padHeaders : headers;
+            for (let header in h) { res.setHeader(header, h[header]); }
        };
    }
    return function () {};
 }());

 app.use(function (req, res, next) {
-    setHeaders(res);
+    setHeaders(req, res);
+    if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); }
    next();
 });

@ -82,6 +94,10 @@ app.get('/api/config', function(req, res){
    var host = req.headers.host.replace(/\:[0-9]+/, '');
    res.setHeader('Content-Type', 'text/javascript');
    res.send('define(' + JSON.stringify({
+        requireConf: {
+            waitSeconds: 60,
+            urlArgs: 'ver=' + Package.version
+        },
        websocketPath: config.useExternalWebsocket ? undefined : config.websocketPath,
        websocketURL:'ws' + ((useSecureWebsockets) ? 's' : '') + '://' + host + ':' +
            websocketPort + '/cryptpad_websocket',
--- a/www/code/index.html
+++ b/www/code/index.html
@ -4,13 +4,7 @@
    <title>CryptPad</title>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <link rel="icon" type="image/png"
        href="/customize/main-favicon.png"

@ -49,11 +43,7 @@
 </head>
 <body>
    <div id="iframe-container">
-        <iframe id="pad-iframe"></iframe>
-        <script>
-            document.getElementById('pad-iframe').setAttribute('src', 'inner.html?' + new Date().getTime());
-        </script>
+        <iframe id="pad-iframe"></iframe><script src="/common/noscriptfix.js"></script>
    </div>
 </body>
 </html>
-
--- a/www/common/boot.js
+++ b/www/common/boot.js
@ -0,0 +1,5 @@
+// Stage 0, this gets cached which means we can't change it. boot2.js is changable.
+define(['/api/config?cb=' + (+new Date()).toString(16)], function (Config) {
+    if (Config.requireConf) { require.config(Config.requireConf); }
+    require(['/common/boot2.js']);
+});
--- a/www/common/boot2.js
+++ b/www/common/boot2.js
@ -0,0 +1,6 @@
+// This is stage 1, it can be changed but you must bump the version of the project.
+define([], function () {
+    // fix up locations so that relative urls work.
+    require.config({ baseUrl: window.location.pathname });
+    require([document.querySelector('script[data-bootload]').getAttribute('data-bootload')]);
+});
--- a/www/common/cryptpad-common.js
+++ b/www/common/cryptpad-common.js
@ -1,5 +1,5 @@
 define([
-    '/api/config?cb=' + Math.random().toString(16).slice(2),
+    '/api/config',
    '/customize/messages.js?app=' + window.location.pathname.split('/').filter(function (x) { return x; }).join('.'),
    '/customize/fsStore.js',
    '/bower_components/chainpad-crypto/crypto.js?v=0.1.5',
--- a/www/common/noscriptfix.js
+++ b/www/common/noscriptfix.js
@ -0,0 +1,3 @@
+// Fix for noscript bugs when caching iframe content.
+// Caution, this file will get cached, you must change the name if you change it.
+document.getElementById('pad-iframe').setAttribute('src', 'inner.html?cb=' + (+new Date()));
--- a/www/drive/index.html
+++ b/www/drive/index.html
@ -10,13 +10,7 @@
        data-alt-favicon="/customize/alt-favicon.png"
        id="favicon" />
    <link rel="stylesheet" href="/customize/main.css" />
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body {
            margin: 0px;
@ -38,10 +32,6 @@
    </style>
 </head>
 <body>
-    <iframe id="pad-iframe"></iframe>
-    <script>
-        document.getElementById('pad-iframe').setAttribute('src', 'inner.html?' + new Date().getTime());
-    </script>
+    <iframe id="pad-iframe"></iframe><script src="/common/noscriptfix.js"></script>
 </body>
 </html>
-
--- a/www/drive/main.js
+++ b/www/drive/main.js
@ -18,7 +18,6 @@ define([

    // Use `$(function () {});` to make sure the html is loaded before doing anything else
    $(function () {
-
    var $iframe = $('#pad-iframe').contents();
    var ifrw = $('#pad-iframe')[0].contentWindow;

@ -2116,6 +2115,5 @@ define([
            onConnectError();
        }
    });
-
    });
 });
--- a/www/examples/board/index.html
+++ b/www/examples/board/index.html
@ -10,12 +10,7 @@
        data-alt-favicon="/customize/alt-favicon.png"
        id="favicon" />
    <link rel="stylesheet" href="/customize/main.css" />
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-        });
-    </script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body {
            width: 100;
@ -100,4 +95,3 @@
    <div id="lists"></div>
    <span id="create-list">Add List</span>
 </div>
-
--- a/www/examples/canvas/index.html
+++ b/www/examples/canvas/index.html
@ -3,7 +3,7 @@
 <head>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body{
            padding: 0px;
@ -76,4 +76,3 @@

 </body>
 </html>
-
--- a/www/examples/form/index.html
+++ b/www/examples/form/index.html
@ -3,7 +3,7 @@
 <head>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body{
            padding: 0px;
@ -76,4 +76,3 @@

 </body>
 </html>
-
--- a/www/examples/hack/index.html
+++ b/www/examples/hack/index.html
@ -3,7 +3,7 @@
 <head>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body{
            padding: 0px;
@ -75,4 +75,3 @@
    </div>
 </body>
 </html>
-
--- a/www/examples/json/index.html
+++ b/www/examples/json/index.html
@ -3,7 +3,7 @@
 <head>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body{
            padding: 0px;
@ -48,4 +48,3 @@
    </div>
 </body>
 </html>
-
--- a/www/examples/read/index.html
+++ b/www/examples/read/index.html
@ -2,12 +2,7 @@
 <html>
 <head>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-        });
-    </script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <link rel="icon" type="image/png"
        href="/customize/main-favicon.png"

--- a/www/examples/render/index.html
+++ b/www/examples/render/index.html
@ -4,7 +4,7 @@
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
    <link rel="stylesheet" href="/common/render-sd.css" />
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body {
            padding: 0;
--- a/www/examples/style/index.html
+++ b/www/examples/style/index.html
@ -3,7 +3,7 @@
    <head>
        <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
        <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-        <script data-main="main" src="/bower_components/requirejs/require.js"></script>
+        <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
        <style></style>
    </head>
    <body>
@ -58,4 +58,3 @@

 </body>
 </html>
-
--- a/www/examples/text/index.html
+++ b/www/examples/text/index.html
@ -3,7 +3,7 @@
 <head>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body{
            padding: 0px;
@ -36,4 +36,3 @@
    <textarea></textarea>
 </body>
 </html>
-
--- a/www/examples/upload/index.html
+++ b/www/examples/upload/index.html
@ -2,12 +2,7 @@
 <html>
 <head>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-        });
-    </script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <link rel="icon" type="image/png"
        href="/customize/main-favicon.png"

@ -31,4 +26,3 @@ pre {
 <h1>Upload</h1>

 <input type="file">
-
--- a/www/login/index.html
+++ b/www/login/index.html
@ -9,14 +9,7 @@
    <link rel="icon" type="image/png" href="/customize/main-favicon.png" id="favicon"/>
    <script src="/bower_components/jquery/dist/jquery.min.js"></script>
    <link rel="stylesheet" href="/bower_components/bootstrap/dist/css/bootstrap.min.css">
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <script src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
 </head>
 <body class="html">
    <div id="cryptpadTopBar">
@ -77,4 +70,3 @@

 </body>
 </html>
-
--- a/www/pad/index.html
+++ b/www/pad/index.html
@ -10,13 +10,7 @@
        data-alt-favicon="/customize/alt-favicon.png"
        id="favicon" />
    <link rel="stylesheet" href="/customize/main.css" />
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body {
            margin: 0px;
@ -61,10 +55,6 @@
    </style>
 </head>
 <body>
-    <iframe id="pad-iframe"></iframe>
-    <script>
-        document.getElementById('pad-iframe').setAttribute('src', 'inner.html?' + new Date().getTime());
-    </script>
+    <iframe id="pad-iframe"></iframe><script src="/common/noscriptfix.js"></script>
 </body>
 </html>
-
--- a/www/poll/index.html
+++ b/www/poll/index.html
@ -11,11 +11,7 @@
        id="favicon" />
    <link rel="stylesheet" href="/bower_components/components-font-awesome/css/font-awesome.min.css">
    <link rel="stylesheet" href="/customize/main.css" />
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <script> require.config({
-        waitSeconds: 60,
-        urlArgs: "bust=1.1.0",
-    }); </script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <style>
        html, body {
            width: 100%;
--- a/www/register/index.html
+++ b/www/register/index.html
@ -5,15 +5,9 @@
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
    <title>Cryptpad: login</title>
    <link rel="stylesheet" href="/bower_components/components-font-awesome/css/font-awesome.min.css">
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <link rel="stylesheet" href="/customize/main.css" />
    <link rel="stylesheet" href="/bower_components/bootstrap/dist/css/bootstrap.min.css">
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
 </head>
 <body class="html">
    <div id="cryptpadTopBar">
@ -89,4 +83,3 @@

 </body>
 </html>
-
--- a/www/settings/index.html
+++ b/www/settings/index.html
@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html class="cp">
+<!-- If this file is not called customize.dist/src/template.html, it is generated -->
 <head>
    <title data-localization="main_title">Cryptpad: Zero Knowledge, Collaborative Real Time Editing</title>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
@ -10,16 +11,8 @@
    <script src="/bower_components/jquery/dist/jquery.min.js"></script>
    <link rel="stylesheet" href="/bower_components/bootstrap/dist/css/bootstrap.min.css">
        <link rel="stylesheet" type="text/css" href="main.css" />
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>

-
-    <script src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
 </head>
 <body class="html">
    <div id="cryptpadTopBar">
@ -68,8 +61,7 @@


    <div id="mainBlock" class="hidden">
-        <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <div id="container"></div>
+        <div id="container"></div>

    </div>

@ -118,4 +110,3 @@

 </body>
 </html>
-
--- a/www/slide/index.html
+++ b/www/slide/index.html
@ -3,13 +3,7 @@
 <head>
    <title>CryptPad</title>
    <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
-    <script data-main="main" src="/bower_components/requirejs/require.js"></script>
-    <script>
-        require.config({
-            waitSeconds: 60,
-            urlArgs: "bust=1.1.0",
-        });
-    </script>
+    <script data-bootload="main.js" data-main="/common/boot.js" src="/bower_components/requirejs/require.js"></script>
    <link rel="icon" type="image/png"
        href="/customize/main-favicon.png"

@ -52,11 +46,7 @@
 </head>
 <body>
    <div id="iframe-container">
-        <iframe id="pad-iframe"></iframe>
-        <script>
-            document.getElementById('pad-iframe').setAttribute('src', 'inner.html?' + new Date().getTime());
-        </script>
+        <iframe id="pad-iframe"></iframe><script src="/common/noscriptfix.js"></script>
    </div>
 </body>
 </html>
-