align nodejs http headers with example nginx

pull/1/head
ansuz 4 years ago
parent a8f53d04fc
commit a2b79d84b8

@ -57,6 +57,14 @@ server {
add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Origin "*";
# add_header X-Frame-Options "SAMEORIGIN"; # add_header X-Frame-Options "SAMEORIGIN";
set $coop '';
if ($uri ~ ^\/sheet\/.*$) { set $coop 'same-origin'; }
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
add_header Cross-Origin-Resource-Policy cross-origin;
add_header Cross-Origin-Opener-Policy $coop;
add_header Cross-Origin-Embedder-Policy require-corp;
# Insert the path to your CryptPad repository root here # Insert the path to your CryptPad repository root here
root /home/cryptpad/cryptpad; root /home/cryptpad/cryptpad;
index index.html; index index.html;
@ -108,14 +116,6 @@ server {
if ($uri = "/sheet/inner.html") { set $unsafe 1; } if ($uri = "/sheet/inner.html") { set $unsafe 1; }
if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; } if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
set $coop '';
if ($uri ~ ^\/sheet\/.*$) { set $coop 'same-origin'; }
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
add_header Cross-Origin-Resource-Policy cross-origin;
add_header Cross-Origin-Opener-Policy $coop;
add_header Cross-Origin-Embedder-Policy require-corp;
# everything except the sandbox domain is a privileged scope, as they might be used to handle keys # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
if ($host != $sandbox_domain) { set $unsafe 0; } if ($host != $sandbox_domain) { set $unsafe 0; }

@ -48,9 +48,6 @@ Default.httpHeaders = function () {
"X-XSS-Protection": "1; mode=block", "X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff", "X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Origin": "*",
"Cross-Origin-Resource-Policy": 'cross-origin',
"Cross-Origin-Opener-Policy": 'same-origin',
"Cross-Origin-Embedder-Policy": 'require-corp',
}; };
}; };

@ -60,6 +60,10 @@ var app = Express();
} }
}()); }());
var applyHeaderMap = function (res, map) {
for (let header in map) { res.setHeader(header, map[header]); }
};
var setHeaders = (function () { var setHeaders = (function () {
// load the default http headers unless the admin has provided their own via the config file // load the default http headers unless the admin has provided their own via the config file
var headers; var headers;
@ -96,14 +100,21 @@ var setHeaders = (function () {
} }
if (Object.keys(headers).length) { if (Object.keys(headers).length) {
return function (req, res) { return function (req, res) {
// apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
applyHeaderMap(res, {
"Cross-Origin-Resource-Policy": 'cross-origin',
"Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
"Cross-Origin-Embedder-Policy": 'require-corp',
});
// targeted CSP, generic policies, maybe custom headers
const h = [ const h = [
///^\/pad\/inner\.html.*/,
/^\/common\/onlyoffice\/.*\/index\.html.*/, /^\/common\/onlyoffice\/.*\/index\.html.*/,
/^\/(sheet|ooslide|oodoc)\/inner\.html.*/, /^\/(sheet|ooslide|oodoc)\/inner\.html.*/,
].some((regex) => { ].some((regex) => {
return regex.test(req.url); return regex.test(req.url);
}) ? padHeaders : headers; }) ? padHeaders : headers;
for (let header in h) { res.setHeader(header, h[header]); } applyHeaderMap(res, h);
}; };
} }
return function () {}; return function () {};
@ -139,6 +150,7 @@ app.use(function (req, res, next) {
setHeaders(req, res); setHeaders(req, res);
if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); } if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); }
else { res.setHeader("Cache-Control", "no-cache"); }
next(); next();
}); });

Loading…
Cancel
Save