From a2e5c96115689ef7b1f69c826248565a6e2b3b54 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Tue, 18 Oct 2016 11:48:29 +0200
Subject: [PATCH] make http headers configurable, update default conf
---
 config.js.dist | 25 +++++++++++++++++++++++++
 server.js | 41 ++++++++++++++++-------------------------
 2 files changed, 41 insertions(+), 25 deletions(-)
diff --git a/config.js.dist b/config.js.dist
index 1edfb7f36..76518baea 100644
--- a/config.js.dist
+++ b/config.js.dist
@@ -8,6 +8,31 @@ module.exports = {
 httpAddress: '::',
 // the port on which your httpd will listen
+
+ /* Cryptpad can be configured to send customized HTTP Headers
+ * These settings may vary widely depending on your needs
+ * Examples are provided below
+ */
+
+/*
+ httpHeaders: {
+ "Content-Security-Policy": [
+ "default-serc 'none'",
+ "style-src 'unsafe-inline' 'self'",
+ "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+ "child-src 'self' cryptpad.fr *.cryptpad.fr",
+ "font-src 'self'",
+ "connect-src 'self' wss://cryptpad.fr",
+ // data: is used by codemirror, (insecure remote) images are included by
+ // users of the wysiwyg who embed photos in their pads
+ "img-src data: *",
+ ].join('; '),
+
+ "X-XSS-Protection": "1; mode=block",
+ "X-Content-Type-Options": "nosniff",
+ // 'X-Frame-Options': 'SAMEORIGIN',
+ },*/
+
 httpPort: 3000,
 /* your server's websocket url is configurable
diff --git a/server.js b/server.js
index bc17cccbf..2e693c5cd 100644
--- a/server.js
+++ b/server.js
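Review bot: The sample CSP in the new `httpHeaders` block has a typo in its first directive, `"default-serc 'none'"`; a deployer who uncomments the example would send a policy with no `default-src` fallback, so fetch directives not listed explicitly (object-src, for instance) are left unrestricted. The line should read `"default-src 'none'",`. Note also that with the whole block commented out, the shipped default now sends none of the headers that server.js used to set unconditionally, and `X-Frame-Options` is additionally commented out inside the example itself. Shipping the block enabled, or at least saying in the leading comment that it must be uncommented to keep the previous protection, would make the change in default behaviour visible to operators.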
@@ -19,33 +19,20 @@ var app = Express();
 var httpsOpts;
-app.use(function (req, res, next) {
- var host = req.headers.host;
- if (config.websocketPort) {
- host = host.replace(/\:[0-9]+/, ':' + config.websocketPort);
+var setHeaders = (function () {
+ if (typeof(config.httpHeaders) !== 'object') { return function () {}; }
+
+ var headers = JSON.parse(JSON.stringify(config.httpHeaders));
+ if (Object.keys(headers).length) {
+ return function (res) {
+ for (header in headers) { res.setHeader(header, headers[header]); }
+ };
 }
- var proto = (httpsOpts || config.useSecureWebsockets) ? 'wss://' : 'ws://';
- res.setHeader('Content-Security-Policy', [
- "default-src 'none'",
- "style-src 'unsafe-inline' 'self'",
-
- // No way to load ckeditor without unsafe-eval and unsafe-inline
- // https://dev.ckeditor.com/ticket/8584
- "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
-
- "connect-src 'self' " + proto + host,
- "child-src 'self'",
- "font-src 'self'",
-
- // data: is used by codemirror, (insecure remote) images are included by people making
- // documents in ckeditor.
- "img-src data: *"
- ].join('; '));
-
- res.setHeader('X-XSS-Protection', '1; mode=block');
- res.setHeader('X-Content-Type-Options', 'nosniff');
- res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+ return function () {};
+}());
+app.use(function (req, res, next) {
+ setHeaders(res);
 next();
 });
@@ -56,6 +43,10 @@ Fs.exists(__dirname + "/customize", function (e) {
 console.log("Cryptpad is customizable, see customize.dist/readme.md for details");
 });
+// FIXME I think this is a regression caused by a recent PR
+// correct this hack without breaking the contributor's intended behaviour.
+app.get(/\/(privacy|index|terms)\.html/, Express.static(__dirname + '/customize.dist'));
+
 app.use("/customize", Express.static(__dirname + '/customize'));
 app.use("/customize", Express.static(__dirname + '/customize.dist'));
 app.use(/^\/[^\/]*$/, Express.static('customize'));
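Review bot: `for (header in headers)` in the new setHeaders closure declares no loop variable, so `header` is assigned as an implicit global on every request (and is a ReferenceError under strict mode); write `for (var header in headers) { res.setHeader(header, headers[header]); }`. The `typeof(config.httpHeaders) !== 'object'` guard also lets a `null` value through, since `typeof null === 'object'`, and `Object.keys(null)` then throws at startup; `if (!config.httpHeaders || typeof(config.httpHeaders) !== 'object') { return function () {}; }` covers both. A comment above the closure should also record what the removed middleware no longer does, since nothing is sent when `httpHeaders` is unset and `connect-src` is no longer derived from the request host and websocket port, e.g. `// headers are taken verbatim from config.httpHeaders; no CSP or other security headers are sent when it is unset`.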
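Review bot: The route regex `/\/(privacy|index|terms)\.html/` in the second hunk is unanchored, so it matches any path that merely contains one of those segments, such as `/customize/index.html` or `/terms.html.bak`, and hands it to the customize.dist static handler ahead of the `/customize` mounts that follow it. Anchoring it, `app.get(/^\/(privacy|index|terms)\.html$/, Express.static(__dirname + '/customize.dist'));`, limits the override to the three top-level pages the FIXME describes. Whether serving customize.dist before the `customize` mount is still the ordering the earlier contributor intended cannot be judged from this hunk alone.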