make http headers configurable, update default conf

8 years ago · a2e5c96115
parent 9a733bb360
commit a2e5c96115
2 changed files with 41 additions and 25 deletions
--- a/config.js.dist
+++ b/config.js.dist
@ -8,6 +8,31 @@ module.exports = {
    httpAddress: '::',

    // the port on which your httpd will listen
+
+    /*  Cryptpad can be configured to send customized HTTP Headers
+     *  These settings may vary widely depending on your needs
+     *  Examples are provided below
+     */
+
+/*
+    httpHeaders: {
+        "Content-Security-Policy": [
+            "default-serc 'none'",
+            "style-src 'unsafe-inline' 'self'",
+            "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+            "child-src 'self' cryptpad.fr *.cryptpad.fr",
+            "font-src 'self'",
+            "connect-src 'self' wss://cryptpad.fr",
+    // data: is used by codemirror, (insecure remote) images are included by
+    // users of the wysiwyg who embed photos in their pads
+            "img-src data: *",
+        ].join('; '),
+
+        "X-XSS-Protection": "1; mode=block",
+        "X-Content-Type-Options": "nosniff",
+        // 'X-Frame-Options': 'SAMEORIGIN',
+    },*/
+
    httpPort: 3000,

    /*  your server's websocket url is configurable
--- a/server.js
+++ b/server.js
@ -19,33 +19,20 @@ var app = Express();

 var httpsOpts;

-app.use(function (req, res, next) {
-    var host = req.headers.host;
-    if (config.websocketPort) {
-        host = host.replace(/\:[0-9]+/, ':' + config.websocketPort);
-    }
-    var proto = (httpsOpts || config.useSecureWebsockets) ? 'wss://' : 'ws://';
-    res.setHeader('Content-Security-Policy', [
-        "default-src 'none'",
-        "style-src 'unsafe-inline' 'self'",
-
-        // No way to load ckeditor without unsafe-eval and unsafe-inline
-        // https://dev.ckeditor.com/ticket/8584
-        "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
-
-        "connect-src 'self' " + proto + host,
-        "child-src 'self'",
-        "font-src 'self'",
-
-        // data: is used by codemirror, (insecure remote) images are included by people making
-        //       documents in ckeditor.
-        "img-src data: *"
-    ].join('; '));
+var setHeaders = (function () {
+    if (typeof(config.httpHeaders) !== 'object') { return function () {}; }

-    res.setHeader('X-XSS-Protection', '1; mode=block');
-    res.setHeader('X-Content-Type-Options', 'nosniff');
-    res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+    var headers = JSON.parse(JSON.stringify(config.httpHeaders));
+    if (Object.keys(headers).length) {
+        return function (res) {
+            for (header in headers) { res.setHeader(header, headers[header]); }
+        };
+    }
+    return function () {};
+}());

+app.use(function (req, res, next) {
+    setHeaders(res);
    next();
 });

@ -56,6 +43,10 @@ Fs.exists(__dirname + "/customize", function (e) {
    console.log("Cryptpad is customizable, see customize.dist/readme.md for details");
 });

+// FIXME I think this is a regression caused by a recent PR
+// correct this hack without breaking the contributor's intended behaviour.
+app.get(/\/(privacy|index|terms)\.html/, Express.static(__dirname + '/customize.dist'));
+
 app.use("/customize", Express.static(__dirname + '/customize'));
 app.use("/customize", Express.static(__dirname + '/customize.dist'));
 app.use(/^\/[^\/]*$/, Express.static('customize'));