From 3b05d24f107aee0cabd20344c7f7f36a4c24832c Mon Sep 17 00:00:00 2001
From: ansuz
Date: Thu, 2 Apr 2020 17:46:29 -0400
Subject: [PATCH 1/2] wip csp issue
---
 server.js | 13 ++++++++-----
 www/common/sframe-app-outer.js | 4 ++++
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/server.js b/server.js
index 9b82d7c3c..7ae779d13 100644
--- a/server.js
+++ b/server.js
@@ -42,7 +42,7 @@ if (process.env.PACKAGE) {
 throw new Error("No 'httpUnsafeOrigin' provided");
 }
- config.httpUnsafeOrigin = config.httpUnsafeOrigin.trim();
+ config.httpUnsafeOrigin = config.httpUnsafeOrigin.trim().replace(/\/$/, '');
 // fall back to listening on a local address
 // if httpAddress is not a string
@@ -125,12 +125,15 @@ var setHeaders = (function () {
 if (Object.keys(headers).length) {
 return function (req, res) {
 const h = [
- /^\/pad\/inner\.html.*/,
+ /^\/+pad\/inner\.html.*/,
 /^\/common\/onlyoffice\/.*\/index\.html.*/,
- /^\/(sheet|ooslide|oodoc)\/inner\.html.*/,
+ /^\/+(sheet|ooslide|oodoc)\/in.*\.html.*/,
 ].some((regex) => {
- return regex.test(req.url)
+ if (regex.test('' + req.url)) {
+ console.log('CSP MATCH: [%s] <= [%s]', regex, req.url);
+ return true;
+ }
+ }) ? padHeaders: headers;
 for (let header in h) { res.setHeader(header, h[header]); }
 };
 }
diff --git a/www/common/sframe-app-outer.js b/www/common/sframe-app-outer.js
index d85266ca7..2d5948fd8 100644
--- a/www/common/sframe-app-outer.js
+++ b/www/common/sframe-app-outer.js
@@ -31,6 +31,10 @@ define([
 ApiConfig.httpSafeOrigin + window.location.pathname + 'inner.html?' + requireConfig.urlArgs + '#' + encodeURIComponent(JSON.stringify(req)));
+ console.log(ApiConfig.httpSafeOrigin);
+
+ console.error(document.getElementById('sbox-iframe').getAttribute('src'));
+
 // This is a cheap trick to avoid loading sframe-channel in parallel with the
 // loading screen setup.
 var done = waitFor();
From 9fa93172cf445be62f60ea508d4839304333f8a4 Mon Sep 17 00:00:00 2001
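Review bot: The widened patterns `/^\/+pad\/inner\.html.*/` and `/^\/+(sheet|ooslide|oodoc)\/in.*\.html.*/` change which responses receive `padHeaders` instead of `headers`: `in.*\.html` also matches `/sheet/index.html`, so the outer document would be served with the header set meant for the inner frame, and `\/+` accepts any run of leading slashes. If `padHeaders` is the more permissive of the two policies, as the per-path opt-in suggests, that is a CSP relaxation for pages that did not previously get it; the two header sets are built before this hunk, so please confirm which direction the difference goes. The `console.log('CSP MATCH: ...')` fires on every matching request, which is a per-request log line in a hot path; if it is needed for diagnosis, gate it behind a debug flag rather than leaving it unconditional. The enclosing `setHeaders` IIFE starts outside the hunk.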
From: ansuz
Date: Fri, 3 Apr 2020 10:37:23 -0400
Subject: [PATCH 2/2] tolerate trailing slashes in httpSafeDomain
---
 server.js | 14 ++++++--------
 www/common/sframe-app-outer.js | 4 ----
 2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/server.js b/server.js
index 7ae779d13..2e6869b9f 100644
--- a/server.js
+++ b/server.js
@@ -42,7 +42,8 @@ if (process.env.PACKAGE) {
 throw new Error("No 'httpUnsafeOrigin' provided");
 }
- config.httpUnsafeOrigin = config.httpUnsafeOrigin.trim().replace(/\/$/, '');
+ config.httpUnsafeOrigin = config.httpUnsafeOrigin.trim();
+ config.httpSafeOrigin = config.httpSafeOrigin.trim().replace(/\/$/, '');
 // fall back to listening on a local address
 // if httpAddress is not a string
@@ -125,15 +126,12 @@ var setHeaders = (function () {
 if (Object.keys(headers).length) {
 return function (req, res) {
 const h = [
- /^\/+pad\/inner\.html.*/,
+ /^\/pad\/inner\.html.*/,
 /^\/common\/onlyoffice\/.*\/index\.html.*/,
- /^\/+(sheet|ooslide|oodoc)\/in.*\.html.*/,
+ /^\/(sheet|ooslide|oodoc)\/inner\.html.*/,
 ].some((regex) => {
- if (regex.test('' + req.url)) {
- console.log('CSP MATCH: [%s] <= [%s]', regex, req.url);
- return true;
- }
- }) ? padHeaders: headers;
+ return regex.test(req.url);
+ }) ? padHeaders : headers;
 for (let header in h) { res.setHeader(header, h[header]); }
 };
 }
diff --git a/www/common/sframe-app-outer.js b/www/common/sframe-app-outer.js
index 2d5948fd8..d85266ca7 100644
--- a/www/common/sframe-app-outer.js
+++ b/www/common/sframe-app-outer.js
@@ -31,10 +31,6 @@ define([
 ApiConfig.httpSafeOrigin + window.location.pathname + 'inner.html?' + requireConfig.urlArgs + '#' + encodeURIComponent(JSON.stringify(req)));
- console.log(ApiConfig.httpSafeOrigin);
-
- console.error(document.getElementById('sbox-iframe').getAttribute('src'));
-
 // This is a cheap trick to avoid loading sframe-channel in parallel with the
 // loading screen setup.
 var done = waitFor();
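Review bot: `config.httpSafeOrigin.trim()` runs without the guard that throws `No 'httpUnsafeOrigin' provided` just above it, so a config that omits `httpSafeOrigin` or sets it to a non-string now fails with a TypeError at startup rather than whatever fallback the rest of the file applies — unless a check outside this hunk already guarantees a string. `replace(/\/$/, '')` also strips only one trailing slash, so a value such as `https://sandbox.example//` still produces a doubled `//` when sframe-app-outer.js concatenates it with `window.location.pathname`, which is the mismatch this patch is trying to remove. Suggested: `if (typeof(config.httpSafeOrigin) === 'string') {` / `config.httpSafeOrigin = config.httpSafeOrigin.trim().replace(/\/+$/, '');` / `}`. Because this value is the origin the `sbox-iframe` is loaded from and the server selects the CSP for that frame by request path, it may also be worth rejecting a value that carries a path, query or fragment (e.g. comparing it against `new URL(value).origin`) so a misconfiguration fails loudly instead of silently changing which header set the inner frame receives.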
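Review bot: The restored patterns are anchored only at the start and end in `.*`, so `padHeaders` is selected by prefix against the raw `req.url`: `/pad/inner.html?x` is the intended case, but `/pad/inner.html.bak` or `/pad/inner.htmlx` would also receive it if such a path is ever served. Matching the path up to the query keeps the query-string case and closes the prefix case, e.g. `/^\/pad\/inner\.html(?:\?|$)/` and `/^\/(sheet|ooslide|oodoc)\/inner\.html(?:\?|$)/`. A one-line comment above the array stating why these paths get a separate header set, e.g. `// inner.html is loaded into #sbox-iframe from httpSafeOrigin and gets its own header set (padHeaders)`, would help the next reader, since `headers` and `padHeaders` are built before this hunk. The enclosing `setHeaders` IIFE starts outside the hunk.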