|
|
|
|
@ -106,7 +106,6 @@ var setHeaders = (function () {
|
|
|
|
|
return function (req, res) {
|
|
|
|
|
// apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
|
|
|
|
|
applyHeaderMap(res, {
|
|
|
|
|
"Cross-Origin-Resource-Policy": 'cross-origin',
|
|
|
|
|
"Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
|
|
|
|
|
"Cross-Origin-Embedder-Policy": 'require-corp',
|
|
|
|
|
});
|
|
|
|
|
@ -114,6 +113,10 @@ var setHeaders = (function () {
|
|
|
|
|
// Don't set CSP headers on /api/config because they aren't necessary and they cause problems
|
|
|
|
|
// when duplicated by NGINX in production environments
|
|
|
|
|
if (/^\/api\/(broadcast|config)/.test(req.url)) { return; }
|
|
|
|
|
applyHeaderMap(res, {
|
|
|
|
|
"Cross-Origin-Resource-Policy": 'cross-origin',
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// targeted CSP, generic policies, maybe custom headers
|
|
|
|
|
const h = [
|
|
|
|
|
/^\/common\/onlyoffice\/.*\/index\.html.*/,
|
|
|
|
|
|
ansuz
4 years ago