diff --git a/lib/defaults.js b/lib/defaults.js
index f9e351c47..a3d5acfe3 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -32,7 +32,7 @@ Default.commonCSP = function (Env) {
 "media-src blob:",
 
 // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
- Env.enableEmbedding? "frame-ancestors *": `frame-ancestors ${domain}${sandbox}`,
+ Env.enableEmbedding? `frame-ancestors 'self' ${Env.protocol}`: `frame-ancestors ${domain}${sandbox}`,
 "worker-src 'self'",
 ""
 ];
diff --git a/lib/env.js b/lib/env.js
index c9975ce93..22d520203 100644
--- a/lib/env.js
+++ b/lib/env.js
@@ -68,6 +68,8 @@ module.exports.create = function (config) {
 }
 
 const Env = {
+ protocol: new URL(httpUnsafeOrigin).protocol,
+
 fileHost: config.fileHost, // XXX
 NO_SANDBOX: NO_SANDBOX,
 httpSafePort: httpSafePort,
diff --git a/www/checkup/main.js b/www/checkup/main.js
index 4d4927387..2b8caf7d7 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@@ -990,7 +990,7 @@ define([
 
 'img-src': ["'self'", 'data:', 'blob:', $outer],
 'media-src': ['blob:'],
- 'frame-ancestors': ApiConfig.enableEmbedding? ['*']: [$outer, $sandbox],
+ 'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
 'worker-src': ["'self'"],
 });
 cb(result);
@@ -1028,7 +1028,7 @@ define([
 ],
 'img-src': ["'self'", 'data:', 'blob:', $outer],
 'media-src': ['blob:'],
- 'frame-ancestors': ApiConfig.enableEmbedding? ['*']: [$outer, $sandbox],
+ 'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
 'worker-src': ["'self'"],//, $outer, $sandbox],
 });
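Review bot: The new embedding branch `frame-ancestors 'self' ${Env.protocol}` emits a CSP scheme-source such as `https:`, which allows every origin on that scheme to frame the page, so with enableEmbedding on this is only marginally tighter than the old `*` (it excludes ancestors on other schemes, and for an http httpUnsafeOrigin it still permits any http site). If "any ancestor served over our own scheme" is the intended meaning of enableEmbedding, the comment above the line should say so, since the existing comment only mentions accounts.cryptpad.fr and the sandbox; something like `// enableEmbedding: any ancestor on our own scheme may frame us (CSP scheme-source, e.g. "https:"); otherwise only our domain and sandbox`. Note that `URL.prototype.protocol` includes the trailing colon, which is the form the scheme-source grammar requires, so the interpolation itself is correct as written. Default.commonCSP starts and ends outside this hunk.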
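Review bot: `new URL(httpUnsafeOrigin).protocol` throws a TypeError when httpUnsafeOrigin is missing or not an absolute URL, so server start-up now fails on this line unless the value was validated earlier in create(), which is outside the hunk; if that validation exists a short comment would make the dependency visible, otherwise a guard is needed. The new field also has no comment explaining what consumes it; suggest `protocol: new URL(httpUnsafeOrigin).protocol, // e.g. "https:" — used as a CSP scheme-source in Default.commonCSP`. module.exports.create starts and ends outside this hunk.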
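Review bot: The expected frame-ancestors value here is derived from `window.location.protocol`, whereas the server builds it from httpUnsafeOrigin (lib/env.js in this same commit), so the check reports a mismatch whenever the checkup page is loaded over a different scheme than the configured origin — presumably acceptable if checkup is meant to be run from the configured origin, but worth stating, e.g. `// the server derives this from httpUnsafeOrigin; checkup must be loaded from that origin for the schemes to agree`. The identical expression is repeated in the hunk at line 1028; hoisting it into one `var $frameAncestors = ApiConfig.enableEmbedding ? ["'self'", window.location.protocol] : [$outer, $sandbox];` shared by both CSP assertions would keep the two expectations from drifting. The enclosing assert callbacks start outside the hunk.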