From b4323b2c402c5b517f0088d0eb2ae23a3f7c44e7 Mon Sep 17 00:00:00 2001
From: ansuz <git@ansuz.xyz>
Date: Fri, 1 Apr 2022 13:15:06 +0530
Subject: [PATCH] fix incorrect frame-ancestors and update test

---
 lib/defaults.js     | 2 +-
 lib/env.js          | 2 ++
 www/checkup/main.js | 4 ++--
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/defaults.js b/lib/defaults.js
index f9e351c47..a3d5acfe3 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -32,7 +32,7 @@ Default.commonCSP = function (Env) {
         "media-src blob:",
 
         // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
-        Env.enableEmbedding?  "frame-ancestors *": `frame-ancestors ${domain}${sandbox}`,
+        Env.enableEmbedding?  `frame-ancestors 'self' ${Env.protocol}`: `frame-ancestors ${domain}${sandbox}`,
         "worker-src 'self'",
         ""
     ];
diff --git a/lib/env.js b/lib/env.js
index c9975ce93..22d520203 100644
--- a/lib/env.js
+++ b/lib/env.js
@@ -68,6 +68,8 @@ module.exports.create = function (config) {
     }
 
     const Env = {
+        protocol: new URL(httpUnsafeOrigin).protocol,
+
         fileHost: config.fileHost, // XXX
         NO_SANDBOX: NO_SANDBOX,
         httpSafePort: httpSafePort,
diff --git a/www/checkup/main.js b/www/checkup/main.js
index 4d4927387..2b8caf7d7 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@@ -990,7 +990,7 @@ define([
 
                 'img-src': ["'self'", 'data:', 'blob:', $outer],
                 'media-src': ['blob:'],
-                'frame-ancestors': ApiConfig.enableEmbedding? ['*']: [$outer, $sandbox],
+                'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
                 'worker-src': ["'self'"],
             });
             cb(result);
@@ -1028,7 +1028,7 @@ define([
                 ],
                 'img-src': ["'self'", 'data:', 'blob:', $outer],
                 'media-src': ['blob:'],
-                'frame-ancestors': ApiConfig.enableEmbedding? ['*']: [$outer, $sandbox],
+                'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
                 'worker-src': ["'self'"],//, $outer, $sandbox],
             });