fix incorrect frame-ancestors and update test

3 years ago · b4323b2c40
parent afd8f70c00
commit b4323b2c40
3 changed files with 5 additions and 3 deletions
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -32,7 +32,7 @@ Default.commonCSP = function (Env) {
        "media-src blob:",
        // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
-        Env.enableEmbedding?  "frame-ancestors *": `frame-ancestors ${domain}${sandbox}`,
+        Env.enableEmbedding?  `frame-ancestors 'self' ${Env.protocol}`: `frame-ancestors ${domain}${sandbox}`,
        "worker-src 'self'",
        ""
    ];
--- a/lib/env.js
+++ b/lib/env.js
@ -68,6 +68,8 @@ module.exports.create = function (config) {
    }
    const Env = {
        protocol: new URL(httpUnsafeOrigin).protocol,
        fileHost: config.fileHost, // XXX
        NO_SANDBOX: NO_SANDBOX,
        httpSafePort: httpSafePort,
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@ -990,7 +990,7 @@ define([
                'img-src': ["'self'", 'data:', 'blob:', $outer],
                'media-src': ['blob:'],
-                'frame-ancestors': ApiConfig.enableEmbedding? ['*']: [$outer, $sandbox],
+                'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
                'worker-src': ["'self'"],
            });
            cb(result);
@ -1028,7 +1028,7 @@ define([
                ],
                'img-src': ["'self'", 'data:', 'blob:', $outer],
                'media-src': ['blob:'],
-                'frame-ancestors': ApiConfig.enableEmbedding? ['*']: [$outer, $sandbox],
+                'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
                'worker-src': ["'self'"],//, $outer, $sandbox],
            });