diff --git a/config.example.js b/config.example.js
index 974890cfa..b5ec1717d 100644
--- a/config.example.js
+++ b/config.example.js
@@ -88,6 +88,28 @@ module.exports = {
 "img-src * blob:",
 ].join('; '),
 
+ // OnlyOffice requires even more lax content security policy in order to function.
+ ooContentSecurity: [
+ "default-src 'none'",
+ "style-src 'unsafe-inline' 'self'" + domain,
+ // Unsafe inline, unsafe-eval are needed for ckeditor :(
+ "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
+ "font-src 'self'" + domain,
+
+ /* See above under 'contentSecurity' as to how these values should be
+ * configured for best effect.
+ */
+ "child-src *",
+ // IE/Edge
+ "frame-src *",
+
+ // see the comment above in the 'contentSecurity' section
+ "connect-src 'self' blob: ws: wss:" + domain,
+
+ // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
+ "img-src * blob: data:",
+ ].join('; '),
+
 httpPort: 3000,
 
 // This is for allowing the cross-domain iframe to function when developing
diff --git a/server.js b/server.js
index 4523ffc67..347140b7c 100644
--- a/server.js
+++ b/server.js
@@ -75,9 +75,20 @@ var setHeaders = (function () {
 if (config.padContentSecurity) {
 padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
 }
+ const ooHeaders = clone(headers);
+ if (config.ooContentSecurity) {
+ ooHeaders['Content-Security-Policy'] = clone(config.ooContentSecurity);
+ }
 if (Object.keys(headers).length) {
 return function (req, res) {
- const h = /^\/pad(2)?\/inner\.html.*/.test(req.url) ? padHeaders : headers;
+ const h = [/^\/pad(2)?\/inner\.html.*/].some((regex) => {
+ return regex.test(req.url)
+ }) ? padHeaders : ([
+ /^\/sheet\/inner\.html.*/,
+ /^\/common\/onlyoffice\/.*\/index\.html.*/
+ ].some((regex) => {
+ return regex.test(req.url)
+ }) ? ooHeaders : headers);
 for (let header in h) { res.setHeader(header, h[header]); }
 };
 }
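Review bot: The comment above `script-src` in the new `ooContentSecurity` entry attributes `'unsafe-eval' 'unsafe-inline'` to ckeditor, but this policy is the one served to the OnlyOffice pages (per the server.js hunk in this same commit), so the stated reason does not match the policy it documents. Because `'unsafe-inline'` and `'unsafe-eval'` on `script-src` together with `child-src *` / `frame-src *` remove most of what this CSP would otherwise block, the comment should name the OnlyOffice component that actually needs each allowance, e.g. `// OnlyOffice's editor bundle needs 'unsafe-eval' and inline scripts; revisit if a later build drops that requirement`. The `img-src` line also adds `data:` beyond the `"img-src * blob:"` context line at the top of the hunk, and its comment should say why (presumably OnlyOffice embeds images as data URIs — worth confirming), since the existing comment was copied from the pad policy. The `+ domain` concatenation follows the existing entries and seems to rely on `domain` carrying its own leading space; its definition is outside the hunk.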
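Review bot: The replacement for `const h` wraps a single regex in an array only to call `.some` on it and then nests a second ternary inside parentheses, which obscures the simple precedence rule the hunk implements (pad URLs win, then OnlyOffice URLs, otherwise the default header set); the two arrow-function bodies also omit semicolons, unlike the surrounding file. Naming the two pattern lists once, outside the per-request function, and routing both through one small matcher keeps the selection to a single readable expression and avoids rebuilding the regex arrays on every request. The `setHeaders` IIFE and the `padHeaders` setup begin before the hunk, so only the lines shown here were reviewed.
```javascript
        const ooHeaders = clone(headers);
        // … unchanged: ooContentSecurity clone …
        // pad pages take precedence over OnlyOffice pages; everything else gets the default set
        const padPaths = [/^\/pad(2)?\/inner\.html.*/];
        const ooPaths = [
            /^\/sheet\/inner\.html.*/,
            /^\/common\/onlyoffice\/.*\/index\.html.*/,
        ];
        if (Object.keys(headers).length) {
            return function (req, res) {
                const matches = (patterns) => patterns.some((regex) => regex.test(req.url));
                const h = matches(padPaths) ? padHeaders : (matches(ooPaths) ? ooHeaders : headers);
                // … unchanged: setHeader loop …
            };
        }
```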