Update CSP for OnlyOffice apps

pull/1/head
yflory 6 years ago
parent 9ca7d504d2
commit d5f98c916b

@ -88,6 +88,28 @@ module.exports = {
"img-src * blob:",
].join('; '),
// OnlyOffice requires even more lax content security policy in order to function.
ooContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be
* configured for best effect.
*/
"child-src *",
// IE/Edge
"frame-src *",
// see the comment above in the 'contentSecurity' section
"connect-src 'self' blob: ws: wss:" + domain,
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
"img-src * blob: data:",
].join('; '),
httpPort: 3000,
// This is for allowing the cross-domain iframe to function when developing
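Review bot: The comment above the `script-src` entry of `ooContentSecurity` (`// Unsafe inline, unsafe-eval are needed for ckeditor :(`) was carried over from the pad policy and no longer explains this line, since ckeditor is not what is served under the OnlyOffice policy; suggest `// OnlyOffice needs 'unsafe-inline' and 'unsafe-eval' to function (see the note above this block)`. It is also worth stating next to the block that this policy is the weakest of the three (`'unsafe-eval'`, `child-src *`, `frame-src *`, `connect-src … ws: wss:` with no host) and is only appropriate on the OnlyOffice pages the server selects it for, so that nobody later reuses it as a default. The hunk header announces 28 new lines but fewer are rendered here, so some lines (probably blanks) appear to be missing from this view.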

@ -75,9 +75,20 @@ var setHeaders = (function () {
if (config.padContentSecurity) {
padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
}
const ooHeaders = clone(headers);
if (config.ooContentSecurity) {
ooHeaders['Content-Security-Policy'] = clone(config.ooContentSecurity);
}
if (Object.keys(headers).length) {
return function (req, res) {
const h = /^\/pad(2)?\/inner\.html.*/.test(req.url) ? padHeaders : headers;
const h = [/^\/pad(2)?\/inner\.html.*/].some((regex) => {
return regex.test(req.url)
}) ? padHeaders : ([
/^\/sheet\/inner\.html.*/,
/^\/common\/onlyoffice\/.*\/index\.html.*/
].some((regex) => {
return regex.test(req.url)
}) ? ooHeaders : headers);
for (let header in h) { res.setHeader(header, h[header]); }
};
}
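Review bot: The new header selection tests its patterns against `req.url`, which still carries the query string, so the `.*` in `/^\/common\/onlyoffice\/.*\/index\.html.*/` lets a query such as `?x=/index.html` satisfy the `/index.html` part for any URL under `/common/onlyoffice/`, and that branch is the one handing out the laxest policy (`'unsafe-eval'`, `frame-src *`). Matching on the path alone (`req.url.split('?')[0]`) removes that ambiguity; if the OnlyOffice files live in a single directory level, tightening the middle `.*` to `[^/]+` would narrow it further, but that depends on the layout and should be confirmed. Separately, the nested ternary wrapped around two `.some()` calls is hard to read, the arrow bodies lack semicolons, and the pattern arrays are constant and need not be rebuilt per request. The enclosing `setHeaders` IIFE starts before this hunk and continues past it.
```javascript
    // Patterns are constant: build them once rather than on every request.
    const padPaths = [/^\/pad(2)?\/inner\.html/];
    const ooPaths = [
        /^\/sheet\/inner\.html/,
        /^\/common\/onlyoffice\/.*\/index\.html/,
    ];
    if (Object.keys(headers).length) {
        return function (req, res) {
            // Match on the path only: a query string such as `?x=/index.html`
            // must not be able to select the laxer OnlyOffice policy.
            const path = req.url.split('?')[0];
            const matchesAny = (patterns) => patterns.some((regex) => regex.test(path));
            let h = headers;
            if (matchesAny(padPaths)) {
                h = padHeaders;
            } else if (matchesAny(ooPaths)) {
                h = ooHeaders;
            }
            for (let header in h) { res.setHeader(header, h[header]); }
        };
    }
```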
