Merge branch 'pad2' of github.com:xwiki-labs/cryptpad into pad2

yflory 7 years ago
commit d88704fb50

@ -17,7 +17,8 @@ module.exports = {
httpHeaders: { httpHeaders: {
"X-XSS-Protection": "1; mode=block", "X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff" "X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
}, },
contentSecurity: [ contentSecurity: [
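Review bot: The new `"Access-Control-Allow-Origin": "*"` at the end of httpHeaders is applied to every response the server sends, not only to what the cross-domain iframe needs, so any site can read any non-credentialed resource served here, presumably including the generated `/api/config` script. If the wildcard exists only so the safe origin can fetch from the main origin, answering with that single origin (httpSafeOrigin when it is configured) would keep the same functionality with a smaller exposure. At minimum a comment on this line stating why `*` is required would record the decision for the next reader.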
@ -45,8 +46,8 @@ module.exports = {
// data: is used by codemirror // data: is used by codemirror
"img-src 'self' data: blob:", "img-src 'self' data: blob:",
// for accounts.cryptpad.fr authentication // for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox
"frame-ancestors 'self' accounts.cryptpad.fr", "frame-ancestors *",
].join('; '), ].join('; '),
// CKEditor requires significantly more lax content security policy in order to function. // CKEditor requires significantly more lax content security policy in order to function.
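Review bot: `"frame-ancestors *"` on the new side of this hunk replaces the `'self' accounts.cryptpad.fr` allow-list in the CSP that is sent for every page, so any third-party site may now frame the outer CryptPad pages as well as the inner one, which is exactly the clickjacking exposure frame-ancestors exists to prevent. Only the sandboxed `/pad2/inner.html` document has to be framed from another origin, and server.js already selects a separate header set (`padHeaders`) for that path, so the wildcard — or better, the main origin — can be confined to that set while the general policy keeps `frame-ancestors 'self' accounts.cryptpad.fr`. The same widening appears in the backward-compat fallback in the server.js hunk at `-38,7 +38,8`, which now appends `"frame-ancestors *;"` to the policy for every response.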
@ -71,6 +72,13 @@ module.exports = {
httpPort: 3000, httpPort: 3000,
// This is for allowing the cross-domain iframe to function when developing
httpSafePort: 3001,
// This is for deployment in production, CryptPad uses a separate origin (domain) to host the
// cross-domain iframe. It can simply host the same content as CryptPad.
// httpSafeOrigin: "https://some-other-domain.xyz",
/* your server's websocket url is configurable /* your server's websocket url is configurable
* (default: '/cryptpad_websocket') * (default: '/cryptpad_websocket')
* *
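Review bot: The comment on httpSafePort says it is for development, but the shipped default leaves it set while httpSafeOrigin stays commented out, and the `/api/config` hunk in server.js derives the iframe origin from httpSafePort by replacing a trailing `:port` in `window.location.origin` — on a production deployment reached without an explicit port that replacement matches nothing, so the iframe is loaded from the main origin and the sandbox is silently not cross-domain. That caveat belongs here, e.g. `// In production set httpSafeOrigin; httpSafePort only works when the site URL carries an explicit port, otherwise the iframe falls back to the same origin.` It would also help to state that httpSafeOrigin takes precedence over httpSafePort when both are set, as the server code checks it first.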

@ -38,7 +38,8 @@ var setHeaders = (function () {
if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) { if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
// backward compat for those who do not merge the new version of the config // backward compat for those who do not merge the new version of the config
// when updating. This prevents endless spinner if someone clicks donate. // when updating. This prevents endless spinner if someone clicks donate.
headers['Content-Security-Policy'] += "frame-ancestors 'self' accounts.cryptpad.fr;"; // It also fixes the cross-domain iframe.
headers['Content-Security-Policy'] += "frame-ancestors *;";
} }
} }
const padHeaders = clone(headers); const padHeaders = clone(headers);
@ -47,7 +48,7 @@ var setHeaders = (function () {
} }
if (Object.keys(headers).length) { if (Object.keys(headers).length) {
return function (req, res) { return function (req, res) {
const h = /^\/pad\/inner\.html.*/.test(req.url) ? padHeaders : headers; const h = /^\/pad(2)?\/inner\.html.*/.test(req.url) ? padHeaders : headers;
for (let header in h) { res.setHeader(header, h[header]); } for (let header in h) { res.setHeader(header, h[header]); }
}; };
} }
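Review bot: The new route test `/^\/pad(2)?\/inner\.html.*/` carries a capturing group and a trailing `.*` that do nothing — the group is never read and `test` does not need the rest of the string to be consumed; `/^\/pad2?\/inner\.html/` expresses the same match. Note also that this switch hands the relaxed CKEditor header set (`padHeaders`) to the sandboxed pad2 document as well; if the pad2 inner page does not host CKEditor it should keep the stricter default set, since the point of the sandbox is to give that document less, not more, latitude.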
@ -124,18 +125,29 @@ if (config.privKeyAndCertFiles) {
app.get('/api/config', function(req, res){ app.get('/api/config', function(req, res){
var host = req.headers.host.replace(/\:[0-9]+/, ''); var host = req.headers.host.replace(/\:[0-9]+/, '');
res.setHeader('Content-Type', 'text/javascript'); res.setHeader('Content-Type', 'text/javascript');
res.send('define(' + JSON.stringify({ res.send('define(function(){\n' + [
requireConf: { 'var obj = ' + JSON.stringify({
waitSeconds: 60, requireConf: {
urlArgs: 'ver=' + Package.version + (DEV_MODE? '-' + (+new Date()): ''), waitSeconds: 60,
}, urlArgs: 'ver=' + Package.version + (DEV_MODE? '-' + (+new Date()): ''),
removeDonateButton: (config.removeDonateButton === true), },
allowSubscriptions: (config.allowSubscriptions === true), removeDonateButton: (config.removeDonateButton === true),
allowSubscriptions: (config.allowSubscriptions === true),
websocketPath: config.useExternalWebsocket ? undefined : config.websocketPath, websocketPath: config.useExternalWebsocket ? undefined : config.websocketPath,
websocketURL:'ws' + ((useSecureWebsockets) ? 's' : '') + '://' + host + ':' + websocketURL:'ws' + ((useSecureWebsockets) ? 's' : '') + '://' + host + ':' +
websocketPort + '/cryptpad_websocket', websocketPort + '/cryptpad_websocket',
}) + ');'); }, null, '\t'),
'obj.httpSafeOrigin = ' + (function () {
if (config.httpSafeOrigin) { return config.httpSafeOrigin; }
if (config.httpSafePort) {
return "(function () { return window.location.origin.replace(/\:[0-9]+$/, ':" +
config.httpSafePort + "'); }())";
}
return 'window.location.origin';
}()),
'return obj',
'});'
].join(';\n'));
}); });
var httpServer = httpsOpts ? Https.createServer(httpsOpts, app) : Http.createServer(app); var httpServer = httpsOpts ? Https.createServer(httpsOpts, app) : Http.createServer(app);
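Review bot: In the httpSafeOrigin branch of the generated `/api/config` script, `return config.httpSafeOrigin;` emits the configured origin as bare JavaScript source rather than as a string literal, so with the documented value `https://some-other-domain.xyz` the client receives `obj.httpSafeOrigin = https://some-other-domain.xyz;`, which parses as the identifier `https`, a stray `:` and a line comment — a syntax error that takes the whole config module down. The other two branches already return JavaScript expressions; this one should return `JSON.stringify(config.httpSafeOrigin)` so the value is quoted and escaped like the rest of the object. Since the response is now assembled by string concatenation, keeping every config-derived value inside JSON.stringify is also what keeps operator-supplied configuration from being interpreted as code.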
@ -149,7 +161,9 @@ httpServer.listen(config.httpPort,config.httpAddress,function(){
console.log('\n[%s] server available http://%s%s', new Date().toISOString(), hostName, ps); console.log('\n[%s] server available http://%s%s', new Date().toISOString(), hostName, ps);
}); });
Http.createServer(app).listen(config.httpPort+1, config.httpAddress); if (config.httpSafePort) {
Http.createServer(app).listen(config.httpSafePort, config.httpAddress);
}
var wsConfig = { server: httpServer }; var wsConfig = { server: httpServer };
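Review bot: The safe-port listener added here is always a plain `Http.createServer(app)`, while the main server a few lines above is `httpsOpts ? Https.createServer(httpsOpts, app) : Http.createServer(app)`; when httpsOpts is configured and httpSafeOrigin is not, the client-side fallback generated in `/api/config` keeps the `https://` scheme and only swaps the port, so the iframe would be requested over TLS from a port that speaks plain HTTP. Reusing the same selection, `(httpsOpts ? Https.createServer(httpsOpts, app) : Http.createServer(app)).listen(config.httpSafePort, config.httpAddress);`, keeps both listeners on one scheme. Unlike the main listener this one has no callback, so a failed bind on the safe port (already in use) is not reported anywhere.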

@ -82,7 +82,7 @@ define([], function () {
}, },
getMetadata: function () { getMetadata: function () {
checkUpdate(false); checkUpdate(false);
return metadataObj; return Object.freeze(JSON.parse(JSON.stringify(metadataObj)));
}, },
getMetadataLazy: function () { getMetadataLazy: function () {
return metadataLazyObj; return metadataLazyObj;
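Review bot: `Object.freeze` on the new `getMetadata` return value is shallow, so if metadataObj holds nested objects or arrays the copy's inner values remain writable and callers can still mutate them without any error — presumably the intent is a read-only snapshot, so either freeze recursively or document the limitation, e.g. `// shallow-frozen deep copy; nested values are still writable`. The JSON round-trip also silently drops `undefined` values and functions, which is fine only if the metadata is pure JSON data. `getMetadataLazy` just below keeps returning the live object, so the two accessors now offer different mutability guarantees; a comment saying why would help.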

@ -1,3 +0,0 @@
// Fix for noscript bugs when caching iframe content.
// Caution, this file will get cached, you must change the name if you change it.
document.getElementById('sbox-iframe').setAttribute('src', 'http://localhost:3001/pad2/inner.html?cb=' + (+new Date()));

@ -27,5 +27,4 @@
</style> </style>
</head> </head>
<body> <body>
<iframe id="sbox-iframe"></iframe><script src="/common/sframe-noscriptfix.js"></script> <iframe id="sbox-iframe"></iframe>

@ -1,17 +1,20 @@
define([ define([
'/api/config',
'/common/sframe-channel.js', '/common/sframe-channel.js',
'jquery', 'jquery',
'/common/sframe-chainpad-netflux-outer.js', '/common/sframe-chainpad-netflux-outer.js',
'/bower_components/nthen/index.js', '/bower_components/nthen/index.js',
'/common/cryptpad-common.js', '/common/cryptpad-common.js',
'/bower_components/chainpad-crypto/crypto.js' '/bower_components/chainpad-crypto/crypto.js'
], function (SFrameChannel, $, CpNfOuter, nThen, Cryptpad, Crypto) { ], function (ApiConfig, SFrameChannel, $, CpNfOuter, nThen, Cryptpad, Crypto) {
console.log('xxx'); console.log('xxx');
var sframeChan; var sframeChan;
nThen(function (waitFor) { nThen(function (waitFor) {
$(waitFor()); $(waitFor());
}).nThen(function (waitFor) { }).nThen(function (waitFor) {
$('#sbox-iframe').attr('src',
ApiConfig.httpSafeOrigin + '/pad2/inner.html?' + ApiConfig.requireConf.urlArgs);
SFrameChannel.create($('#sbox-iframe')[0].contentWindow, waitFor(function (sfc) { SFrameChannel.create($('#sbox-iframe')[0].contentWindow, waitFor(function (sfc) {
sframeChan = sfc; sframeChan = sfc;
console.log('sframe initialized'); console.log('sframe initialized');
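Review bot: The iframe src assigned on the new lines makes the inner document cross-origin, but `SFrameChannel.create` is still handed only the `contentWindow`; nothing in this hunk passes it the expected origin (`ApiConfig.httpSafeOrigin`), so unless the channel module (not in this diff) checks `event.origin` on receipt and targets that origin in `postMessage`, whatever document ends up in the frame is accepted as the peer. Passing the origin alongside the window, e.g. `SFrameChannel.create($('#sbox-iframe')[0].contentWindow, ApiConfig.httpSafeOrigin, waitFor(...))`, would let both ends validate it; I cannot see the create signature, so treat this as a question rather than a fix. The define callback continues past the end of the hunk.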
