Merge branch 'pad2' of github.com:xwiki-labs/cryptpad into pad2

pull/1/head
yflory 7 years ago
commit d88704fb50

@ -17,7 +17,8 @@ module.exports = {
httpHeaders: {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff"
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
contentSecurity: [
@ -45,8 +46,8 @@ module.exports = {
// data: is used by codemirror
"img-src 'self' data: blob:",
// for accounts.cryptpad.fr authentication
"frame-ancestors 'self' accounts.cryptpad.fr",
// for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox
"frame-ancestors *",
].join('; '),
// CKEditor requires significantly more lax content security policy in order to function.
@ -71,6 +72,13 @@ module.exports = {
httpPort: 3000,
// This is for allowing the cross-domain iframe to function when developing
httpSafePort: 3001,
// This is for deployment in production, CryptPad uses a separate origin (domain) to host the
// cross-domain iframe. It can simply host the same content as CryptPad.
// httpSafeOrigin: "https://some-other-domain.xyz",
/* your server's websocket url is configurable
* (default: '/cryptpad_websocket')
*

@ -38,7 +38,8 @@ var setHeaders = (function () {
if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
// backward compat for those who do not merge the new version of the config
// when updating. This prevents endless spinner if someone clicks donate.
headers['Content-Security-Policy'] += "frame-ancestors 'self' accounts.cryptpad.fr;";
// It also fixes the cross-domain iframe.
headers['Content-Security-Policy'] += "frame-ancestors *;";
}
}
const padHeaders = clone(headers);
@ -47,7 +48,7 @@ var setHeaders = (function () {
}
if (Object.keys(headers).length) {
return function (req, res) {
const h = /^\/pad\/inner\.html.*/.test(req.url) ? padHeaders : headers;
const h = /^\/pad(2)?\/inner\.html.*/.test(req.url) ? padHeaders : headers;
for (let header in h) { res.setHeader(header, h[header]); }
};
}
@ -124,18 +125,29 @@ if (config.privKeyAndCertFiles) {
app.get('/api/config', function(req, res){
var host = req.headers.host.replace(/\:[0-9]+/, '');
res.setHeader('Content-Type', 'text/javascript');
res.send('define(' + JSON.stringify({
requireConf: {
waitSeconds: 60,
urlArgs: 'ver=' + Package.version + (DEV_MODE? '-' + (+new Date()): ''),
},
removeDonateButton: (config.removeDonateButton === true),
allowSubscriptions: (config.allowSubscriptions === true),
websocketPath: config.useExternalWebsocket ? undefined : config.websocketPath,
websocketURL:'ws' + ((useSecureWebsockets) ? 's' : '') + '://' + host + ':' +
websocketPort + '/cryptpad_websocket',
}) + ');');
res.send('define(function(){\n' + [
'var obj = ' + JSON.stringify({
requireConf: {
waitSeconds: 60,
urlArgs: 'ver=' + Package.version + (DEV_MODE? '-' + (+new Date()): ''),
},
removeDonateButton: (config.removeDonateButton === true),
allowSubscriptions: (config.allowSubscriptions === true),
websocketPath: config.useExternalWebsocket ? undefined : config.websocketPath,
websocketURL:'ws' + ((useSecureWebsockets) ? 's' : '') + '://' + host + ':' +
websocketPort + '/cryptpad_websocket',
}, null, '\t'),
'obj.httpSafeOrigin = ' + (function () {
if (config.httpSafeOrigin) { return config.httpSafeOrigin; }
if (config.httpSafePort) {
return "(function () { return window.location.origin.replace(/\:[0-9]+$/, ':" +
config.httpSafePort + "'); }())";
}
return 'window.location.origin';
}()),
'return obj',
'});'
].join(';\n'));
});
var httpServer = httpsOpts ? Https.createServer(httpsOpts, app) : Http.createServer(app);
@ -149,7 +161,9 @@ httpServer.listen(config.httpPort,config.httpAddress,function(){
console.log('\n[%s] server available http://%s%s', new Date().toISOString(), hostName, ps);
});
Http.createServer(app).listen(config.httpPort+1, config.httpAddress);
if (config.httpSafePort) {
Http.createServer(app).listen(config.httpSafePort, config.httpAddress);
}
var wsConfig = { server: httpServer };

@ -82,7 +82,7 @@ define([], function () {
},
getMetadata: function () {
checkUpdate(false);
return metadataObj;
return Object.freeze(JSON.parse(JSON.stringify(metadataObj)));
},
getMetadataLazy: function () {
return metadataLazyObj;

@ -1,3 +0,0 @@
// Fix for noscript bugs when caching iframe content.
// Caution, this file will get cached, you must change the name if you change it.
document.getElementById('sbox-iframe').setAttribute('src', 'http://localhost:3001/pad2/inner.html?cb=' + (+new Date()));

@ -27,5 +27,4 @@
</style>
</head>
<body>
<iframe id="sbox-iframe"></iframe><script src="/common/sframe-noscriptfix.js"></script>
<iframe id="sbox-iframe"></iframe>

@ -1,17 +1,20 @@
define([
'/api/config',
'/common/sframe-channel.js',
'jquery',
'/common/sframe-chainpad-netflux-outer.js',
'/bower_components/nthen/index.js',
'/common/cryptpad-common.js',
'/bower_components/chainpad-crypto/crypto.js'
], function (SFrameChannel, $, CpNfOuter, nThen, Cryptpad, Crypto) {
], function (ApiConfig, SFrameChannel, $, CpNfOuter, nThen, Cryptpad, Crypto) {
console.log('xxx');
var sframeChan;
nThen(function (waitFor) {
$(waitFor());
}).nThen(function (waitFor) {
$('#sbox-iframe').attr('src',
ApiConfig.httpSafeOrigin + '/pad2/inner.html?' + ApiConfig.requireConf.urlArgs);
SFrameChannel.create($('#sbox-iframe')[0].contentWindow, waitFor(function (sfc) {
sframeChan = sfc;
console.log('sframe initialized');

Loading…
Cancel
Save