Merge branch 'fix-printing' into staging

2020-10-27 08:13:58 +05:30 · 2020-10-27 08:13:58 +05:30 · d95b0954f9
parent a1ee5943b4 a2b79d84b8
commit d95b0954f9
3 changed files with 18 additions and 6 deletions
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@ -57,9 +57,12 @@ server {
    add_header Access-Control-Allow-Origin "*";
    # add_header X-Frame-Options "SAMEORIGIN";

+    set $coop '';
+    if ($uri ~ ^\/sheet\/.*$) { set $coop 'same-origin'; }
+
    # Enable SharedArrayBuffer in Firefox (for .xlsx export)
    add_header Cross-Origin-Resource-Policy cross-origin;
-    add_header Cross-Origin-Opener-Policy same-origin;
+    add_header Cross-Origin-Opener-Policy $coop;
    add_header Cross-Origin-Embedder-Policy require-corp;

    # Insert the path to your CryptPad repository root here
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -48,9 +48,6 @@ Default.httpHeaders = function () {
        "X-XSS-Protection": "1; mode=block",
        "X-Content-Type-Options": "nosniff",
        "Access-Control-Allow-Origin": "*",
-        "Cross-Origin-Resource-Policy": 'cross-origin',
-        "Cross-Origin-Opener-Policy": 'same-origin',
-        "Cross-Origin-Embedder-Policy": 'require-corp',
    };
 };

--- a/server.js
+++ b/server.js
@ -60,6 +60,10 @@ var app = Express();
    }
 }());

+var applyHeaderMap = function (res, map) {
+    for (let header in map) { res.setHeader(header, map[header]); }
+};
+
 var setHeaders = (function () {
    // load the default http headers unless the admin has provided their own via the config file
    var headers;
@ -96,14 +100,21 @@ var setHeaders = (function () {
    }
    if (Object.keys(headers).length) {
        return function (req, res) {
+            // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
+            applyHeaderMap(res, {
+                "Cross-Origin-Resource-Policy": 'cross-origin',
+                "Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
+                "Cross-Origin-Embedder-Policy": 'require-corp',
+            });
+
+            // targeted CSP, generic policies, maybe custom headers
            const h = [
-                    ///^\/pad\/inner\.html.*/,
                    /^\/common\/onlyoffice\/.*\/index\.html.*/,
                    /^\/(sheet|ooslide|oodoc)\/inner\.html.*/,
                ].some((regex) => {
                    return regex.test(req.url);
                }) ? padHeaders : headers;
-            for (let header in h) { res.setHeader(header, h[header]); }
+            applyHeaderMap(res, h);
        };
    }
    return function () {};
@ -139,6 +150,7 @@ app.use(function (req, res, next) {

    setHeaders(req, res);
    if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); }
+    else { res.setHeader("Cache-Control", "no-cache"); }
    next();
 });