|
|
|
@ -19,6 +19,16 @@ server {
|
|
|
|
|
set $main_domain "your-main-domain.com";
|
|
|
|
|
set $sandbox_domain "your-sandbox-domain.com";
|
|
|
|
|
|
|
|
|
|
# By default CryptPad allows remote domains to embed CryptPad documents in iframes.
|
|
|
|
|
# This behaviour can be blocked by changing $allowed_origins from "*" to the
|
|
|
|
|
# sandbox domain, which must be permitted to load content from the main domain
|
|
|
|
|
# in order for CryptPad to work as expected.
|
|
|
|
|
#
|
|
|
|
|
# An example is given below which can be uncommented if you want to block
|
|
|
|
|
# remote sites from including content from your server
|
|
|
|
|
set $allowed_origins "*";
|
|
|
|
|
# set $allowed_origins "https://${sandbox_domain}";
|
|
|
|
|
|
|
|
|
|
# CryptPad's dynamic content (websocket traffic and encrypted blobs)
|
|
|
|
|
# can be served over separate domains. Using dedicated domains (or subdomains)
|
|
|
|
|
# for these purposes allows you to move them to a separate machine at a later date
|
|
|
|
@ -58,7 +68,7 @@ server {
|
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
|
add_header Access-Control-Allow-Origin "*";
|
|
|
|
|
add_header Access-Control-Allow-Origin "${allowed_origins}";
|
|
|
|
|
# add_header X-Frame-Options "SAMEORIGIN";
|
|
|
|
|
|
|
|
|
|
# Opt out of Google's FLoC Network
|
|
|
|
@ -115,6 +125,9 @@ server {
|
|
|
|
|
# script-src specifies valid sources for javascript, including inline handlers
|
|
|
|
|
set $scriptSrc "'self' resource: https://${main_domain}";
|
|
|
|
|
|
|
|
|
|
# XXX frame-ancestors defines where your cryptpad instance can be embedded...
|
|
|
|
|
set $frameAncestors "https://${main_domain} $https://${sandbox_domain}";
|
|
|
|
|
|
|
|
|
|
set $unsafe 0;
|
|
|
|
|
# the following assets are loaded via the sandbox domain
|
|
|
|
|
# they unfortunately still require exceptions to the sandboxing to work correctly.
|
|
|
|
@ -135,7 +148,7 @@ server {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Finally, set all the rules you composed above.
|
|
|
|
|
add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc;";
|
|
|
|
|
add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
|
|
|
|
|
|
|
|
|
|
# The nodejs process can handle all traffic whether accessed over websocket or as static assets
|
|
|
|
|
# We prefer to serve static content from nginx directly and to leave the API server to handle
|
|
|
|
@ -183,7 +196,7 @@ server {
|
|
|
|
|
# encrypted blobs are immutable and are thus cached for a year
|
|
|
|
|
location ^~ /blob/ {
|
|
|
|
|
if ($request_method = 'OPTIONS') {
|
|
|
|
|
add_header 'Access-Control-Allow-Origin' '*';
|
|
|
|
|
add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
|
|
|
|
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
|
|
|
|
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
|
|
|
|
add_header 'Access-Control-Max-Age' 1728000;
|
|
|
|
@ -192,7 +205,7 @@ server {
|
|
|
|
|
return 204;
|
|
|
|
|
}
|
|
|
|
|
add_header Cache-Control max-age=31536000;
|
|
|
|
|
add_header 'Access-Control-Allow-Origin' '*';
|
|
|
|
|
add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
|
|
|
|
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
|
|
|
|
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
|
|
|
|
|
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
|
|
|
|
|