more WIP checkup

3 years ago · f2ead5b588
parent d736e22c3b
commit f2ead5b588
2 changed files with 10 additions and 8 deletions
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -16,15 +16,15 @@ Default.commonCSP = function (domain, sandbox) {
         *  it is recommended that you configure these fields to match the
         *  domain which will serve your CryptPad instance.
         */
-        "child-src 'self' blob: " + domain + sandbox,
+        "child-src " + domain, //'self' blob: " + domain + sandbox,
        // IE/Edge
-        "frame-src 'self' blob: " + domain + sandbox,
+        "frame-src 'self' blob: " /*+ domain*/ + sandbox,

        /*  this allows connections over secure or insecure websockets
            if you are deploying to production, you'll probably want to remove
-            the ws://* directive, and change '*' to your domain
+            the ws://* directive
         */
-        "connect-src 'self' ws: wss: blob: " + domain + sandbox,
+        "connect-src 'self' ws: blob: " + domain + sandbox,

        // data: is used by codemirror
        "img-src 'self' data: blob:" + domain,
@ -32,6 +32,7 @@ Default.commonCSP = function (domain, sandbox) {

        // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
        "frame-ancestors *",
+        "worker-src 'self'" + domain + sandbox,
        ""
    ];
 };
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@ -993,8 +993,8 @@ define([
                    'blob:',
                    $outer,
                    $sandbox,
-                    /https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
-                    'wss:', // XXX always accept wss: ???
+                    /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+                    ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
                ],

                'img-src': ["'self'", 'data:', 'blob:', $outer],
@ -1030,8 +1030,9 @@ define([
                    'blob:',
                    $outer,
                    $sandbox,
-                    /https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
-                    'wss:', // XXX always accept wss: ???
+                    /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+                    ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
+                    //'wss:', // XXX always accept wss: ???
                ],
                'img-src': ["'self'", 'data:', 'blob:', $outer],
                'media-src': ['blob:'],