diff --git a/lib/defaults.js b/lib/defaults.js
index f43253ccb..a4a2a847e 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -16,15 +16,15 @@ Default.commonCSP = function (domain, sandbox) {
 * it is recommended that you configure these fields to match the
 * domain which will serve your CryptPad instance.
 */
- "child-src 'self' blob: " + domain + sandbox,
+ "child-src " + domain, //'self' blob: " + domain + sandbox,
 // IE/Edge
- "frame-src 'self' blob: " + domain + sandbox,
+ "frame-src 'self' blob: " /*+ domain*/ + sandbox,
 /* this allows connections over secure or insecure websockets if you are deploying to production, you'll probably want to remove
- the ws://* directive, and change '*' to your domain
+ the ws://* directive
 */
- "connect-src 'self' ws: wss: blob: " + domain + sandbox,
+ "connect-src 'self' ws: blob: " + domain + sandbox,
 // data: is used by codemirror
 "img-src 'self' data: blob:" + domain,
@@ -32,6 +32,7 @@ Default.commonCSP = function (domain, sandbox) {
 // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
 "frame-ancestors *",
+ "worker-src 'self'" + domain + sandbox,
 ""
 ];
 };
diff --git a/www/checkup/main.js b/www/checkup/main.js
index 6e7346313..9cc645d4d 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@@ -993,8 +993,8 @@ define([
 'blob:',
 $outer,
 $sandbox,
- /https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
- 'wss:', // XXX always accept wss: ???
+ /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+ ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
 ],
 'img-src': ["'self'", 'data:', 'blob:', $outer],
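Review bot: The new connect-src keeps the wildcard `ws:` but drops `wss:`, so the default now permits plaintext websockets to any host while TLS websockets must match `domain` — which only holds if the browser applies CSP3 scheme matching (`https:` covering `wss:`), and the checkup hunks in this same commit instead expect an explicit `wss://` form of the outer origin that this default never emits. Unless `domain` is already meant to carry a `wss://` entry (not visible here), I would emit it explicitly rather than rely on scheme matching: `"connect-src 'self' ws: blob: " + domain + " " + domain.trim().replace(/^https:\/\//, 'wss://') + sandbox,` — this assumes `domain` is a single `https://host` origin, which the hunk does not show. The `child-src` line also now diverges from `frame-src` (no `'self'`, `blob:` or `sandbox`, with the old tail left behind `//`), which matters for the IE/Edge fallback the comment between them describes; if that is deliberate, say so in the comment, otherwise keep the parts frame-src keeps and delete the commented-out tail. The enclosing `Default.commonCSP` function begins before this hunk.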
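Review bot: `"worker-src 'self'" + domain + sandbox` has no separator after `'self'`; unless `domain` is always passed with a leading space (the neighbouring `"img-src 'self' data: blob:" + domain` suggests it may be, while `"child-src " + domain` in the previous hunk suggests the opposite), the browser receives `'self'https://…` as one malformed source and silently ignores it. Match the connect-src form: `"worker-src 'self' " + domain + sandbox,`. Once worker-src is present it governs workers instead of child-src, and `blob:` — which the old child-src allowed — is now in neither, so a worker started from a Blob URL will be blocked; if that is intended, a one-line `// no blob: on purpose — workers must be served from the origin` would save the next reader a debugging session, otherwise add `blob:`. The enclosing `Default.commonCSP` function begins before this hunk.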
@@ -1030,8 +1030,9 @@ define([
 'blob:',
 $outer,
 $sandbox,
- /https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
- 'wss:', // XXX always accept wss: ???
+ /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+ ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
+ //'wss:', // XXX always accept wss: ???
 ],
 'img-src': ["'self'", 'data:', 'blob:', $outer],
 'media-src': ['blob:'],
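Review bot: The regex on the first added line is unanchored, so `/https:\/\//` also matches an `http://` origin whose path or query happens to contain `https://`, and the string form of `replace` rewrites only the first occurrence wherever it sits; anchor both ends: `/^https:\/\//.test($outer) ? $outer.replace(/^https:\/\//, 'wss://') : 'ws:'`. The unencrypted branch still expects the wildcard `ws:`, meaning the checkup accepts plaintext websockets to any host even though the encrypted branch pins them to one origin; if `$outer` is a single `http://host` origin (not visible here), `$outer.replace(/^http:\/\//, 'ws://')` would be the consistent expectation. The two commented-out lines that follow are dead code and should be deleted rather than kept behind `//`. The surrounding `define([` callback starts and ends outside this hunk.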