From f2ead5b588cd6114ee64db181eccd1012f96a4c8 Mon Sep 17 00:00:00 2001
From: ansuz <git@ansuz.xyz>
Date: Thu, 10 Feb 2022 14:32:14 +0530
Subject: [PATCH] more WIP checkup

---
 lib/defaults.js     | 9 +++++----
 www/checkup/main.js | 9 +++++----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/lib/defaults.js b/lib/defaults.js
index f43253ccb..a4a2a847e 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -16,15 +16,15 @@ Default.commonCSP = function (domain, sandbox) {
          *  it is recommended that you configure these fields to match the
          *  domain which will serve your CryptPad instance.
          */
-        "child-src 'self' blob: " + domain + sandbox,
+        "child-src " + domain, //'self' blob: " + domain + sandbox,
         // IE/Edge
-        "frame-src 'self' blob: " + domain + sandbox,
+        "frame-src 'self' blob: " /*+ domain*/ + sandbox,
 
         /*  this allows connections over secure or insecure websockets
             if you are deploying to production, you'll probably want to remove
-            the ws://* directive, and change '*' to your domain
+            the ws://* directive
          */
-        "connect-src 'self' ws: wss: blob: " + domain + sandbox,
+        "connect-src 'self' ws: blob: " + domain + sandbox,
 
         // data: is used by codemirror
         "img-src 'self' data: blob:" + domain,
@@ -32,6 +32,7 @@ Default.commonCSP = function (domain, sandbox) {
 
         // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
         "frame-ancestors *",
+        "worker-src 'self'" + domain + sandbox,
         ""
     ];
 };
diff --git a/www/checkup/main.js b/www/checkup/main.js
index 6e7346313..9cc645d4d 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@@ -993,8 +993,8 @@ define([
                     'blob:',
                     $outer,
                     $sandbox,
-                    /https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
-                    'wss:', // XXX always accept wss: ???
+                    /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+                    ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
                 ],
 
                 'img-src': ["'self'", 'data:', 'blob:', $outer],
@@ -1030,8 +1030,9 @@ define([
                     'blob:',
                     $outer,
                     $sandbox,
-                    /https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
-                    'wss:', // XXX always accept wss: ???
+                    /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+                    ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
+                    //'wss:', // XXX always accept wss: ???
                 ],
                 'img-src': ["'self'", 'data:', 'blob:', $outer],
                 'media-src': ['blob:'],