|
|
@ -16,15 +16,15 @@ Default.commonCSP = function (domain, sandbox) {
|
|
|
|
* it is recommended that you configure these fields to match the
|
|
|
|
* it is recommended that you configure these fields to match the
|
|
|
|
* domain which will serve your CryptPad instance.
|
|
|
|
* domain which will serve your CryptPad instance.
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
"child-src 'self' blob: " + domain + sandbox,
|
|
|
|
"child-src " + domain, //'self' blob: " + domain + sandbox,
|
|
|
|
// IE/Edge
|
|
|
|
// IE/Edge
|
|
|
|
"frame-src 'self' blob: " + domain + sandbox,
|
|
|
|
"frame-src 'self' blob: " /*+ domain*/ + sandbox,
|
|
|
|
|
|
|
|
|
|
|
|
/* this allows connections over secure or insecure websockets
|
|
|
|
/* this allows connections over secure or insecure websockets
|
|
|
|
if you are deploying to production, you'll probably want to remove
|
|
|
|
if you are deploying to production, you'll probably want to remove
|
|
|
|
the ws://* directive, and change '*' to your domain
|
|
|
|
the ws://* directive
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
"connect-src 'self' ws: wss: blob: " + domain + sandbox,
|
|
|
|
"connect-src 'self' ws: blob: " + domain + sandbox,
|
|
|
|
|
|
|
|
|
|
|
|
// data: is used by codemirror
|
|
|
|
// data: is used by codemirror
|
|
|
|
"img-src 'self' data: blob:" + domain,
|
|
|
|
"img-src 'self' data: blob:" + domain,
|
|
|
@ -32,6 +32,7 @@ Default.commonCSP = function (domain, sandbox) {
|
|
|
|
|
|
|
|
|
|
|
|
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
|
|
|
|
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
|
|
|
|
"frame-ancestors *",
|
|
|
|
"frame-ancestors *",
|
|
|
|
|
|
|
|
"worker-src 'self'" + domain + sandbox,
|
|
|
|
""
|
|
|
|
""
|
|
|
|
];
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
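Review bot: The new connect-src on the `"connect-src 'self' ws: blob: " + domain + sandbox,` line drops `wss:` while keeping `ws:`, which is backwards for a production CSP: `ws:` is the plaintext scheme the comment two lines above tells deployers to remove, and the secure scheme is now allowed only implicitly. CSP Level 3 user agents treat a `ws:` scheme-source as also matching `wss:`, but the `// IE/Edge` comment in the same hunk suggests older engines are still a target, and those match schemes literally, so an operator who follows the comment and deletes `ws:` is left with `'self'` plus `domain`, which such engines do not apply to WebSocket URLs. I would keep the secure scheme explicit — `"connect-src 'self' ws: wss: blob: " + domain + sandbox,` — and reword the comment to `remove the ws: source so that only wss: (and your own domain) remain`. Separately, the `//'self' blob: " + domain + sandbox,` and `/*+ domain*/` remnants on the child-src and frame-src lines are commented-out code; if dropping `'self'` and `blob:` from child-src is intentional, a one-line comment stating why (e.g. `// child-src: only the configured domain may be embedded; frame-src below covers IE/Edge`) is better than dead code. The commonCSP function whose array these entries belong to starts before the first hunk, so the origin and expected leading whitespace of `domain` (the new `"worker-src 'self'" + domain + sandbox,` line relies on it beginning with a space, as img-src already does) cannot be confirmed from here.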
|
|
|
|