more WIP checkup

pull/1/head
ansuz 3 years ago
parent d736e22c3b
commit f2ead5b588

@ -16,15 +16,15 @@ Default.commonCSP = function (domain, sandbox) {
* it is recommended that you configure these fields to match the * it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance. * domain which will serve your CryptPad instance.
*/ */
"child-src 'self' blob: " + domain + sandbox, "child-src " + domain, //'self' blob: " + domain + sandbox,
// IE/Edge // IE/Edge
"frame-src 'self' blob: " + domain + sandbox, "frame-src 'self' blob: " /*+ domain*/ + sandbox,
/* this allows connections over secure or insecure websockets /* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain the ws://* directive
*/ */
"connect-src 'self' ws: wss: blob: " + domain + sandbox, "connect-src 'self' ws: blob: " + domain + sandbox,
// data: is used by codemirror // data: is used by codemirror
"img-src 'self' data: blob:" + domain, "img-src 'self' data: blob:" + domain,
@ -32,6 +32,7 @@ Default.commonCSP = function (domain, sandbox) {
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
"frame-ancestors *", "frame-ancestors *",
"worker-src 'self'" + domain + sandbox,
"" ""
]; ];
}; };
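Review bot: The added `"worker-src 'self'" + domain + sandbox` in the second hunk has no separator between `'self'` and the first appended origin, so unless `domain` already carries a leading space (the unchanged `img-src` line suggests it may, while the `child-src`/`frame-src` lines in the first hunk add their own) the directive collapses into one malformed source and same-origin workers are refused; `"worker-src 'self' " + domain + sandbox` matches the spacing the other directives use. In the first hunk the new `connect-src` drops `wss:` but keeps the bare `ws:` scheme source, which admits cleartext websocket connections to any host, and an operator who follows the comment above it and removes `ws:` is then left depending on the `https://` origin in `domain` also matching `wss://` URLs, which older CSP implementations do not do. Deriving an explicit `wss://` origin from `domain`, as this commit already does for `$outer` in the other file, would make the intended websocket source explicit. `commonCSP` begins before the first hunk and both hunks sit inside the array it returns.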

@ -993,8 +993,8 @@ define([
'blob:', 'blob:',
$outer, $outer,
$sandbox, $sandbox,
/https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
'wss:', // XXX always accept wss: ??? ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
], ],
'img-src': ["'self'", 'data:', 'blob:', $outer], 'img-src': ["'self'", 'data:', 'blob:', $outer],
@ -1030,8 +1030,9 @@ define([
'blob:', 'blob:',
$outer, $outer,
$sandbox, $sandbox,
/https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
'wss:', // XXX always accept wss: ??? ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
//'wss:', // XXX always accept wss: ???
], ],
'img-src': ["'self'", 'data:', 'blob:', $outer], 'img-src': ["'self'", 'data:', 'blob:', $outer],
'media-src': ['blob:'], 'media-src': ['blob:'],
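Review bot: The regex on the new line `/https:\/\//.test($outer)` is unanchored, so any `$outer` value that merely contains `https://` rather than starting with it passes the test while the first-occurrence `replace` may not rewrite the origin as intended; `/^https:\/\//.test($outer)` pins it to the scheme. In the non-https branch the directive falls back to the bare scheme source `'ws:'`, which permits cleartext websocket connections to any host, whereas the https branch is scoped to the instance's own origin; `$outer.replace(/^http:\/\//, 'ws://')` would keep the two branches symmetric, assuming `$outer` is always an absolute origin here, which the hunk does not show. The same expression is duplicated verbatim in the `-993` and `-1030` hunks, each followed by commented-out earlier versions, so a small helper such as `var wsOrigin = function (origin) { return /^https:\/\//.test(origin) ? origin.replace(/^https:\/\//, 'wss://') : 'ws:'; };` would keep them in step and let the dead `//` lines go. The enclosing `connect-src` arrays and the `define([` callback around them start outside both hunks.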
