From fa8e901f541fb247584a1ac9d7db53828bb8f580 Mon Sep 17 00:00:00 2001 From: ansuz Date: Fri, 18 Feb 2022 13:59:00 +0530 Subject: [PATCH] drop support for 'config.contentSecurity' --- server.js | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/server.js b/server.js index 41b0b016d..a08a7e5c3 100644 --- a/server.js +++ b/server.js @@ -69,33 +69,9 @@ var getHeaders = function (Env, type) { headers = Default.httpHeaders(Env); } - // next define the base Content Security Policy (CSP) headers - if (typeof(config.contentSecurity) === 'string') { // XXX deprecate this??? - headers['Content-Security-Policy'] = config.contentSecurity; - if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' } - if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) { - // backward compat for those who do not merge the new version of the config - // when updating. This prevents endless spinner if someone clicks donate. - // It also fixes the cross-domain iframe. - headers['Content-Security-Policy'] += "frame-ancestors *;"; - } - } else { - // use the default CSP headers constructed with your domain - headers['Content-Security-Policy'] = Default.contentSecurity(Env); - } - - //const padHeaders = Util.clone(headers); - if (type === 'office') { - if (typeof(config.padContentSecurity) === 'string') { - headers['Content-Security-Policy'] = config.padContentSecurity; // XXX drop support for this - } else { - headers['Content-Security-Policy'] = Default.padContentSecurity(Env); - } - } -/* headers['Content-Security-Policy'] = type === 'office'? Default.padContentSecurity(Env): - Default.contentSecurity(Env);*/ + Default.contentSecurity(Env); if (Env.NO_SANDBOX) { // handles correct configuration for local development // https://stackoverflow.com/questions/11531121/add-duplicate-http-response-headers-in-nodejs