cryptpad/lib/defaults.js

// All defaults below are attached to this module's exports object.
var Default = module.exports;
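/**
 * Builds the Content-Security-Policy directives shared by every CSP variant
 * this module produces (the callers append their own `script-src`).
 *
 * Every source list is derived from the configured origins, so the policy is
 * only as tight as `Env.httpUnsafeOrigin` / `Env.httpSafeOrigin`; they should
 * match the exact origins the instance is served from.
 *
 * @param {object} Env - server environment; reads httpUnsafeOrigin,
 *   httpSafeOrigin, accounts_api, enableEmbedding and protocol
 * @returns {string[]} directive strings; the trailing empty element makes
 *   `join('; ')` end with "; " so a caller can concatenate `script-src`
 *   directly after it
 */
Default.commonCSP = function (Env) {
    // Leading space so the value can be concatenated straight after a
    // source list ("... 'self'" + domain).
    var domain = ' ' + Env.httpUnsafeOrigin;
    var sandbox = Env.httpSafeOrigin;
    // List the sandbox origin only when it differs from the main origin.
    // Compare against the raw origin: `domain` carries a leading space, so a
    // comparison against it can never match and the same origin would simply
    // be listed twice.
    sandbox = (sandbox && sandbox !== Env.httpUnsafeOrigin) ? ' ' + sandbox : '';
    var accounts_api = Env.accounts_api ? ' ' + Env.accounts_api : '';
    return [
        "default-src 'none'",
        "style-src 'unsafe-inline' 'self' " + domain,
        "font-src 'self' data:" + domain,
        /* child-src is used to restrict iframes to a set of allowed domains.
         * connect-src is used to restrict what domains can connect to the websocket.
         *
         * it is recommended that you configure these fields to match the
         * domain which will serve your CryptPad instance.
         */
        "child-src " + domain,
        // IE/Edge
        "frame-src 'self' blob: " + sandbox,
        /* Websocket sources. NOTE(review): `domain` starts with a space, so
         * the /^https:/ test below never matches and the `replace` branch
         * always runs. For an http origin that yields its ws:// twin; for an
         * https origin the string contains no "http://" and is left as-is,
         * so the https origin is listed (again) instead of a blanket `wss:`.
         * That is a narrower policy than the test appears to intend, so it is
         * deliberately left unchanged here — confirm the intent before
         * widening it to `wss:`.
         */
        "connect-src 'self' localhost blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox + accounts_api,
        // data: is used by codemirror
        "img-src 'self' data: blob:" + domain,
        "media-src blob:",
        // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
        // With embedding enabled any page on the configured protocol may frame
        // the instance; otherwise only the main origin may.
        Env.enableEmbedding? `frame-ancestors 'self' ${Env.protocol} vector:`: `frame-ancestors 'self' ${domain}`,
        "worker-src 'self'",
        // Trailing empty entry: see the @returns note above.
        ""
    ];
};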
/**
 * Full CSP header value for ordinary (non-pad) pages: the common directives
 * plus a `script-src` restricted to the main origin and the `resource:`
 * scheme. Runs of whitespace are collapsed so the header is one clean line.
 *
 * @param {object} Env - server environment (see commonCSP)
 * @returns {string} header value
 */
Default.contentSecurity = function (Env) {
    var common = Default.commonCSP(Env).join('; ');
    var scriptSrc = "script-src 'self' resource: " + Env.httpUnsafeOrigin;
    return (common + scriptSrc).replace(/\s+/g, ' ');
};
/**
 * CSP header value for pad pages. Identical to contentSecurity except that
 * `script-src` additionally carries 'unsafe-eval' and 'unsafe-inline'.
 *
 * Those two keywords effectively switch off script-src as an XSS mitigation
 * for these pages; which component needs them is not visible here, so do not
 * widen this list further.
 *
 * @param {object} Env - server environment (see commonCSP)
 * @returns {string} header value
 */
Default.padContentSecurity = function (Env) {
    var directives = Default.commonCSP(Env);
    var scriptSrc = "script-src 'self' 'unsafe-eval' 'unsafe-inline' resource: " + Env.httpUnsafeOrigin;
    return (directives.join('; ') + scriptSrc).replace(/\s+/g, ' ');
};
/**
 * CSP header value for diagram pages. Instead of 'unsafe-inline', two inline
 * scripts are allow-listed by SHA-256 hash; if either inline script changes
 * its hash here must be regenerated or the browser will block it.
 *
 * @param {object} Env - server environment (see commonCSP)
 * @returns {string} header value
 */
Default.diagramContentSecurity = function (Env) {
    var base = Default.commonCSP(Env).join('; ');
    var scriptSrc = "script-src 'self' 'sha256-6zAB96lsBZREqf0sT44BhH1T69sm7HrN34rpMOcWbNo=' 'sha256-6g514VrT/cZFZltSaKxIVNFF46+MFaTSDTPB8WfYK+c=' resource: " + Env.httpUnsafeOrigin;
    return (base + scriptSrc).replace(/\s+/g, ' ');
};
/**
 * Additional security-related response headers sent with every page.
 *
 * @param {object} Env - server environment; reads enableEmbedding and
 *   permittedEmbedders
 * @returns {Object<string,string>} header name → value
 */
Default.httpHeaders = function (Env) {
    var allowOrigin;
    if (Env.enableEmbedding) {
        allowOrigin = '*';
    } else {
        // NOTE(review): Access-Control-Allow-Origin accepts a single origin
        // or '*'; if permittedEmbedders can hold several origins this value
        // would be invalid — verify against where it is configured.
        allowOrigin = Env.permittedEmbedders;
    }
    var headers = {};
    // Legacy header; current browsers ignore it. Harmless to keep, but it is
    // not a substitute for the CSP.
    headers["X-XSS-Protection"] = "1; mode=block";
    headers["X-Content-Type-Options"] = "nosniff";
    headers["Access-Control-Allow-Origin"] = allowOrigin;
    headers["Permissions-policy"] = "interest-cohort=()";
    return headers;
};
/**
 * Names of the instance's main pages, without file extension.
 * A fresh array is returned on every call, so callers may mutate it.
 *
 * @returns {string[]} page names
 */
Default.mainPages = function () {
    var pages = ['index', 'contact', 'features', 'maintenance'];
    return pages;
};
/* The recommended minimum Node.js version, as [major, minor, patch].
 * Ideally managed using NVM rather than your system's package manager,
 * which usually provides a very outdated version.
 */
Default.recommendedVersion = [16,14,2];
/* By default the CryptPad server runs scheduled tasks every five minutes.
 * If you want to run scheduled tasks in a separate process (like a crontab),
 * you can disable this behaviour by setting the following value to true.
 */
//disableIntegratedTasks: false,
/* CryptPad's file storage adaptor closes unused files after a configurable
* number of milliseconds (default 30000 (30 seconds))
*/
// channelExpirationMs: 30000,
/* CryptPad's file storage adaptor is limited by the number of open files.
* When the adaptor reaches openFileLimit, it will clean up older files
*/
//openFileLimit: 2048,