blitzwing/cryptpad
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

implement proper support for forbidding remote media-tag inclusion

Browse source 
...and test that the basic headers are correctly set on the checkup page
This commit is contained in:
ansuz 2022-02-18 16:09:02 +05:30
parent fa8e901f54
commit 0917b45035
4 changed files with 22 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/defaults.js
View file

@ -50,7 +50,7 @@ Default.httpHeaders = function (Env) {
return {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": Env.disableEmbedding? '': "*",
"Access-Control-Allow-Origin": Env.disableEmbedding? Env.permittedEmbedders: "*",
"Permissions-policy":"interest-cohort=()"
};
};

3
lib/env.js
View file

@ -28,6 +28,8 @@ module.exports.create = function (config) {
httpUnsafeOrigin: canonicalizeOrigin(config.httpUnsafeOrigin),
httpSafeOrigin: canonicalizeOrigin(config.httpSafeOrigin),
permittedEmbedders: typeof(config.permittedEmbedders) === 'string'? config.permittedEmbedders: canonicalizeOrigin(config.httpSafeOrigin),
removeDonateButton: config.removeDonateButton,
httpPort: isValidPort(config.httpPort)? config.httpPort: 3000,
httpAddress: typeof(config.httpAddress) === 'string'? config.httpAddress: '127.0.0.1',
@ -68,7 +70,6 @@ module.exports.create = function (config) {
archiveRetentionTime: config.archiveRetentionTime,
accountRetentionTime: config.accountRetentionTime,
// TODO implement mutability
adminEmail: config.adminEmail,
supportMailbox: config.supportMailboxPublicKey,

4
server.js
View file

@ -126,7 +126,7 @@ app.use('/blob', function (req, res, next) {
if (req.method === 'HEAD') {
Express.static(Path.join(__dirname, Env.paths.blob), {
setHeaders: function (res, path, stat) {
res.set('Access-Control-Allow-Origin', '*');
res.set('Access-Control-Allow-Origin', Env.disableEmbedding? Env.permittedEmbedders: '*');
res.set('Access-Control-Allow-Headers', 'Content-Length');
res.set('Access-Control-Expose-Headers', 'Content-Length');
}
@ -138,7 +138,7 @@ app.use('/blob', function (req, res, next) {
app.use(function (req, res, next) {
if (req.method === 'OPTIONS' && /\/blob\//.test(req.url)) {
res.setHeader('Access-Control-Allow-Origin', '*');
res.setHeader('Access-Control-Allow-Origin', Env.disableEmbedding? Env.permittedEmbedders: '*');
res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range');
res.setHeader('Access-Control-Max-Age', 1728000);

26
www/checkup/main.js
View file

@ -1026,23 +1026,31 @@ define([
assert(function (cb, msg) {
var header = 'Access-Control-Allow-Origin';
msg.appendChild(h('span', [ // XXX update text to indicate that the value doesn't match their preference
'Assets must be served with an ',
code(header),
' header with a value of ',
code("'*'"),
' if you wish to support embedding of encrypted media on third party websites.',
]));
Tools.common_xhr('/', function (xhr) {
var raw = xhr.getResponseHeader(header);
if (ApiConfig.disableEmbedding) {
if ([null, ''].includes(raw)) { return void cb(true); }
if (raw === trimmedSafe) { return void cb(true); }
else {
return void cb(raw === '*' || raw);
msg.appendChild(h('span', [
'This instance has been configured to disable support for embedding assets in third-party websites. ',
'In order for this setting to be effective while still permitting encrypted media to load locally ',
'the ',
code(header),
' should only match trusted domains.',
]));
return void cb(raw);
}
}
msg.appendChild(h('span', [
'Assets must be served with an ',
code(header),
' header with a value of ',
code("'*'"),
' if you wish to support embedding of encrypted media on third party websites.',
]));
cb(raw === "*" || raw);
});
});