WIP removing defaults from the example config file
This commit is contained in:
parent
08941fa85b
commit
294a444603
3 changed files with 71 additions and 52 deletions
|
@ -16,37 +16,7 @@ var _domain = 'http://localhost:3000/';
|
||||||
// requiring admins to preserve it is unnecessarily confusing
|
// requiring admins to preserve it is unnecessarily confusing
|
||||||
var domain = ' ' + _domain;
|
var domain = ' ' + _domain;
|
||||||
|
|
||||||
// Content-Security-Policy
|
var Default = require("../lib/defaults");
|
||||||
var baseCSP = [
|
|
||||||
"default-src 'none'",
|
|
||||||
"style-src 'unsafe-inline' 'self' " + domain,
|
|
||||||
"font-src 'self' data:" + domain,
|
|
||||||
|
|
||||||
/* child-src is used to restrict iframes to a set of allowed domains.
|
|
||||||
* connect-src is used to restrict what domains can connect to the websocket.
|
|
||||||
*
|
|
||||||
* it is recommended that you configure these fields to match the
|
|
||||||
* domain which will serve your CryptPad instance.
|
|
||||||
*/
|
|
||||||
"child-src blob: *",
|
|
||||||
// IE/Edge
|
|
||||||
"frame-src blob: *",
|
|
||||||
|
|
||||||
/* this allows connections over secure or insecure websockets
|
|
||||||
if you are deploying to production, you'll probably want to remove
|
|
||||||
the ws://* directive, and change '*' to your domain
|
|
||||||
*/
|
|
||||||
"connect-src 'self' ws: wss: blob:" + domain,
|
|
||||||
|
|
||||||
// data: is used by codemirror
|
|
||||||
"img-src 'self' data: blob:" + domain,
|
|
||||||
"media-src * blob:",
|
|
||||||
|
|
||||||
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
|
|
||||||
"frame-ancestors *",
|
|
||||||
""
|
|
||||||
];
|
|
||||||
|
|
||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
/* =====================
|
/* =====================
|
||||||
|
@ -113,34 +83,18 @@ module.exports = {
|
||||||
* These settings may vary widely depending on your needs
|
* These settings may vary widely depending on your needs
|
||||||
* Examples are provided below
|
* Examples are provided below
|
||||||
*/
|
*/
|
||||||
httpHeaders: {
|
httpHeaders: Default.httpHeaders(),
|
||||||
"X-XSS-Protection": "1; mode=block",
|
|
||||||
"X-Content-Type-Options": "nosniff",
|
|
||||||
"Access-Control-Allow-Origin": "*"
|
|
||||||
},
|
|
||||||
|
|
||||||
contentSecurity: baseCSP.join('; ') +
|
contentSecurity: Default.contentSecurity(domain),
|
||||||
"script-src 'self'" + domain,
|
|
||||||
|
|
||||||
// CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
|
// CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
|
||||||
padContentSecurity: baseCSP.join('; ') +
|
padContentSecurity: Default.padContentSecurity(domain),
|
||||||
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
|
|
||||||
|
|
||||||
/* Main pages
|
/* Main pages
|
||||||
* add exceptions to the router so that we can access /privacy.html
|
* add exceptions to the router so that we can access /privacy.html
|
||||||
* and other odd pages
|
* and other odd pages
|
||||||
*/
|
*/
|
||||||
mainPages: [
|
mainPages: Default.mainPages(),
|
||||||
'index',
|
|
||||||
'privacy',
|
|
||||||
'terms',
|
|
||||||
'about',
|
|
||||||
'contact',
|
|
||||||
'what-is-cryptpad',
|
|
||||||
'features',
|
|
||||||
'faq',
|
|
||||||
'maintenance'
|
|
||||||
],
|
|
||||||
|
|
||||||
/* =====================
|
/* =====================
|
||||||
* Subscriptions
|
* Subscriptions
|
||||||
|
|
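Review bot: After `httpHeaders: Default.httpHeaders()`, `contentSecurity: Default.contentSecurity(domain)` and `padContentSecurity: Default.padContentSecurity(domain)` the example config no longer shows an admin what is actually sent, and the guidance that disappeared with the old inline values — the `frame-ancestors *`, `child-src blob: *`, `connect-src 'self' ws: wss:` and `Access-Control-Allow-Origin: *` defaults, plus the "if you are deploying to production, you'll probably want to remove the ws://* directive, and change '*' to your domain" comment — now lives only in lib/defaults.js, which someone editing this file has no reason to open. Since the example config is the file every operator reads, keep a pointer next to the new calls, e.g. `// Values come from lib/defaults.js: they let any origin frame this instance (frame-ancestors *) and allow websocket connections to any host (connect-src ws: wss:); for production, override contentSecurity/padContentSecurity with your own domain in child-src, frame-src, connect-src and frame-ancestors.` The `_domain`/`domain` pair kept at the top of the first hunk is still required because `Default.contentSecurity(domain)` expects the value with its leading space, which deserves a one-line comment as well. The `module.exports = {` object begun in the first hunk continues past both hunks.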
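--- /dev/null
+++ b/lib/defaults.js
@@ -0,0 +1,65 @@
+var Default = module.exports;
+
+Default.commonCSP = function (domain) {
+// Content-Security-Policy
+return [
+"default-src 'none'",
+"style-src 'unsafe-inline' 'self' " + domain,
+"font-src 'self' data:" + domain,
+
+/* child-src is used to restrict iframes to a set of allowed domains.
+* connect-src is used to restrict what domains can connect to the websocket.
+*
+* it is recommended that you configure these fields to match the
+* domain which will serve your CryptPad instance.
+*/
+"child-src blob: *",
+// IE/Edge
+"frame-src blob: *",
+
+/* this allows connections over secure or insecure websockets
+if you are deploying to production, you'll probably want to remove
+the ws://* directive, and change '*' to your domain
+*/
+"connect-src 'self' ws: wss: blob:" + domain,
+
+// data: is used by codemirror
+"img-src 'self' data: blob:" + domain,
+"media-src * blob:",
+
+// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
+"frame-ancestors *",
+""
+];
+};
+
+Default.contentSecurity = function (domain) {
+return Default.commonCSP(domain).join('; ') + "script-src 'self'" + domain;
+};
+
+Default.padContentSecurity = function (domain) {
+return Default.commonCSP(domain).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain;
+};
+
+Default.httpHeaders = function () {
+return {
+"X-XSS-Protection": "1; mode=block",
+"X-Content-Type-Options": "nosniff",
+"Access-Control-Allow-Origin": "*"
+};
+};
+
+Default.mainPages = function () {
+return [
+'index',
+'privacy',
+'terms',
+'about',
+'contact',
+'what-is-cryptpad',
+'features',
+'faq',
+'maintenance'
+];
+};
+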
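Review bot: `Default.contentSecurity` and `Default.padContentSecurity` only yield a well-formed policy when the caller passes `domain` with a leading space (the example config's `' ' + _domain`) and the trailing `""` element of `commonCSP` supplies the `; ` before `script-src`; called with a bare `"https://example.com/"` they produce `font-src 'self' data:https://example.com/` and `script-src 'self'https://example.com/`, single tokens the CSP source-list grammar does not accept, so a browser would discard them and `script-src` would be left with no valid source at all. Now that this is a shared helper rather than a line in the config, the normalisation belongs here, and the contract should be stated on `commonCSP`, e.g. `// domain: origin of this instance, e.g. "https://example.com/"; may be empty`. The sketch below trims the argument and inserts the separator itself, and appends the `script-src` directive with `concat` instead of relying on the empty trailing element; `padContentSecurity` gets the same treatment. Separately, the values moved here — `frame-ancestors *`, `child-src blob: *`, `frame-src blob: *`, `connect-src ... ws: wss:`, `media-src *` and `Access-Control-Allow-Origin: *` — now apply to every instance that uses these helpers, while the "if you are deploying to production" comment addressed to admins sits in a file they have no reason to open; logging a warning at startup when the effective policy still contains `frame-ancestors *` or a `connect-src` that allows `ws:` would surface that.

```javascript
// domain: origin of this instance, e.g. "https://example.com/"; may be empty.
// Returns "" or " " + domain so it can be appended to a directive; the
// caller no longer has to supply the leading space.
var withSpace = function (domain) {
    return domain ? ' ' + String(domain).trim() : '';
};

Default.commonCSP = function (domain) {
    var d = withSpace(domain);
    return [
        "default-src 'none'",
        "style-src 'unsafe-inline' 'self'" + d,
        "font-src 'self' data:" + d,
        // … unchanged: child-src, frame-src, connect-src, img-src, media-src,
        // frame-ancestors and their comments, each appending d instead of
        // domain, and without the trailing "" element …
    ];
};

Default.contentSecurity = function (domain) {
    return Default.commonCSP(domain)
        .concat(["script-src 'self'" + withSpace(domain)])
        .join('; ');
};
```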
@ -1,7 +1,7 @@
|
||||||
/* jslint node: true */
|
/* jslint node: true */
|
||||||
"use strict";
|
"use strict";
|
||||||
var config;
|
var config;
|
||||||
var configPath = process.env.CRYPTPAD_CONFIG || "../config/config";
|
var configPath = process.env.CRYPTPAD_CONFIG || "../config/config.js";
|
||||||
try {
|
try {
|
||||||
config = require(configPath);
|
config = require(configPath);
|
||||||
if (config.adminEmail === 'i.did.not.read.my.config@cryptpad.fr') {
|
if (config.adminEmail === 'i.did.not.read.my.config@cryptpad.fr') {
|
||||||
|
|
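Review bot: The new default `"../config/config.js"` narrows what `require` accepts: the bare `"../config/config"` also resolved a `config.json` or a `config/index.js`, whereas the explicit extension matches only the `.js` file, so an install that relied on a JSON config would now fail to load (the `try` body and its catch continue outside this hunk). If that is intentional, record it on the line, e.g. `// explicit .js: the config must be a JS module (config.json is no longer picked up)`; if not, the previous default should stay. `CRYPTPAD_CONFIG` is still handed to `require` unvalidated, which predates this change and is presumably acceptable for an operator-controlled environment variable.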