Merge remote-tracking branch 'origin/4.15-candidate' into 4.15-candidate

2022-05-11 13:45:50 +01:00 · 2022-05-11 13:45:50 +01:00 · 312d030bef
commit 312d030bef
parent 74af6629e3 0be64ac958
3 changed files with 6 additions and 3 deletions
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -5,6 +5,7 @@ Default.commonCSP = function (Env) {
    var sandbox = Env.httpSafeOrigin;
    sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: '');
    // Content-Security-Policy
    var accounts_api = Env.accounts_api? ' ' + Env.accounts_api: '';
    return [
        "default-src 'none'",
@ -25,7 +26,7 @@ Default.commonCSP = function (Env) {
            if you are deploying to production, you'll probably want to remove
            the ws://* directive
         */
-        "connect-src 'self' blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox,
+        "connect-src 'self' blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox + accounts_api,
        // data: is used by codemirror
        "img-src 'self' data: blob:" + domain,
--- a/lib/env.js
+++ b/lib/env.js
@ -73,6 +73,7 @@ module.exports.create = function (config) {
        fileHost: config.fileHost || undefined,
        NO_SANDBOX: NO_SANDBOX,
        httpSafePort: httpSafePort,
        accounts_api: config.accounts_api || undefined, // XXX
        shouldUpdateNode: !isRecentVersion(),
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@ -75,6 +75,7 @@ define([
    var trimmedSafe = trimSlashes(ApiConfig.httpSafeOrigin);
    var trimmedUnsafe = trimSlashes(ApiConfig.httpUnsafeOrigin);
    var fileHost = ApiConfig.fileHost;
    var accounts_api = ApiConfig.accounts_api || AppConfig.accounts_api || undefined;
    var getAPIPlaceholderPath = function (relative) {
        var absolute;
@ -986,7 +987,7 @@ define([
                    API_URL.origin,
                    isHTTPS(fileHost)? fileHost: undefined,
                    // support for cryptpad.fr configuration
-                    AppConfig.accounts_api,
+                    accounts_api,
                    ![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined,
                ],
@ -1025,7 +1026,7 @@ define([
                    $sandbox,
                    API_URL.origin,
                    isHTTPS(fileHost)? fileHost: undefined,
-                    AppConfig.accounts_api,
+                    accounts_api,
                    ![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined,
                ],
                'img-src': ["'self'", 'data:', 'blob:', $outer],