Merge remote-tracking branch 'origin/4.15-candidate' into 4.15-candidate
commit
312d030bef
3 changed files with 6 additions and 3 deletions
|
@ -5,6 +5,7 @@ Default.commonCSP = function (Env) {
|
||||||
var sandbox = Env.httpSafeOrigin;
|
var sandbox = Env.httpSafeOrigin;
|
||||||
sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: '');
|
sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: '');
|
||||||
// Content-Security-Policy
|
// Content-Security-Policy
|
||||||
|
var accounts_api = Env.accounts_api? ' ' + Env.accounts_api: '';
|
||||||
|
|
||||||
return [
|
return [
|
||||||
"default-src 'none'",
|
"default-src 'none'",
|
||||||
|
@ -25,7 +26,7 @@ Default.commonCSP = function (Env) {
|
||||||
if you are deploying to production, you'll probably want to remove
|
if you are deploying to production, you'll probably want to remove
|
||||||
the ws://* directive
|
the ws://* directive
|
||||||
*/
|
*/
|
||||||
"connect-src 'self' blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox,
|
"connect-src 'self' blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox + accounts_api,
|
||||||
|
|
||||||
// data: is used by codemirror
|
// data: is used by codemirror
|
||||||
"img-src 'self' data: blob:" + domain,
|
"img-src 'self' data: blob:" + domain,
|
||||||
|
|
|
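Review bot: `Env.accounts_api` is concatenated into `connect-src` unchanged in the second hunk, so a configured value containing whitespace, `;` or a bare scheme such as `https:` would add extra sources or directives to the policy. No validation of the value is visible in this commit, so I would restrict it where the string is built, for example `var accounts_api = /^https:\/\/[^\s;,'"]+$/.test(Env.accounts_api)? ' ' + Env.accounts_api: '';`, extending the scheme check if plain-http development endpoints must work. A short comment beside it saying why the page needs to reach the accounts API would also help when the policy is audited later. The body of `Default.commonCSP` starts and ends outside both hunks.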
@ -73,6 +73,7 @@ module.exports.create = function (config) {
|
||||||
fileHost: config.fileHost || undefined,
|
fileHost: config.fileHost || undefined,
|
||||||
NO_SANDBOX: NO_SANDBOX,
|
NO_SANDBOX: NO_SANDBOX,
|
||||||
httpSafePort: httpSafePort,
|
httpSafePort: httpSafePort,
|
||||||
|
accounts_api: config.accounts_api || undefined, // XXX
|
||||||
|
|
||||||
shouldUpdateNode: !isRecentVersion(),
|
shouldUpdateNode: !isRecentVersion(),
|
||||||
|
|
||||||
|
|
|
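Review bot: The new `accounts_api` entry is committed with a bare `// XXX` marker and no hint of what is still open. Since the same commit feeds `Env.accounts_api` into the CSP `connect-src` list, the comment should say so, e.g. `// optional accounts API origin; appended to connect-src by commonCSP, so it must be a single origin`. If the marker stands for pending validation of the configured value, this is the natural place to do it, before the value reaches the header builder. The object literal inside `module.exports.create` continues outside the hunk.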
@ -75,6 +75,7 @@ define([
|
||||||
var trimmedSafe = trimSlashes(ApiConfig.httpSafeOrigin);
|
var trimmedSafe = trimSlashes(ApiConfig.httpSafeOrigin);
|
||||||
var trimmedUnsafe = trimSlashes(ApiConfig.httpUnsafeOrigin);
|
var trimmedUnsafe = trimSlashes(ApiConfig.httpUnsafeOrigin);
|
||||||
var fileHost = ApiConfig.fileHost;
|
var fileHost = ApiConfig.fileHost;
|
||||||
|
var accounts_api = ApiConfig.accounts_api || AppConfig.accounts_api || undefined;
|
||||||
|
|
||||||
var getAPIPlaceholderPath = function (relative) {
|
var getAPIPlaceholderPath = function (relative) {
|
||||||
var absolute;
|
var absolute;
|
||||||
|
@ -986,7 +987,7 @@ define([
|
||||||
API_URL.origin,
|
API_URL.origin,
|
||||||
isHTTPS(fileHost)? fileHost: undefined,
|
isHTTPS(fileHost)? fileHost: undefined,
|
||||||
// support for cryptpad.fr configuration
|
// support for cryptpad.fr configuration
|
||||||
AppConfig.accounts_api,
|
accounts_api,
|
||||||
![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined,
|
![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined,
|
||||||
],
|
],
|
||||||
|
|
||||||
|
@ -1025,7 +1026,7 @@ define([
|
||||||
$sandbox,
|
$sandbox,
|
||||||
API_URL.origin,
|
API_URL.origin,
|
||||||
isHTTPS(fileHost)? fileHost: undefined,
|
isHTTPS(fileHost)? fileHost: undefined,
|
||||||
AppConfig.accounts_api,
|
accounts_api,
|
||||||
![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined,
|
![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined,
|
||||||
],
|
],
|
||||||
'img-src': ["'self'", 'data:', 'blob:', $outer],
|
'img-src': ["'self'", 'data:', 'blob:', $outer],
|
||||||
|
|
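Review bot: The precedence in `ApiConfig.accounts_api || AppConfig.accounts_api` at the top of the module is undocumented. The hunks shown here also do not include a change that makes the server publish `accounts_api` in `ApiConfig`, so the expression may always fall through to the client-side value. The server builds its header from `Env.accounts_api` alone, so the expected `connect-src` lists in the two later hunks can differ from the real header when only one side is configured. That is probably the mismatch this check is meant to report, but it deserves a comment such as `// server-provided value first, then the client-side AppConfig setting`. The `define([...])` callback and both expected-source arrays start and end outside the hunks.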