Fix CSP headers mismatch between node and Nginx

2023-08-17 16:10:39 +02:00 · 2023-08-17 16:10:39 +02:00 · 867efea83b
commit 867efea83b
parent a3772cf92c
1 changed files with 13 additions and 12 deletions
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -1,16 +1,17 @@
 var Default = module.exports;

 Default.commonCSP = function (Env) {
-    var domain = ' ' + Env.httpUnsafeOrigin;
+    var domain = Env.httpUnsafeOrigin;
    var sandbox = Env.httpSafeOrigin;
-    sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: '');
+    sandbox = (sandbox && sandbox !== domain ? sandbox : '');
    // Content-Security-Policy
-    var accounts_api = Env.accounts_api? ' ' + Env.accounts_api: '';
+    var accounts_api = Env.accounts_api || '';
+    var wsURL = domain.replace('https://', 'wss://').replace('http://', 'ws://');

    return [
-        "default-src 'none'",
-        "style-src 'unsafe-inline' 'self' " + domain,
-        "font-src 'self' data:" + domain,
+        `default-src 'none'`,
+        `style-src 'unsafe-inline' 'self' ${domain}`,
+        `font-src 'self' data: ${domain}`,

        /*  child-src is used to restrict iframes to a set of allowed domains.
         *  connect-src is used to restrict what domains can connect to the websocket.
@ -18,23 +19,23 @@ Default.commonCSP = function (Env) {
         *  it is recommended that you configure these fields to match the
         *  domain which will serve your CryptPad instance.
         */
-        "child-src " + domain,
+        `child-src ${domain}`,
        // IE/Edge
-        "frame-src 'self' blob: " + sandbox,
+        `frame-src 'self' blob: ${sandbox}`,

        /*  this allows connections over secure or insecure websockets
            if you are deploying to production, you'll probably want to remove
            the ws://* directive
         */
-        "connect-src 'self' localhost blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox + accounts_api,
+        `connect-src 'self' blob: ${domain} ${sandbox} ${accounts_api} ${wsURL}`,

        // data: is used by codemirror
-        "img-src 'self' data: blob:" + domain,
-        "media-src blob:",
+        `img-src 'self' data: blob: ${domain}`,
+        `media-src blob:`,

        // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
        Env.enableEmbedding?  `frame-ancestors 'self' ${Env.protocol} vector:`: `frame-ancestors 'self' ${domain}`,
-        "worker-src 'self'",
+        `worker-src 'self'`,
        ""
    ];
 };