somewhat stricter httpUnsafeOrigin validation

This commit is contained in:
ansuz 2021-06-15 03:52:12 +05:30
parent dc091b81c7
commit 942a136886


@ -24,8 +24,8 @@ var fancyURL = function (domain, path) {
};
(function () {
// you absolutely must provide an 'httpUnsafeOrigin'
if (typeof(Env.httpUnsafeOrigin) !== 'string') {
// you absolutely must provide an 'httpUnsafeOrigin' (a truthy string)
if (!Env.httpUnsafeOrigin || typeof(Env.httpUnsafeOrigin) !== 'string') {
throw new Error("No 'httpUnsafeOrigin' provided");
}
@ -66,7 +66,7 @@ var setHeaders = (function () {
}
// next define the base Content Security Policy (CSP) headers
if (typeof(config.contentSecurity) === 'string') { // XXX deprecate this
if (typeof(config.contentSecurity) === 'string') {
headers['Content-Security-Policy'] = config.contentSecurity;
if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }
if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {