web/cryptpad
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use resources from the original origin in pad2

Browse Source
This commit is contained in:
Caleb James DeLisle
2017-08-21 18:38:07 +02:00
parent 4089803785
commit 4b70fc9f49
3 changed files with 23 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
config.example.js
View File

@@ -2,6 +2,7 @@
/* /*
globals module globals module
*/ */
var domain = ' http://localhost:3000/';
module.exports = { module.exports = {
// the address you want to bind to, :: means all ipv4 and ipv6 addresses // the address you want to bind to, :: means all ipv4 and ipv6 addresses
@@ -23,9 +24,9 @@ module.exports = {
contentSecurity: [ contentSecurity: [
"default-src 'none'", "default-src 'none'",
"style-src 'unsafe-inline' 'self'", "style-src 'unsafe-inline' 'self' " + domain,
"script-src 'self'", "script-src 'self'" + domain,
"font-src 'self' data:", "font-src 'self' data:" + domain,
/* child-src is used to restrict iframes to a set of allowed domains. /* child-src is used to restrict iframes to a set of allowed domains.
* connect-src is used to restrict what domains can connect to the websocket. * connect-src is used to restrict what domains can connect to the websocket.
@@ -33,7 +34,7 @@ module.exports = {
* it is recommended that you configure these fields to match the * it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance. * domain which will serve your CryptPad instance.
*/ */
"child-src 'self' blob: *", "child-src blob: *",
"media-src * blob:", "media-src * blob:",
@@ -41,10 +42,10 @@ module.exports = {
if you are deploying to production, you'll probably want to remove if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain the ws://* directive, and change '*' to your domain
*/ */
"connect-src 'self' ws: wss: blob:", "connect-src 'self' ws: wss: blob:" + domain,
// data: is used by codemirror // data: is used by codemirror
"img-src 'self' data: blob:", "img-src 'self' data: blob:" + domain,
// for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox // for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox
"frame-ancestors *", "frame-ancestors *",
@@ -53,18 +54,18 @@ module.exports = {
// CKEditor requires significantly more lax content security policy in order to function. // CKEditor requires significantly more lax content security policy in order to function.
padContentSecurity: [ padContentSecurity: [
"default-src 'none'", "default-src 'none'",
"style-src 'unsafe-inline' 'self'", "style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :( // Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'", "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'", "font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be /* See above under 'contentSecurity' as to how these values should be
* configured for best effect. * configured for best effect.
*/ */
"child-src 'self' *", "child-src *",
// see the comment above in the 'contentSecurity' section // see the comment above in the 'contentSecurity' section
"connect-src 'self' ws: wss:", "connect-src 'self' ws: wss:" + domain,
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
"img-src * blob:", "img-src * blob:",

13
www/common/sframe-boot.js
View File

@@ -1,6 +1,16 @@
// Stage 0, this gets cached which means we can't change it. boot2-sframe.js is changable. // Stage 0, this gets cached which means we can't change it. boot2-sframe.js is changable.
// Note that this file is meant to be executed only inside of a sandbox iframe. // Note that this file is meant to be executed only inside of a sandbox iframe.
;(function () { ;(function () {
var req = JSON.parse(decodeURIComponent(window.location.hash.substring(1)));
if (req.cfg) { require.config(req.cfg); }
if (req.pfx) {
require.config({
onNodeCreated: function (node, config, module, path) {
node.setAttribute('src', req.pfx + node.getAttribute('src'));
}
});
}
if (req.req) { require(req.req, function () { }); }
window.addEventListener('message', function (msg) { window.addEventListener('message', function (msg) {
var data = JSON.parse(msg.data); var data = JSON.parse(msg.data);
if (data.q !== 'INIT') { return; } if (data.q !== 'INIT') { return; }
@@ -8,7 +18,4 @@ window.addEventListener('message', function (msg) {
if (data.content && data.content.requireConf) { require.config(data.content.requireConf); } if (data.content && data.content.requireConf) { require.config(data.content.requireConf); }
require(['/common/sframe-boot2.js'], function () { }); require(['/common/sframe-boot2.js'], function () { });
}); });
var req = JSON.parse(decodeURIComponent(window.location.hash.substring(1)));
if (req.cfg) { require.config(req.cfg); }
if (req.req) { require(req.req, function () { }); }
}()); }());

1
www/pad2/outer.js
View File

@@ -8,6 +8,7 @@ define([
var req = { var req = {
cfg: RequireConfig, cfg: RequireConfig,
req: [ '/common/loading.js' ], req: [ '/common/loading.js' ],
pfx: window.location.origin
}; };
$('#sbox-iframe').attr('src', $('#sbox-iframe').attr('src',
ApiConfig.httpSafeOrigin + '/pad2/inner.html?' + ApiConfig.requireConf.urlArgs + ApiConfig.httpSafeOrigin + '/pad2/inner.html?' + ApiConfig.requireConf.urlArgs +