web/cryptpad
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

make http headers configurable, update default conf

Browse Source
This commit is contained in:
ansuz 2016-10-18 11:48:29 +02:00
parent 9a733bb360
commit a2e5c96115
2 changed files with 41 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
config.js.dist
View File

@ -8,6 +8,31 @@ module.exports = {
httpAddress: '::', httpAddress: '::',
// the port on which your httpd will listen // the port on which your httpd will listen
/* Cryptpad can be configured to send customized HTTP Headers
* These settings may vary widely depending on your needs
* Examples are provided below
*/
/*
httpHeaders: {
"Content-Security-Policy": [
"default-serc 'none'",
"style-src 'unsafe-inline' 'self'",
"script-src 'self' 'unsafe-eval' 'unsafe-inline'",
"child-src 'self' cryptpad.fr *.cryptpad.fr",
"font-src 'self'",
"connect-src 'self' wss://cryptpad.fr",
// data: is used by codemirror, (insecure remote) images are included by
// users of the wysiwyg who embed photos in their pads
"img-src data: *",
].join('; '),
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
// 'X-Frame-Options': 'SAMEORIGIN',
},*/
httpPort: 3000, httpPort: 3000,
/* your server's websocket url is configurable /* your server's websocket url is configurable

41
server.js
View File

@ -19,33 +19,20 @@ var app = Express();
var httpsOpts; var httpsOpts;
app.use(function (req, res, next) { var setHeaders = (function () {
var host = req.headers.host; if (typeof(config.httpHeaders) !== 'object') { return function () {}; }
if (config.websocketPort) {
host = host.replace(/\:[0-9]+/, ':' + config.websocketPort); var headers = JSON.parse(JSON.stringify(config.httpHeaders));
if (Object.keys(headers).length) {
return function (res) {
for (header in headers) { res.setHeader(header, headers[header]); }
};
} }
var proto = (httpsOpts || config.useSecureWebsockets) ? 'wss://' : 'ws://'; return function () {};
res.setHeader('Content-Security-Policy', [ }());
"default-src 'none'",
"style-src 'unsafe-inline' 'self'",
// No way to load ckeditor without unsafe-eval and unsafe-inline
// https://dev.ckeditor.com/ticket/8584
"script-src 'self' 'unsafe-eval' 'unsafe-inline'",
"connect-src 'self' " + proto + host,
"child-src 'self'",
"font-src 'self'",
// data: is used by codemirror, (insecure remote) images are included by people making
// documents in ckeditor.
"img-src data: *"
].join('; '));
res.setHeader('X-XSS-Protection', '1; mode=block');
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
app.use(function (req, res, next) {
setHeaders(res);
next(); next();
}); });
@ -56,6 +43,10 @@ Fs.exists(__dirname + "/customize", function (e) {
console.log("Cryptpad is customizable, see customize.dist/readme.md for details"); console.log("Cryptpad is customizable, see customize.dist/readme.md for details");
}); });
// FIXME I think this is a regression caused by a recent PR
// correct this hack without breaking the contributor's intended behaviour.
app.get(/\/(privacy|index|terms)\.html/, Express.static(__dirname + '/customize.dist'));
app.use("/customize", Express.static(__dirname + '/customize')); app.use("/customize", Express.static(__dirname + '/customize'));
app.use("/customize", Express.static(__dirname + '/customize.dist')); app.use("/customize", Express.static(__dirname + '/customize.dist'));
app.use(/^\/[^\/]*$/, Express.static('customize')); app.use(/^\/[^\/]*$/, Express.static('customize'));