web/cryptpad
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add frame-ancestors to allow remote auth

Browse Source
This commit is contained in:
Caleb James DeLisle 2017-06-07 09:51:10 +02:00
parent 811d031ffd
commit aa9aaefdea
2 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config.example.js
View File

@ -45,6 +45,9 @@ module.exports = {
// data: is used by codemirror // data: is used by codemirror
"img-src 'self' data: blob:", "img-src 'self' data: blob:",
// for accounts.cryptpad.fr authentication
"frame-ancestors 'self' accounts.cryptpad.fr",
].join('; '), ].join('; '),
// CKEditor requires significantly more lax content security policy in order to function. // CKEditor requires significantly more lax content security policy in order to function.

5
server.js
View File

@ -34,6 +34,11 @@ var setHeaders = (function () {
const headers = clone(config.httpHeaders); const headers = clone(config.httpHeaders);
if (config.contentSecurity) { if (config.contentSecurity) {
headers['Content-Security-Policy'] = clone(config.contentSecurity); headers['Content-Security-Policy'] = clone(config.contentSecurity);
if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
// backward compat for those who do not merge the new version of the config
// when updating. This prevents endless spinner if someone clicks donate.
headers['Content-Security-Policy'] += "frame-ancestors 'self' accounts.cryptpad.fr;";
}
} }
const padHeaders = clone(headers); const padHeaders = clone(headers);
if (config.padContentSecurity) { if (config.padContentSecurity) {