Update CSP for OnlyOffice apps

2019-01-28 12:18:18 +01:00
parent 9ca7d504d2
commit d5f98c916b
2 changed files with 34 additions and 1 deletions
--- a/config.example.js
+++ b/config.example.js
@@ -88,6 +88,28 @@ module.exports = {
        "img-src * blob:",
    ].join('; '),

+    // OnlyOffice requires even more lax content security policy in order to function.
+    ooContentSecurity: [
+        "default-src 'none'",
+        "style-src 'unsafe-inline' 'self'" + domain,
+        // Unsafe inline, unsafe-eval are needed for ckeditor :(
+        "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
+        "font-src 'self'" + domain,
+
+        /*  See above under 'contentSecurity' as to how these values should be
+         *  configured for best effect.
+         */
+        "child-src *",
+        // IE/Edge
+        "frame-src *",
+
+        // see the comment above in the 'contentSecurity' section
+         "connect-src 'self' blob: ws: wss:" + domain,
+
+        // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
+        "img-src * blob: data:",
+    ].join('; '),
+
    httpPort: 3000,

    // This is for allowing the cross-domain iframe to function when developing