dnrops
/
cryptpad
mirror of https://github.com/xwiki-labs/cryptpad
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

WIP update recommended production CSP values

This commit is contained in:
ansuz 2022-02-10 17:11:17 +05:30
parent 383684d339
commit 0f46869217
2 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
docs/example.nginx.conf
View File

@ -63,12 +63,8 @@ server {
# Opt out of Google's FLoC Network
add_header Permissions-Policy interest-cohort=();
set $coop '';
#if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
add_header Cross-Origin-Resource-Policy cross-origin;
add_header Cross-Origin-Opener-Policy $coop;
add_header Cross-Origin-Embedder-Policy require-corp;
# Insert the path to your CryptPad repository root here
@ -87,23 +83,23 @@ server {
add_header Cache-Control $cacheControl;
# CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
# connect-src restricts URLs which can be loaded using script interfaces
set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
set $connectSrc "'self' https://${main_domain} https://${api_domain} blob: wss://${api_domain} https://${files_domain} https://${sandbox_domain}";
# fonts can be loaded from data-URLs or the main domain
set $fontSrc "'self' data: ${main_domain}";
set $fontSrc "'self' data: https://${main_domain}";
# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
set $imgSrc "'self' data: blob: ${main_domain} ${sandbox_domain}";
set $imgSrc "'self' data: blob: https://${main_domain}";
# frame-src specifies valid sources for nested browsing contexts.
# this prevents loading any iframes from anywhere other than the sandbox domain
set $frameSrc "'self' ${sandbox_domain} blob:";
set $frameSrc "'self' https://${sandbox_domain} blob:";
# specifies valid sources for loading media using video or audio
set $mediaSrc "'self' data: blob: ${main_domain} ${sandbox_domain}";
set $mediaSrc "blob:";
# defines valid sources for webworkers and nested browser contexts
# deprecated in favour of worker-src and frame-src
@ -111,10 +107,10 @@ server {
# specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
# supercedes child-src but is unfortunately not yet universally supported.
set $workerSrc "https://${main_domain}";
set $workerSrc "'self'";
# script-src specifies valid sources for javascript, including inline handlers
set $scriptSrc "'self' resource: ${main_domain}";
set $scriptSrc "'self' resource: https://${main_domain}";
set $unsafe 0;
# the following assets are loaded via the sandbox domain
@ -132,7 +128,7 @@ server {
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
if ($unsafe) {
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
}
# Finally, set all the rules you composed above.

4
www/checkup/main.js
View File

@ -930,6 +930,8 @@ define([
$outer,
$sandbox,
/https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
// XXX https://$files_domain
// XXX wss://$api_domain
],
'img-src': ["'self'", 'data:', 'blob:', $outer],
@ -966,6 +968,8 @@ define([
$outer,
$sandbox,
/https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
// XXX https://$files_domain
// XXX wss://$api_domain
],
'img-src': ["'self'", 'data:', 'blob:', $outer],
'media-src': ['blob:'],