WIP removing defaults from the example config file

2020-02-27 13:09:12 -05:00 · 2020-02-27 13:09:12 -05:00 · 294a444603
parent 08941fa85b
commit 294a444603
3 changed files with 71 additions and 52 deletions
--- a/config/config.example.js
+++ b/config/config.example.js
@ -16,37 +16,7 @@ var _domain = 'http://localhost:3000/';
 // requiring admins to preserve it is unnecessarily confusing
 var domain = ' ' + _domain;

-// Content-Security-Policy
-var baseCSP = [
-    "default-src 'none'",
-    "style-src 'unsafe-inline' 'self' " + domain,
-    "font-src 'self' data:" + domain,
-
-    /*  child-src is used to restrict iframes to a set of allowed domains.
-     *  connect-src is used to restrict what domains can connect to the websocket.
-     *
-     *  it is recommended that you configure these fields to match the
-     *  domain which will serve your CryptPad instance.
-     */
-    "child-src blob: *",
-    // IE/Edge
-    "frame-src blob: *",
-
-    /*  this allows connections over secure or insecure websockets
-        if you are deploying to production, you'll probably want to remove
-        the ws://* directive, and change '*' to your domain
-     */
-    "connect-src 'self' ws: wss: blob:" + domain,
-
-    // data: is used by codemirror
-    "img-src 'self' data: blob:" + domain,
-    "media-src * blob:",
-
-    // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
-    "frame-ancestors *",
-    ""
-];
-
+var Default = require("../lib/defaults");

 module.exports = {
    /* =====================
@ -113,34 +83,18 @@ module.exports = {
     *  These settings may vary widely depending on your needs
     *  Examples are provided below
     */
-    httpHeaders: {
-        "X-XSS-Protection": "1; mode=block",
-        "X-Content-Type-Options": "nosniff",
-        "Access-Control-Allow-Origin": "*"
-    },
+    httpHeaders: Default.httpHeaders(),

-    contentSecurity: baseCSP.join('; ') +
-        "script-src 'self'" + domain,
+    contentSecurity: Default.contentSecurity(domain),

    // CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
-    padContentSecurity: baseCSP.join('; ') +
-        "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
+    padContentSecurity: Default.padContentSecurity(domain),

    /*  Main pages
     *  add exceptions to the router so that we can access /privacy.html
     *  and other odd pages
     */
-    mainPages: [
-        'index',
-        'privacy',
-        'terms',
-        'about',
-        'contact',
-        'what-is-cryptpad',
-        'features',
-        'faq',
-        'maintenance'
-    ],
+    mainPages: Default.mainPages(),

    /* =====================
     *     Subscriptions
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -0,0 +1,65 @@
+var Default = module.exports;
+
+Default.commonCSP = function (domain) {
+    // Content-Security-Policy
+    return [
+        "default-src 'none'",
+        "style-src 'unsafe-inline' 'self' " + domain,
+        "font-src 'self' data:" + domain,
+
+        /*  child-src is used to restrict iframes to a set of allowed domains.
+         *  connect-src is used to restrict what domains can connect to the websocket.
+         *
+         *  it is recommended that you configure these fields to match the
+         *  domain which will serve your CryptPad instance.
+         */
+        "child-src blob: *",
+        // IE/Edge
+        "frame-src blob: *",
+
+        /*  this allows connections over secure or insecure websockets
+            if you are deploying to production, you'll probably want to remove
+            the ws://* directive, and change '*' to your domain
+         */
+        "connect-src 'self' ws: wss: blob:" + domain,
+
+        // data: is used by codemirror
+        "img-src 'self' data: blob:" + domain,
+        "media-src * blob:",
+
+        // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
+        "frame-ancestors *",
+        ""
+    ];
+};
+
+Default.contentSecurity = function (domain) {
+    return Default.commonCSP(domain).join('; ') + "script-src 'self'" + domain;
+};
+
+Default.padContentSecurity = function (domain) {
+    return Default.commonCSP(domain).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain;
+};
+
+Default.httpHeaders = function () {
+    return {
+        "X-XSS-Protection": "1; mode=block",
+        "X-Content-Type-Options": "nosniff",
+        "Access-Control-Allow-Origin": "*"
+    };
+};
+
+Default.mainPages = function () {
+    return [
+        'index',
+        'privacy',
+        'terms',
+        'about',
+        'contact',
+        'what-is-cryptpad',
+        'features',
+        'faq',
+        'maintenance'
+    ];
+};
+
--- a/lib/load-config.js
+++ b/lib/load-config.js
@ -1,7 +1,7 @@
 /* jslint node: true */
 "use strict";
 var config;
-var configPath = process.env.CRYPTPAD_CONFIG || "../config/config";
+var configPath = process.env.CRYPTPAD_CONFIG || "../config/config.js";
 try {
    config = require(configPath);
    if (config.adminEmail === 'i.did.not.read.my.config@cryptpad.fr') {