update recommended settings for embedding to permit element desktop

2022-04-04 12:31:40 +05:30 · 2022-04-04 12:31:40 +05:30 · 404b89eb28
parent 841884c631
commit 404b89eb28
3 changed files with 9 additions and 5 deletions
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@ -125,8 +125,12 @@ server {
    # script-src specifies valid sources for javascript, including inline handlers
    set $scriptSrc  "'self' resource: https://${main_domain}";

-    # XXX frame-ancestors defines where your cryptpad instance can be embedded...
-    set $frameAncestors "https://${main_domain} $https://${sandbox_domain}";
+    # frame-ancestors specifies which origins can embed your CryptPad instance
+    # this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
+    # if you have enabled remote embedding via the admin panel then this must be more permissive.
+    # note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
+    set $frameAncestors "'self' https://${main_domain}";
+    # set $frameAncestors "'self' https: vector:";

    set $unsafe 0;
    # the following assets are loaded via the sandbox domain
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -32,7 +32,7 @@ Default.commonCSP = function (Env) {
        "media-src blob:",

        // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
-        Env.enableEmbedding?  `frame-ancestors 'self' ${Env.protocol}`: `frame-ancestors ${domain}${sandbox}`,
+        Env.enableEmbedding?  `frame-ancestors 'self' ${Env.protocol} vector:`: `frame-ancestors 'self' ${domain}`,
        "worker-src 'self'",
        ""
    ];
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@ -990,7 +990,7 @@ define([

                'img-src': ["'self'", 'data:', 'blob:', $outer],
                'media-src': ['blob:'],
-                'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
+                'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol, 'vector:']: ["'self'", $outer],
                'worker-src': ["'self'"],
            });
            cb(result);
@ -1028,7 +1028,7 @@ define([
                ],
                'img-src': ["'self'", 'data:', 'blob:', $outer],
                'media-src': ['blob:'],
-                'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
+                'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol, 'vector:']: ["'self'", $outer],
                'worker-src': ["'self'"],//, $outer, $sandbox],
            });