tolerate trailing slashes in httpSafeDomain

server.js

@@ -42,7 +42,8 @@ if (process.env.PACKAGE) {
         throw new Error("No 'httpUnsafeOrigin' provided");
     }
 
-    config.httpUnsafeOrigin = config.httpUnsafeOrigin.trim().replace(/\/$/, '');
+    config.httpUnsafeOrigin = config.httpUnsafeOrigin.trim();
+    config.httpSafeOrigin = config.httpSafeOrigin.trim().replace(/\/$/, '');
 
     // fall back to listening on a local address
     // if httpAddress is not a string
@@ -125,15 +126,12 @@ var setHeaders = (function () {
     if (Object.keys(headers).length) {
         return function (req, res) {
             const h = [
-                    /^\/+pad\/inner\.html.*/,
+                    /^\/pad\/inner\.html.*/,
                     /^\/common\/onlyoffice\/.*\/index\.html.*/,
-                    /^\/+(sheet|ooslide|oodoc)\/in.*\.html.*/,
+                    /^\/(sheet|ooslide|oodoc)\/inner\.html.*/,
                 ].some((regex) => {
-                    if (regex.test('' + req.url)) {
+                    return regex.test(req.url);
-                        console.log('CSP MATCH: [%s] <= [%s]', regex, req.url);
+                }) ? padHeaders : headers;
-                        return true;
-                    }
-                }) ? padHeaders: headers;
             for (let header in h) { res.setHeader(header, h[header]); }
         };
     }

www/common/sframe-app-outer.js

@@ -31,10 +31,6 @@ define([
             ApiConfig.httpSafeOrigin + window.location.pathname + 'inner.html?' +
                 requireConfig.urlArgs + '#' + encodeURIComponent(JSON.stringify(req)));
 
-        console.log(ApiConfig.httpSafeOrigin);
-
-        console.error(document.getElementById('sbox-iframe').getAttribute('src'));
-
         // This is a cheap trick to avoid loading sframe-channel in parallel with the
         // loading screen setup.
         var done = waitFor();