Merge pull request #1633 from hedgedoc/fix/add-domain-to-connect-src

2024-11-22 01:36:29 -05:00 · 2021-09-16 23:38:06 +02:00 · 2021-09-16 23:38:06 +02:00 · 2713a70efc
commit 2713a70efc
parent 98b0bf25d2 d7986b1920
4 changed files with 29 additions and 20 deletions
--- a/lib/config/buildDomainOriginWithProtocol.js
+++ b/lib/config/buildDomainOriginWithProtocol.js
@ -0,0 +1,19 @@
+module.exports = {
+  buildDomainOriginWithProtocol: function (config, baseProtocol) {
+    const isStandardHTTPsPort = config.protocolUseSSL && config.port === 443
+    const isStandardHTTPPort = !config.protocolUseSSL && config.port === 80
+
+    if (!config.domain) {
+      return ''
+    }
+    let origin = ''
+    const protocol = baseProtocol + (config.protocolUseSSL ? 's' : '') + '://'
+    origin = protocol + config.domain
+    if (config.urlAddPort) {
+      if (!isStandardHTTPPort || !isStandardHTTPsPort) {
+        origin += ':' + config.port
+      }
+    }
+    return origin
+  }
+}
--- a/lib/config/index.js
+++ b/lib/config/index.js
@ -8,6 +8,7 @@ const deepFreeze = require('deep-freeze')
 const { Environment, Permission } = require('./enum')
 const logger = require('../logger')
 const { getGitCommit, getGitHubURL } = require('./utils')
+const { buildDomainOriginWithProtocol } = require('./buildDomainOriginWithProtocol')

 const appRootPath = path.resolve(__dirname, '../../')
 const env = process.env.NODE_ENV || Environment.development
@ -79,14 +80,6 @@ if (!(config.defaultPermission in config.permission)) {
  config.defaultPermission = config.permission.editable
 }

-// cache result, cannot change config in runtime!!!
-config.isStandardHTTPsPort = (function isStandardHTTPsPort () {
-  return config.useSSL && config.port === 443
-})()
-config.isStandardHTTPPort = (function isStandardHTTPPort () {
-  return !config.useSSL && config.port === 80
-})()
-
 // Use HTTPS protocol if the internal TLS server is enabled
 if (config.useSSL === true) {
  if (config.protocolUseSSL === false) {
@ -96,17 +89,8 @@ if (config.useSSL === true) {
 }

 // cache serverURL
-config.serverURL = (function getserverurl () {
-  let url = ''
-  if (config.domain) {
-    const protocol = config.protocolUseSSL ? 'https://' : 'http://'
-    url = protocol + config.domain
-    if (config.urlAddPort) {
-      if (!config.isStandardHTTPPort || !config.isStandardHTTPsPort) {
-        url += ':' + config.port
-      }
-    }
-  }
+config.serverURL = (function () {
+  let url = buildDomainOriginWithProtocol(config, 'http')
  if (config.urlPath) {
    url += '/' + config.urlPath
  }
--- a/lib/csp.js
+++ b/lib/csp.js
@ -1,12 +1,13 @@
 const config = require('./config')
 const { v4: uuidv4 } = require('uuid')
+const { buildDomainOriginWithProtocol } = require('./config/buildDomainOriginWithProtocol')

 const CspStrategy = {}

 const defaultDirectives = {
  defaultSrc: ['\'none\''],
  baseUri: ['\'self\''],
-  connectSrc: ['\'self\''],
+  connectSrc: ['\'self\'', buildDomainOriginWithProtocol(config, 'ws')],
  fontSrc: ['\'self\''],
  manifestSrc: ['\'self\''],
  frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@ -1,4 +1,9 @@
 # Release Notes
+
+## <i class="fa fa-tag"></i> Unreleased
+### Bugfixes
+- Add workaround for incorrect CSP handling in Safari
+
 ## <i class="fa fa-tag"></i> 1.9.0 <i class="fa fa-calendar-o"></i> 2021-09-13
 ### Security Fixes
 - [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)