mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-29 12:54:20 -05:00
Merge pull request #1633 from hedgedoc/fix/add-domain-to-connect-src
This commit is contained in:
commit
2713a70efc
4 changed files with 29 additions and 20 deletions
19
lib/config/buildDomainOriginWithProtocol.js
Normal file
19
lib/config/buildDomainOriginWithProtocol.js
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
module.exports = {
|
||||||
|
buildDomainOriginWithProtocol: function (config, baseProtocol) {
|
||||||
|
const isStandardHTTPsPort = config.protocolUseSSL && config.port === 443
|
||||||
|
const isStandardHTTPPort = !config.protocolUseSSL && config.port === 80
|
||||||
|
|
||||||
|
if (!config.domain) {
|
||||||
|
return ''
|
||||||
|
}
|
||||||
|
let origin = ''
|
||||||
|
const protocol = baseProtocol + (config.protocolUseSSL ? 's' : '') + '://'
|
||||||
|
origin = protocol + config.domain
|
||||||
|
if (config.urlAddPort) {
|
||||||
|
if (!isStandardHTTPPort || !isStandardHTTPsPort) {
|
||||||
|
origin += ':' + config.port
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return origin
|
||||||
|
}
|
||||||
|
}
|
|
@ -8,6 +8,7 @@ const deepFreeze = require('deep-freeze')
|
||||||
const { Environment, Permission } = require('./enum')
|
const { Environment, Permission } = require('./enum')
|
||||||
const logger = require('../logger')
|
const logger = require('../logger')
|
||||||
const { getGitCommit, getGitHubURL } = require('./utils')
|
const { getGitCommit, getGitHubURL } = require('./utils')
|
||||||
|
const { buildDomainOriginWithProtocol } = require('./buildDomainOriginWithProtocol')
|
||||||
|
|
||||||
const appRootPath = path.resolve(__dirname, '../../')
|
const appRootPath = path.resolve(__dirname, '../../')
|
||||||
const env = process.env.NODE_ENV || Environment.development
|
const env = process.env.NODE_ENV || Environment.development
|
||||||
|
@ -79,14 +80,6 @@ if (!(config.defaultPermission in config.permission)) {
|
||||||
config.defaultPermission = config.permission.editable
|
config.defaultPermission = config.permission.editable
|
||||||
}
|
}
|
||||||
|
|
||||||
// cache result, cannot change config in runtime!!!
|
|
||||||
config.isStandardHTTPsPort = (function isStandardHTTPsPort () {
|
|
||||||
return config.useSSL && config.port === 443
|
|
||||||
})()
|
|
||||||
config.isStandardHTTPPort = (function isStandardHTTPPort () {
|
|
||||||
return !config.useSSL && config.port === 80
|
|
||||||
})()
|
|
||||||
|
|
||||||
// Use HTTPS protocol if the internal TLS server is enabled
|
// Use HTTPS protocol if the internal TLS server is enabled
|
||||||
if (config.useSSL === true) {
|
if (config.useSSL === true) {
|
||||||
if (config.protocolUseSSL === false) {
|
if (config.protocolUseSSL === false) {
|
||||||
|
@ -96,17 +89,8 @@ if (config.useSSL === true) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// cache serverURL
|
// cache serverURL
|
||||||
config.serverURL = (function getserverurl () {
|
config.serverURL = (function () {
|
||||||
let url = ''
|
let url = buildDomainOriginWithProtocol(config, 'http')
|
||||||
if (config.domain) {
|
|
||||||
const protocol = config.protocolUseSSL ? 'https://' : 'http://'
|
|
||||||
url = protocol + config.domain
|
|
||||||
if (config.urlAddPort) {
|
|
||||||
if (!config.isStandardHTTPPort || !config.isStandardHTTPsPort) {
|
|
||||||
url += ':' + config.port
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (config.urlPath) {
|
if (config.urlPath) {
|
||||||
url += '/' + config.urlPath
|
url += '/' + config.urlPath
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
const config = require('./config')
|
const config = require('./config')
|
||||||
const { v4: uuidv4 } = require('uuid')
|
const { v4: uuidv4 } = require('uuid')
|
||||||
|
const { buildDomainOriginWithProtocol } = require('./config/buildDomainOriginWithProtocol')
|
||||||
|
|
||||||
const CspStrategy = {}
|
const CspStrategy = {}
|
||||||
|
|
||||||
const defaultDirectives = {
|
const defaultDirectives = {
|
||||||
defaultSrc: ['\'none\''],
|
defaultSrc: ['\'none\''],
|
||||||
baseUri: ['\'self\''],
|
baseUri: ['\'self\''],
|
||||||
connectSrc: ['\'self\''],
|
connectSrc: ['\'self\'', buildDomainOriginWithProtocol(config, 'ws')],
|
||||||
fontSrc: ['\'self\''],
|
fontSrc: ['\'self\''],
|
||||||
manifestSrc: ['\'self\''],
|
manifestSrc: ['\'self\''],
|
||||||
frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
|
frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
|
||||||
|
|
|
@ -1,4 +1,9 @@
|
||||||
# Release Notes
|
# Release Notes
|
||||||
|
|
||||||
|
## <i class="fa fa-tag"></i> Unreleased
|
||||||
|
### Bugfixes
|
||||||
|
- Add workaround for incorrect CSP handling in Safari
|
||||||
|
|
||||||
## <i class="fa fa-tag"></i> 1.9.0 <i class="fa fa-calendar-o"></i> 2021-09-13
|
## <i class="fa fa-tag"></i> 1.9.0 <i class="fa fa-calendar-o"></i> 2021-09-13
|
||||||
### Security Fixes
|
### Security Fixes
|
||||||
- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)
|
- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)
|
||||||
|
|
Loading…
Reference in a new issue