Add config option to disallow embedding PDFs

Signed-off-by: David Mehren <git@herrmehren.de>
2024-11-24 18:56:32 -05:00 · 2021-08-06 12:58:22 +02:00 · 2021-08-06 12:58:22 +02:00 · 6c722f0ad6
commit 6c722f0ad6
parent c002c7b681
4 changed files with 11 additions and 2 deletions
--- a/docs/content/configuration.md
+++ b/docs/content/configuration.md
@ -92,6 +92,7 @@ these are rarely used for various reasons.
 | `csp.upgradeInsecureRequests` |                                | **`auto`** or `true` or `false`                                                           | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`.                 |
 | `csp.reportUri`               | `CMD_CSP_REPORTURI`            | **`undefined`**, `https://<someid>.report-uri.com/r/d/csp/enforce`                        | Allows to add a URL for CSP reports in case of violations.                                                                                                                |
 | `csp.allowFraming`            | `CMD_CSP_ALLOW_FRAMING`        | **`true`** or `false`                                                                     | Disable to disallow framing of the instance. For increased security, we strongly recommend disabling this option, if you don't need to embed your notes in other pages.   |
+| `csp.allowPDFEmbed`           | `CMD_CSP_ALLOW_PDF_EMBED`      | **`true`** or `false`                                                                     | Disable to disallow embedding PDFs. For increased security, we recommend disabling this option.                                                                           |
 | `cookiePolicy`                | `CMD_COOKIE_POLICY`            | **`lax`**, `strict` or `none`                                                             | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor.                           | 

 ## Privacy and External Requests
--- a/lib/config/default.js
+++ b/lib/config/default.js
@ -26,7 +26,8 @@ module.exports = {
    addGoogleAnalytics: false,
    upgradeInsecureRequests: 'auto',
    reportURI: undefined,
-    allowFraming: true
+    allowFraming: true,
+    allowPDFEmbed: true
  },
  cookiePolicy: 'lax',
  protocolUseSSL: false,
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@ -23,7 +23,8 @@ module.exports = {
    reportURI: process.env.CMD_CSP_REPORTURI,
    addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS),
    addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS),
-    allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)
+    allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING),
+    allowPDFEmbed: toBooleanConfig(process.env.CMD_CSP_ALLOW_PDF_EMBED)
  },
  cookiePolicy: process.env.CMD_COOKIE_POLICY,
  protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),
--- a/lib/csp.js
+++ b/lib/csp.js
@ -49,6 +49,11 @@ const disallowFramingDirectives = {
  frameAncestors: ['\'self\'']
 }

+const allowPDFEmbedDirectives = {
+  objectSrc: ['*'], // Chrome and Firefox treat PDFs as objects
+  frameSrc: ['*'] // Chrome also checks PDFs against frame-src
+}
+
 CspStrategy.computeDirectives = function () {
  const directives = {}
  mergeDirectives(directives, config.csp.directives)
@ -58,6 +63,7 @@ CspStrategy.computeDirectives = function () {
  mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
  mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
  mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
+  mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)
  addInlineScriptExceptions(directives)
  addUpgradeUnsafeRequestsOptionTo(directives)
  addReportURI(directives)