From 6c722f0ad65fd0350db8c75acb9a8a7c33d8ad47 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Fri, 6 Aug 2021 12:58:22 +0200
Subject: [PATCH] Add config option to disallow embedding PDFs
Signed-off-by: David Mehren
---
 docs/content/configuration.md | 1 +
 lib/config/default.js | 3 ++-
 lib/config/environment.js | 3 ++-
 lib/csp.js | 6 ++++++
 4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/docs/content/configuration.md b/docs/content/configuration.md
index 95ecada23..b907f85d5 100644
--- a/docs/content/configuration.md
+++ b/docs/content/configuration.md
@@ -92,6 +92,7 @@ these are rarely used for various reasons.
 | `csp.upgradeInsecureRequests` | | **`auto`** or `true` or `false` | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`. |
 | `csp.reportUri` | `CMD_CSP_REPORTURI` | **`undefined`**, `https://.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations. |
 | `csp.allowFraming` | `CMD_CSP_ALLOW_FRAMING` | **`true`** or `false` | Disable to disallow framing of the instance. For increased security, we strongly recommend disabling this option, if you don't need to embed your notes in other pages. |
+| `csp.allowPDFEmbed` | `CMD_CSP_ALLOW_PDF_EMBED` | **`true`** or `false` | Disable to disallow embedding PDFs. For increased security, we recommend disabling this option. |
 | `cookiePolicy` | `CMD_COOKIE_POLICY` | **`lax`**, `strict` or `none` | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor. |
 ## Privacy and External Requests
diff --git a/lib/config/default.js b/lib/config/default.js
index 89defb25e..c687e4841 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -26,7 +26,8 @@ module.exports = {
 addGoogleAnalytics: false,
 upgradeInsecureRequests: 'auto',
 reportURI: undefined,
- allowFraming: true
+ allowFraming: true,
+ allowPDFEmbed: true
 },
 cookiePolicy: 'lax',
 protocolUseSSL: false,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 0464f7fb9..cd83dc12f 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -23,7 +23,8 @@ module.exports = {
 reportURI: process.env.CMD_CSP_REPORTURI,
 addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS),
 addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS),
- allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)
+ allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING),
+ allowPDFEmbed: toBooleanConfig(process.env.CMD_CSP_ALLOW_PDF_EMBED)
 },
 cookiePolicy: process.env.CMD_COOKIE_POLICY,
 protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),
diff --git a/lib/csp.js b/lib/csp.js
index cc36b5324..b559d8d3c 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -49,6 +49,11 @@ const disallowFramingDirectives = {
 frameAncestors: ['\'self\'']
 }
+const allowPDFEmbedDirectives = {
+ objectSrc: ['*'], // Chrome and Firefox treat PDFs as objects
+ frameSrc: ['*'] // Chrome also checks PDFs against frame-src
+}
+
 CspStrategy.computeDirectives = function () {
 const directives = {}
 mergeDirectives(directives, config.csp.directives)
@@ -58,6 +63,7 @@ CspStrategy.computeDirectives = function () {
 mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
 mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
 mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
+ mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)
 addInlineScriptExceptions(directives)
 addUpgradeUnsafeRequestsOptionTo(directives)
 addReportURI(directives)
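Review bot: `allowPDFEmbed: true` in lib/config/default.js ships the permissive setting by default, so the wildcard `objectSrc` and `frameSrc` sources added in lib/csp.js stay in effect until an operator opts out, while the documentation row in the same commit recommends disabling the option. If the default is kept for backward compatibility, a comment on this line would make the trade-off visible, e.g. `// true merges wildcard object-src/frame-src into the CSP (needed for embedded PDFs); set to false to tighten it`. The surrounding `csp` object starts outside the hunk.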
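Review bot: `objectSrc: ['*']` and `frameSrc: ['*']` in `allowPDFEmbedDirectives` (lib/csp.js, first hunk) are not limited to PDFs, because CSP source lists match on origin rather than content type. With the option on, a frame or object from any origin the wildcard covers is permitted, which is wider than the option name suggests. The two inline comments explain why the directives are needed but not how broad they are; I would add a line above the object such as `// CSP cannot filter by MIME type: these wildcards allow frames/objects from any origin, not only PDFs`. The documentation row for `csp.allowPDFEmbed` would benefit from the same caveat.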
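Review bot: The added `mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)` call in `computeDirectives` only adds sources when the option is true; when it is false nothing is removed, so `object-src` and `frame-src` end up as whatever the directives merged earlier already contain. Those base directives and the `mergeDirectives` helper are outside this hunk, so it cannot be confirmed from here that setting `csp.allowPDFEmbed` to `false` yields a policy without `*` in those two directives. A unit test that computes the directives with the option off and asserts that neither list contains `'*'` would pin the behaviour the option promises. The body of `computeDirectives` continues outside the hunk.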