overleaf/server-ce/hotfix/4.2.8/pr_19550.patch

59 lines
1.9 KiB
Diff
Raw Permalink Normal View History

diff --git a/services/web/app/src/infrastructure/CSP.js b/services/web/app/src/infrastructure/CSP.js
index 28f4f380d3d..abc11c59a48 100644
--- a/services/web/app/src/infrastructure/CSP.js
+++ b/services/web/app/src/infrastructure/CSP.js
@@ -6,6 +6,7 @@ module.exports = function ({
reportPercentage,
reportOnly = false,
exclude = [],
+ viewDirectives = {},
}) {
const header = reportOnly
? 'Content-Security-Policy-Report-Only'
@@ -33,7 +34,12 @@ module.exports = function ({
res.locals.scriptNonce = scriptNonce
- const policy = buildViewPolicy(scriptNonce, reportPercentage, reportUri)
+ const policy = buildViewPolicy(
+ scriptNonce,
+ reportPercentage,
+ reportUri,
+ viewDirectives[view]
+ )
// Note: https://csp-evaluator.withgoogle.com/ is useful for checking the policy
@@ -68,11 +74,17 @@ const buildDefaultPolicy = (reportUri, styleSrc) => {
return directives.join('; ')
}
-const buildViewPolicy = (scriptNonce, reportPercentage, reportUri) => {
+const buildViewPolicy = (
+ scriptNonce,
+ reportPercentage,
+ reportUri,
+ viewDirectives
+) => {
const directives = [
`script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`, // only allow scripts from certain sources
`object-src 'none'`, // forbid loading an "object" element
`base-uri 'none'`, // forbid setting a "base" element
+ ...(viewDirectives ?? []),
]
if (reportUri) {
--- a/services/web/config/settings.defaults.js
+++ b/services/web/config/settings.defaults.js
@@ -868,6 +868,9 @@ module.exports = {
reportPercentage: parseFloat(process.env.CSP_REPORT_PERCENTAGE) || 0,
reportUri: process.env.CSP_REPORT_URI,
exclude: ['app/views/project/editor'],
+ viewDirectives: {
+ 'app/views/project/ide-react': [`img-src 'self' data: blob:`],
+ },
},
unsupportedBrowsers: {