From 9499add64c6bef1f4924916c0ca39841fec56ee7 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Tue, 6 Jul 2021 21:17:56 +0200
Subject: [PATCH 01/14] Tighten up default Content-Security-Policy
This commit changes the
- default-src to none, so everything is disallowed by default
- base-uri, connect-uri and font-src to self, so these are restricted to the current origin
- frame-src to allow SlideShare, Vimeo and YouTube
- script-src to the specific paths that are used by HedgeDoc to serve scripts. This explicitly does not include the /uploads route
- style-src to the specific paths that are used by HedgeDoc to serve styles
-
Signed-off-by: David Mehren
---
 lib/csp.js | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/lib/csp.js b/lib/csp.js
index 74404413..fa2f95bb 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -4,11 +4,22 @@ const { v4: uuidv4 } = require('uuid')
 const CspStrategy = {}
 
 const defaultDirectives = {
- defaultSrc: ['\'self\''],
- scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net'],
- imgSrc: ['*'],
- styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
- fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
+ defaultSrc: ['\'none\''],
+ baseUri: ['\'self\''],
+ connectSrc: ['\'self\''],
+ fontSrc: ['\'self\''],
+ frameSrc: ['https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
+ imgSrc: ['*'], // we allow using arbitrary images
+ scriptSrc: [
+ config.serverURL + '/build/',
+ config.serverURL + '/js/',
+ config.serverURL + '/config',
+ 'https://gist.github.com/',
+ 'https://vimeo.com/api/oembed.json',
+ 'https://www.slideshare.net/api/oembed/2',
+ '\'unsafe-inline\'' // this is ignored by browsers supporting nonces/hashes
+ ],
+ styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
 objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
 mediaSrc: ['*'],
 childSrc: ['*'],
@@ -43,9 +54,7 @@ CspStrategy.computeDirectives = function () {
 mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
 mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
 mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
- if (!areAllInlineScriptsAllowed(directives)) {
- addInlineScriptExceptions(directives)
- }
+ addInlineScriptExceptions(directives)
 addUpgradeUnsafeRequestsOptionTo(directives)
 addReportURI(directives)
 return directives
From bd44cbc16c7b2bf4961d5a2826f83f564767a20a Mon Sep 17 00:00:00 2001
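Review bot: The first-party script-src and style-src entries are built as `config.serverURL + '/build/'`, so if `serverURL` can be empty or a bare path in some deployments (its derivation is not visible here), the resulting `/build/` is not a valid CSP source expression, browsers drop it, and every first-party script and stylesheet is blocked; a fallback such as `config.serverURL ? config.serverURL + '/build/' : '\'self\''`, ideally in one small helper since PATCH 04 adds `/css/` with the same pattern, keeps the policy enforceable in that case. This hunk also adds `connectSrc: ['\'self\'']` while the same object literal still ends with `connectSrc: ['*']` (visible as a removed line in PATCH 02), so on this commit alone the later key wins and connect-src is effectively `*`; ESLint's `no-dupe-keys` rule flags exactly this.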
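Review bot: Dropping the `areAllInlineScriptsAllowed` guard means `addInlineScriptExceptions` now always pushes the per-request nonce into script-src, so an `'unsafe-inline'` that an operator placed in `config.csp.directives.scriptSrc` is silently ignored by nonce-aware browsers and only honoured by older ones. That is a reasonable hardening, but it deserves a comment at the call site, e.g. `// always add the nonce; any 'unsafe-inline' in config or defaults then only acts as a fallback for browsers without CSP2 support`, plus a line in the `csp.directives` docs. `computeDirectives` continues outside the hunk.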
From: David Mehren
Date: Sun, 18 Jul 2021 09:59:14 +0200
Subject: [PATCH 02/14] Add config option to disallow framing via CSP
Signed-off-by: David Mehren
---
 docs/content/configuration.md | 1 +
 lib/config/default.js | 3 ++-
 lib/config/environment.js | 3 ++-
 lib/csp.js | 11 +++++++----
 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/docs/content/configuration.md b/docs/content/configuration.md
index c6e3fc3e..95ecada2 100644
--- a/docs/content/configuration.md
+++ b/docs/content/configuration.md
@@ -91,6 +91,7 @@ these are rarely used for various reasons.
 | `csp.addGoogleAnalytics` | `CMD_CSP_ADD_GOOGLE_ANALYTICS` | **`false`** or `true` | Enable to allow users to add Google Analytics to their notes. We don't recommend enabling this option, as it increases the attack surface of XSS attacks. |
 | `csp.upgradeInsecureRequests` | | **`auto`** or `true` or `false` | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`. |
 | `csp.reportUri` | `CMD_CSP_REPORTURI` | **`undefined`**, `https://.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations. |
+| `csp.allowFraming` | `CMD_CSP_ALLOW_FRAMING` | **`true`** or `false` | Disable to disallow framing of the instance. For increased security, we strongly recommend disabling this option, if you don't need to embed your notes in other pages. |
 | `cookiePolicy` | `CMD_COOKIE_POLICY` | **`lax`**, `strict` or `none` | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor. |
 
 ## Privacy and External Requests
diff --git a/lib/config/default.js b/lib/config/default.js
index c1f3f973..89defb25 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -25,7 +25,8 @@ module.exports = {
 addDisqus: false,
 addGoogleAnalytics: false,
 upgradeInsecureRequests: 'auto',
- reportURI: undefined
+ reportURI: undefined,
+ allowFraming: true
 },
 cookiePolicy: 'lax',
 protocolUseSSL: false,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 1a43a88f..0464f7fb 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -22,7 +22,8 @@ module.exports = {
 enable: toBooleanConfig(process.env.CMD_CSP_ENABLE),
 reportURI: process.env.CMD_CSP_REPORTURI,
 addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS),
- addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS)
+ addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS),
+ allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)
 },
 cookiePolicy: process.env.CMD_COOKIE_POLICY,
 protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),
diff --git a/lib/csp.js b/lib/csp.js
index fa2f95bb..98996073 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -21,9 +21,7 @@ const defaultDirectives = {
 ],
 styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
 objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
- mediaSrc: ['*'],
- childSrc: ['*'],
- connectSrc: ['*']
+ formAction: ['\'self\'']
 }
 
 const cdnDirectives = {
@@ -46,6 +44,10 @@ const dropboxDirectives = {
 scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
 }
 
+const disallowFramingDirectives = {
+ frameAncestors: ['\'self\'']
+}
+
 CspStrategy.computeDirectives = function () {
 const directives = {}
 mergeDirectives(directives, config.csp.directives)
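Review bot: `allowFraming` defaults to `true`, the permissive setting, while the documentation added in this same patch "strongly recommends" disabling it, so a fresh install ships without `frame-ancestors` unless the operator happens to read that row. If compatibility with existing embeds is the reason, record it here, e.g. `allowFraming: true, // permissive for backwards compatibility; docs recommend false`, and consider flipping the default in the next major release. PATCH 07 adds `allowPDFEmbed: true` with the same trade-off.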
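Review bot: `formAction: ['\'self\'']` limits every form submission from a HedgeDoc page to the instance's own origin, including forms the server renders to hand the browser over to an external origin; if any login flow in this project auto-submits a form to an identity provider (a SAML HTTP-POST binding, for example — not visible in this diff), that flow now fails with a CSP violation. Worth checking against the configured auth strategies and, where needed, merging the provider origin into `formAction` the same way `dropboxDirectives` extends `scriptSrc`. Removing `mediaSrc` makes media fall back to `default-src 'none'`, which PATCH 14 later has to undo; a note in this commit that media is intentionally closed would have made the series easier to bisect.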
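Review bot: `frameAncestors: ['\'self\'']` does not disallow framing; it restricts it to the instance's own origin (which PATCH 05's `frame-src 'self'` for the reveal.js speaker view relies on), so the name `disallowFramingDirectives` and the "disallow framing" wording in the docs overstate the effect. A comment such as `// 'self' keeps same-origin framing (reveal.js speaker view); only cross-origin embedding is blocked` or a rename to `sameOriginFramingDirectives` would make the contract explicit. Browsers without `frame-ancestors` support honour only `X-Frame-Options`; if the middleware stack does not already emit `X-Frame-Options: SAMEORIGIN` (not visible here), pairing it with this option closes that gap.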
@@ -54,6 +56,7 @@ CspStrategy.computeDirectives = function () {
 mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
 mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
 mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
+ mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
 addInlineScriptExceptions(directives)
 addUpgradeUnsafeRequestsOptionTo(directives)
 addReportURI(directives)
@@ -92,7 +95,7 @@ function getCspNonce (req, res) {
 }
 
 function addUpgradeUnsafeRequestsOptionTo (directives) {
- if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
+ if (config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL || config.protocolUseSSL)) {
 directives.upgradeInsecureRequests = []
 } else if (config.csp.upgradeInsecureRequests === true) {
 directives.upgradeInsecureRequests = []
From 1c0af5f75df459503084c041c750cc2e8e273623 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Thu, 5 Aug 2021 23:06:28 +0200
Subject: [PATCH 03/14] Cleanup csp.js
Signed-off-by: David Mehren
---
 lib/csp.js | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/lib/csp.js b/lib/csp.js
index 98996073..cebc050c 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -79,10 +79,6 @@ function mergeDirectivesIf (condition, existingDirectives, newDirectives) {
 }
 }
 
-function areAllInlineScriptsAllowed (directives) {
- return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1
- }
-
 function addInlineScriptExceptions (directives) {
 directives.scriptSrc.push(getCspNonce)
 // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
@@ -91,7 +87,7 @@ function addInlineScriptExceptions (directives) {
 }
 
 function getCspNonce (req, res) {
- return "'nonce-" + res.locals.nonce + "'"
+ return '\'nonce-' + res.locals.nonce + '\''
 }
 
 function addUpgradeUnsafeRequestsOptionTo (directives) {
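Review bot: `getCspNonce` concatenates `res.locals.nonce` without checking that it is set, so a request that reaches this code path without the nonce middleware having run would emit `'nonce-undefined'` — a constant that no longer serves as a nonce — instead of failing closed. A one-line guard before the return, `if (!res.locals.nonce) throw new Error('CSP nonce missing on response')`, keeps the policy fail-safe; the quote-style change itself is fine. Where the nonce is generated (presumably via the `uuidv4` import at the top of the file) is outside this hunk, so whether it is per-request and from a CSPRNG should be confirmed there.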
From 164224207802e2dc49833ae6788e23c501403679 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Fri, 6 Aug 2021 12:09:20 +0200
Subject: [PATCH 04/14] CSP: Allow styles from /css/
Reveal.js styles are hosted there
Signed-off-by: David Mehren
---
 lib/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/csp.js b/lib/csp.js
index cebc050c..b343ea01 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -19,7 +19,7 @@ const defaultDirectives = {
 'https://www.slideshare.net/api/oembed/2',
 '\'unsafe-inline\'' // this is ignored by browsers supporting nonces/hashes
 ],
- styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
+ styleSrc: [config.serverURL + '/build/', config.serverURL + '/css/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
 objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
 formAction: ['\'self\'']
 }
From 46cd60c510ebb1c6b223a90ca009276149bf8efa Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Fri, 6 Aug 2021 12:11:08 +0200
Subject: [PATCH 05/14] CSP: Allow self as frame-src
The reveal.js speaker view uses frames to display the slides
Signed-off-by: David Mehren
---
 lib/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/csp.js b/lib/csp.js
index b343ea01..c5400764 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -8,7 +8,7 @@ const defaultDirectives = {
 baseUri: ['\'self\''],
 connectSrc: ['\'self\''],
 fontSrc: ['\'self\''],
- frameSrc: ['https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
+ frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
 imgSrc: ['*'], // we allow using arbitrary images
 scriptSrc: [
 config.serverURL + '/build/',
From c002c7b681b4a58ea9f5727195984fafb995ccae Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Fri, 6 Aug 2021 12:11:53 +0200
Subject: [PATCH 06/14] CSP: Allow self as manifest-src
Chrome complains otherwise, as it can't download the Web Manifest.
Signed-off-by: David Mehren
---
 lib/csp.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/csp.js b/lib/csp.js
index c5400764..cc36b532 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -8,6 +8,7 @@ const defaultDirectives = {
 baseUri: ['\'self\''],
 connectSrc: ['\'self\''],
 fontSrc: ['\'self\''],
+ manifestSrc: ['\'self\''],
 frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
 imgSrc: ['*'], // we allow using arbitrary images
 scriptSrc: [
From 6c722f0ad65fd0350db8c75acb9a8a7c33d8ad47 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Fri, 6 Aug 2021 12:58:22 +0200
Subject: [PATCH 07/14] Add config option to disallow embedding PDFs
Signed-off-by: David Mehren
---
 docs/content/configuration.md | 1 +
 lib/config/default.js | 3 ++-
 lib/config/environment.js | 3 ++-
 lib/csp.js | 6 ++++++
 4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/docs/content/configuration.md b/docs/content/configuration.md
index 95ecada2..b907f85d 100644
--- a/docs/content/configuration.md
+++ b/docs/content/configuration.md
@@ -92,6 +92,7 @@ these are rarely used for various reasons.
 | `csp.upgradeInsecureRequests` | | **`auto`** or `true` or `false` | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`. |
 | `csp.reportUri` | `CMD_CSP_REPORTURI` | **`undefined`**, `https://.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations. |
 | `csp.allowFraming` | `CMD_CSP_ALLOW_FRAMING` | **`true`** or `false` | Disable to disallow framing of the instance. For increased security, we strongly recommend disabling this option, if you don't need to embed your notes in other pages. |
+| `csp.allowPDFEmbed` | `CMD_CSP_ALLOW_PDF_EMBED` | **`true`** or `false` | Disable to disallow embedding PDFs. For increased security, we recommend disabling this option. |
 | `cookiePolicy` | `CMD_COOKIE_POLICY` | **`lax`**, `strict` or `none` | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor. |
 
 ## Privacy and External Requests
diff --git a/lib/config/default.js b/lib/config/default.js
index 89defb25..c687e484 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -26,7 +26,8 @@ module.exports = {
 addGoogleAnalytics: false,
 upgradeInsecureRequests: 'auto',
 reportURI: undefined,
- allowFraming: true
+ allowFraming: true,
+ allowPDFEmbed: true
 },
 cookiePolicy: 'lax',
 protocolUseSSL: false,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 0464f7fb..cd83dc12 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -23,7 +23,8 @@ module.exports = {
 reportURI: process.env.CMD_CSP_REPORTURI,
 addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS),
 addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS),
- allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)
+ allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING),
+ allowPDFEmbed: toBooleanConfig(process.env.CMD_CSP_ALLOW_PDF_EMBED)
 },
 cookiePolicy: process.env.CMD_COOKIE_POLICY,
 protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),
diff --git a/lib/csp.js b/lib/csp.js
index cc36b532..b559d8d3 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -49,6 +49,11 @@ const disallowFramingDirectives = {
 frameAncestors: ['\'self\'']
 }
 
+const allowPDFEmbedDirectives = {
+ objectSrc: ['*'], // Chrome and Firefox treat PDFs as objects
+ frameSrc: ['*'] // Chrome also checks PDFs against frame-src
+}
+
 CspStrategy.computeDirectives = function () {
 const directives = {}
 mergeDirectives(directives, config.csp.directives)
@@ -58,6 +63,7 @@ CspStrategy.computeDirectives = function () {
 mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
 mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
 mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
+ mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)
 addInlineScriptExceptions(directives)
 addUpgradeUnsafeRequestsOptionTo(directives)
 addReportURI(directives)
From 832f3522b3e7f73f917fe37ce9de30114fdfad77 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Fri, 6 Aug 2021 13:37:37 +0200
Subject: [PATCH 08/14] Add new CSP config options to release notes
Signed-off-by: David Mehren
---
 public/docs/release-notes.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index 7134a3d9..0f40968d 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
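Review bot: Disabling `allowPDFEmbed` does not actually remove `object-src *`: `defaultDirectives` still carries `objectSrc: ['*']` (visible as unchanged context in PATCH 04 and PATCH 14), and the merge helpers append rather than override, so `allowPDFEmbedDirectives.objectSrc` is redundant when the option is on and the default still applies when it is off. For the option to have any effect, the `objectSrc` entry should move out of `defaultDirectives` (letting it fall back to `default-src 'none'`) and live only in `allowPDFEmbedDirectives`. Separately, `frameSrc: ['*']` is merged whenever the option is on, which is the default, so the specific frame-src allow-list from PATCH 01 is widened to every origin on a stock install; that deserves a comment, e.g. `frameSrc: ['*'] // NOTE: widens frame-src to every origin; the allow-list in defaultDirectives only binds when allowPDFEmbed is false`, and a mention in the docs row for `csp.allowPDFEmbed`. The `mergeDirectivesIf` call in the second hunk inherits both points.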
@@ -8,6 +8,11 @@
 ### Features
 - HedgeDoc now automatically retries connecting to the database up to 30 times on startup.
+- This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance
+ in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks.
+- This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc
+ notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface of
+ XSS attacks.
 
 ### Bugfixes
 - Fix crash when trying to read the current Git commit on startup
From 2ac89d33344dc4cdd8945648953d89984d63edab Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Fri, 6 Aug 2021 13:37:59 +0200
Subject: [PATCH 09/14] Use consistent wording in CSP docs
Signed-off-by: David Mehren
---
 docs/content/configuration.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/content/configuration.md b/docs/content/configuration.md
index b907f85d..501d0671 100644
--- a/docs/content/configuration.md
+++ b/docs/content/configuration.md
@@ -91,8 +91,8 @@ these are rarely used for various reasons.
 | `csp.addGoogleAnalytics` | `CMD_CSP_ADD_GOOGLE_ANALYTICS` | **`false`** or `true` | Enable to allow users to add Google Analytics to their notes. We don't recommend enabling this option, as it increases the attack surface of XSS attacks. |
 | `csp.upgradeInsecureRequests` | | **`auto`** or `true` or `false` | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`. |
 | `csp.reportUri` | `CMD_CSP_REPORTURI` | **`undefined`**, `https://.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations. |
-| `csp.allowFraming` | `CMD_CSP_ALLOW_FRAMING` | **`true`** or `false` | Disable to disallow framing of the instance. For increased security, we strongly recommend disabling this option, if you don't need to embed your notes in other pages. |
-| `csp.allowPDFEmbed` | `CMD_CSP_ALLOW_PDF_EMBED` | **`true`** or `false` | Disable to disallow embedding PDFs. For increased security, we recommend disabling this option. |
+| `csp.allowFraming` | `CMD_CSP_ALLOW_FRAMING` | **`true`** or `false` | Disable to disallow framing of the instance. We **strongly recommend disabling** this option, as it increases the attack surface of XSS attacks. |
+| `csp.allowPDFEmbed` | `CMD_CSP_ALLOW_PDF_EMBED` | **`true`** or `false` | Disable to disallow embedding PDFs. We recommend disabling this option, as it increases the attack surface of XSS attacks. |
 | `cookiePolicy` | `CMD_COOKIE_POLICY` | **`lax`**, `strict` or `none` | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor. |
 
 ## Privacy and External Requests
From 676073976175c22eed34afcdcbc2ba8ebbc5a2ca Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Sun, 8 Aug 2021 18:19:37 +0200
Subject: [PATCH 10/14] Fix CSP tests by filtering out empty array fields
In 25f5fd2a the `media-src`, `child-src` and `connect-src` settings were removed, as they are filled with the `default-src` automatically. This caused a bug in the test code, as it now tried to access a nonexistent field of `unextendedCSP`. This commit adds a filter that removes the empty array field before converting to a string.
Signed-off-by: David Mehren
---
 test/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/csp.js b/test/csp.js
index 15412022..9257eed9 100644
--- a/test/csp.js
+++ b/test/csp.js
@@ -144,7 +144,7 @@ describe('Content security policies', function () {
 const variations = ['default', 'script', 'img', 'style', 'font', 'object', 'media', 'child', 'connect']
 for (let i = 0; i < variations.length; i++) {
- assert.strictEqual(csp.computeDirectives()[variations[i] + 'Src'].toString(), ['https://' + variations[i] + '.example.com'].concat(unextendedCSP[variations[i] + 'Src']).toString())
+ assert.strictEqual(csp.computeDirectives()[variations[i] + 'Src'].toString(), ['https://' + variations[i] + '.example.com'].concat(unextendedCSP[variations[i] + 'Src']).filter(x => x != null).toString())
 }
 })
From 31bfd6d779ccb62d2bbd4990e0580cebed13af0d Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Mon, 9 Aug 2021 09:08:57 +0200
Subject: [PATCH 11/14] Clarify `csp.allowFraming` docs
Signed-off-by: David Mehren
---
 docs/content/configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/content/configuration.md b/docs/content/configuration.md
index 501d0671..51f82581 100644
--- a/docs/content/configuration.md
+++ b/docs/content/configuration.md
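Review bot: The assertion compares `Array#toString()` output rather than the arrays themselves, so element boundaries are lost (a source containing a comma, or `undefined` versus an empty string, is not distinguished), and the new `.filter(x => x != null)` only papers over the `concat(undefined)` that `toString()` exposed. Comparing structure directly, `assert.deepStrictEqual(csp.computeDirectives()[variations[i] + 'Src'], ['https://' + variations[i] + '.example.com'].concat(unextendedCSP[variations[i] + 'Src'] || []))`, removes the need for the filter, provided `unextendedCSP` is itself built from `computeDirectives()` so the nonce function in `scriptSrc` compares by identity (its construction is outside the hunk). The index loop could also become `for (const variation of variations)`.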
@@ -91,7 +91,7 @@ these are rarely used for various reasons.
 | `csp.addGoogleAnalytics` | `CMD_CSP_ADD_GOOGLE_ANALYTICS` | **`false`** or `true` | Enable to allow users to add Google Analytics to their notes. We don't recommend enabling this option, as it increases the attack surface of XSS attacks. |
 | `csp.upgradeInsecureRequests` | | **`auto`** or `true` or `false` | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`. |
 | `csp.reportUri` | `CMD_CSP_REPORTURI` | **`undefined`**, `https://.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations. |
-| `csp.allowFraming` | `CMD_CSP_ALLOW_FRAMING` | **`true`** or `false` | Disable to disallow framing of the instance. We **strongly recommend disabling** this option, as it increases the attack surface of XSS attacks. |
+| `csp.allowFraming` | `CMD_CSP_ALLOW_FRAMING` | **`true`** or `false` | Disable to disallow embedding of the instance via iframe. We **strongly recommend disabling** this option, as it increases the attack surface of XSS attacks. |
 | `csp.allowPDFEmbed` | `CMD_CSP_ALLOW_PDF_EMBED` | **`true`** or `false` | Disable to disallow embedding PDFs. We recommend disabling this option, as it increases the attack surface of XSS attacks. |
 | `cookiePolicy` | `CMD_COOKIE_POLICY` | **`lax`**, `strict` or `none` | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor. |
 
From d56ff5bdf3c632c9d381606aed6a5d4ae101e63a Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Thu, 12 Aug 2021 21:07:59 +0200
Subject: [PATCH 12/14] Fix slideshare CSP error by always using HTTPS
Signed-off-by: David Mehren
---
 public/js/extra.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/public/js/extra.js b/public/js/extra.js
index 6e3b0ed0..161d8a59 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -453,7 +453,7 @@ export function finishView (view) {
 .each((key, value) => {
 $.ajax({
 type: 'GET',
- url: `//www.slideshare.net/api/oembed/2?url=http://www.slideshare.net/${$(value).attr('data-slideshareid')}&format=json`,
+ url: `https://www.slideshare.net/api/oembed/2?url=https://www.slideshare.net/${$(value).attr('data-slideshareid')}&format=json`,
 jsonp: 'callback',
 dataType: 'jsonp',
 success (data) {
From 8973e85ba64778da6e9fcce95fe2a6c209b7435c Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Thu, 12 Aug 2021 21:14:31 +0200
Subject: [PATCH 13/14] Hardcode YouTube and Vimeo URLs to HTTPS
Signed-off-by: David Mehren
---
 public/js/extra.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/public/js/extra.js b/public/js/extra.js
index 161d8a59..616d43a3 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -284,12 +284,12 @@ export function finishView (view) {
 // youtube
 view.find('div.youtube.raw').removeClass('raw')
 .click(function () {
- imgPlayiframe(this, '//www.youtube.com/embed/')
+ imgPlayiframe(this, 'https://www.youtube.com/embed/')
 })
 // vimeo
 view.find('div.vimeo.raw').removeClass('raw')
 .click(function () {
- imgPlayiframe(this, '//player.vimeo.com/video/')
+ imgPlayiframe(this, 'https://player.vimeo.com/video/')
 })
 .each((key, value) => {
 const vimeoLink = `https://vimeo.com/${$(value).attr('data-videoid')}`
@@ -1118,7 +1118,7 @@ const youtubePlugin = new Plugin(
 if (!videoid) return
 const div = $('
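Review bot: `$(value).attr('data-slideshareid')` is interpolated into the oembed URL's query string without `encodeURIComponent`, so a value containing `&`, `#` or `?` alters the request instead of staying inside the `url` parameter; the attribute presumably originates from note content (the plugin that sets it is outside this hunk), so wrapping it, `url=${encodeURIComponent('https://www.slideshare.net/' + $(value).attr('data-slideshareid'))}`, keeps the id confined to the one parameter it belongs to. The same unencoded interpolation appears in the `vimeoLink` context line of PATCH 13's first hunk. Because `dataType: 'jsonp'` executes the response as script, the switch to an explicit `https://` origin here is what makes the corresponding `script-src` entry in `lib/csp.js` match, which is worth a short comment on the `url:` line. `finishView` continues outside the hunk.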
') div.attr('data-videoid', videoid)
- const thumbnailSrc = `//img.youtube.com/vi/${videoid}/hqdefault.jpg`
+ const thumbnailSrc = `https://img.youtube.com/vi/${videoid}/hqdefault.jpg`
 const image = ``
 div.append(image)
 const icon = ''
From e6d167c63cdcd345eb00e1dccfbfad44d81c4965 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Sun, 15 Aug 2021 00:35:57 +0200
Subject: [PATCH 14/14] CSP: Allow all sources for media
Otherwise, `video` tags and reveal background video does not work
Signed-off-by: David Mehren
---
 lib/csp.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/csp.js b/lib/csp.js
index b559d8d3..52a8d4b8 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -22,7 +22,8 @@ const defaultDirectives = {
 ],
 styleSrc: [config.serverURL + '/build/', config.serverURL + '/css/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
 objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
- formAction: ['\'self\'']
+ formAction: ['\'self\''],
+ mediaSrc: ['*']
 }
 
 const cdnDirectives = {
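Review bot: `mediaSrc: ['*']` permits media from any network origin, but in CSP `*` matches only http/https/ws/wss sources, not `data:` or `blob:` URLs, so a video element backed by an object URL or an inline data URI is still blocked after this change; if that is intended the comment should say so, e.g. `mediaSrc: ['*'], // any network origin; data:/blob: media stays blocked`, and if not, the schemes must be listed explicitly. With `default-src 'none'` this is the only directive governing media, so the wide-open value looks deliberate, but a one-line justification pointing at the reveal.js background-video requirement from the commit message belongs next to it rather than only in git history.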