Add config option to disallow embedding PDFs

Signed-off-by: David Mehren <git@herrmehren.de>

lib/config/default.js

@@ -26,7 +26,8 @@ module.exports = {
     addGoogleAnalytics: false,
     upgradeInsecureRequests: 'auto',
     reportURI: undefined,
-    allowFraming: true
+    allowFraming: true,
+    allowPDFEmbed: true
   },
   cookiePolicy: 'lax',
   protocolUseSSL: false,

lib/config/environment.js

@@ -23,7 +23,8 @@ module.exports = {
     reportURI: process.env.CMD_CSP_REPORTURI,
     addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS),
     addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS),
-    allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)
+    allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING),
+    allowPDFEmbed: toBooleanConfig(process.env.CMD_CSP_ALLOW_PDF_EMBED)
   },
   cookiePolicy: process.env.CMD_COOKIE_POLICY,
   protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),

lib/csp.js

@@ -49,6 +49,11 @@ const disallowFramingDirectives = {
   frameAncestors: ['\'self\'']
 }
 
+const allowPDFEmbedDirectives = {
+  objectSrc: ['*'], // Chrome and Firefox treat PDFs as objects
+  frameSrc: ['*'] // Chrome also checks PDFs against frame-src
+}
+
 CspStrategy.computeDirectives = function () {
   const directives = {}
   mergeDirectives(directives, config.csp.directives)
@@ -58,6 +63,7 @@ CspStrategy.computeDirectives = function () {
   mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
   mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
   mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
+  mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)
   addInlineScriptExceptions(directives)
   addUpgradeUnsafeRequestsOptionTo(directives)
   addReportURI(directives)