Add config option to disallow embedding PDFs

Signed-off-by: David Mehren <git@herrmehren.de>
David Mehren 2021-08-06 12:58:22 +02:00
parent c002c7b681
commit 6c722f0ad6
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3
4 changed files with 11 additions and 2 deletions


@ -49,6 +49,11 @@ const disallowFramingDirectives = {
frameAncestors: ['\'self\'']
}
const allowPDFEmbedDirectives = {
objectSrc: ['*'], // Chrome and Firefox treat PDFs as objects
frameSrc: ['*'] // Chrome also checks PDFs against frame-src
}
CspStrategy.computeDirectives = function () {
const directives = {}
mergeDirectives(directives, config.csp.directives)
@ -58,6 +63,7 @@ CspStrategy.computeDirectives = function () {
mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)
addInlineScriptExceptions(directives)
addUpgradeUnsafeRequestsOptionTo(directives)
addReportURI(directives)
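Review bot: `allowPDFEmbedDirectives` at the top of this section uses `'*'` for both `objectSrc` and `frameSrc`, so whenever `config.csp.allowPDFEmbed` is truthy the policy stops restricting plugin content and framed documents from any network origin, not only PDFs. Narrower host entries for those two directives merged from the other directive sets then become largely redundant. The two inline comments explain why both directives are needed but not what they cost; I would add above the constant `// NOTE: wildcards lift object-src and frame-src for every origin, not just PDF hosts; disable config.csp.allowPDFEmbed on instances that do not need embedded PDFs`. The option's default is defined outside this section, so it is worth checking whether the wildcard ends up opt-in or opt-out. The body of `CspStrategy.computeDirectives` is only partly visible across the two hunks.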