Add config option to disallow embedding PDFs

Signed-off-by: David Mehren <git@herrmehren.de>

docs/content/configuration.md

@@ -92,6 +92,7 @@ these are rarely used for various reasons.
 | `csp.upgradeInsecureRequests` |                                | **`auto`** or `true` or `false`                                                           | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`.                 |
 | `csp.reportUri`               | `CMD_CSP_REPORTURI`            | **`undefined`**, `https://<someid>.report-uri.com/r/d/csp/enforce`                        | Allows to add a URL for CSP reports in case of violations.                                                                                                                |
 | `csp.allowFraming`            | `CMD_CSP_ALLOW_FRAMING`        | **`true`** or `false`                                                                     | Disable to disallow framing of the instance. For increased security, we strongly recommend disabling this option, if you don't need to embed your notes in other pages.   |
+| `csp.allowPDFEmbed`           | `CMD_CSP_ALLOW_PDF_EMBED`      | **`true`** or `false`                                                                     | Disable to disallow embedding PDFs. For increased security, we recommend disabling this option.                                                                           |
 | `cookiePolicy`                | `CMD_COOKIE_POLICY`            | **`lax`**, `strict` or `none`                                                             | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor.                           | 
 
 ## Privacy and External Requests

lib/config/default.js

@@ -26,7 +26,8 @@ module.exports = {
     addGoogleAnalytics: false,
     upgradeInsecureRequests: 'auto',
     reportURI: undefined,
-    allowFraming: true
+    allowFraming: true,
+    allowPDFEmbed: true
   },
   cookiePolicy: 'lax',
   protocolUseSSL: false,

lib/config/environment.js

@@ -23,7 +23,8 @@ module.exports = {
     reportURI: process.env.CMD_CSP_REPORTURI,
     addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS),
     addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS),
-    allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)
+    allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING),
+    allowPDFEmbed: toBooleanConfig(process.env.CMD_CSP_ALLOW_PDF_EMBED)
   },
   cookiePolicy: process.env.CMD_COOKIE_POLICY,
   protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),

lib/csp.js

@@ -49,6 +49,11 @@ const disallowFramingDirectives = {
   frameAncestors: ['\'self\'']
 }
 
+const allowPDFEmbedDirectives = {
+  objectSrc: ['*'], // Chrome and Firefox treat PDFs as objects
+  frameSrc: ['*'] // Chrome also checks PDFs against frame-src
+}
+
 CspStrategy.computeDirectives = function () {
   const directives = {}
   mergeDirectives(directives, config.csp.directives)
@@ -58,6 +63,7 @@ CspStrategy.computeDirectives = function () {
   mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
   mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
   mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
+  mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)
   addInlineScriptExceptions(directives)
   addUpgradeUnsafeRequestsOptionTo(directives)
   addReportURI(directives)