diff --git a/lib/config/buildDomainOriginWithProtocol.js b/lib/config/buildDomainOriginWithProtocol.js
new file mode 100644
index 000000000..0a0ed8445
--- /dev/null
+++ b/lib/config/buildDomainOriginWithProtocol.js
@@ -0,0 +1,19 @@
+module.exports = {
+ buildDomainOriginWithProtocol: function (config, baseProtocol) {
+ const isStandardHTTPsPort = config.protocolUseSSL && config.port === 443
+ const isStandardHTTPPort = !config.protocolUseSSL && config.port === 80
+
+ if (!config.domain) {
+ return ''
+ }
+ let origin = ''
+ const protocol = baseProtocol + (config.protocolUseSSL ? 's' : '') + '://'
+ origin = protocol + config.domain
+ if (config.urlAddPort) {
+ if (!isStandardHTTPPort || !isStandardHTTPsPort) {
+ origin += ':' + config.port
+ }
+ }
+ return origin
+ }
+}
diff --git a/lib/config/index.js b/lib/config/index.js
index bdbdfea98..29cd84135 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -8,6 +8,7 @@ const deepFreeze = require('deep-freeze')
const { Environment, Permission } = require('./enum')
const logger = require('../logger')
const { getGitCommit, getGitHubURL } = require('./utils')
+const { buildDomainOriginWithProtocol } = require('./buildDomainOriginWithProtocol')
const appRootPath = path.resolve(__dirname, '../../')
const env = process.env.NODE_ENV || Environment.development
@@ -79,14 +80,6 @@ if (!(config.defaultPermission in config.permission)) {
config.defaultPermission = config.permission.editable
}
-// cache result, cannot change config in runtime!!!
-config.isStandardHTTPsPort = (function isStandardHTTPsPort () {
- return config.useSSL && config.port === 443
-})()
-config.isStandardHTTPPort = (function isStandardHTTPPort () {
- return !config.useSSL && config.port === 80
-})()
-
// Use HTTPS protocol if the internal TLS server is enabled
if (config.useSSL === true) {
if (config.protocolUseSSL === false) {
@@ -96,17 +89,8 @@ if (config.useSSL === true) {
}
// cache serverURL
-config.serverURL = (function getserverurl () {
- let url = ''
- if (config.domain) {
- const protocol = config.protocolUseSSL ? 'https://' : 'http://'
- url = protocol + config.domain
- if (config.urlAddPort) {
- if (!config.isStandardHTTPPort || !config.isStandardHTTPsPort) {
- url += ':' + config.port
- }
- }
- }
+config.serverURL = (function () {
+ let url = buildDomainOriginWithProtocol(config, 'http')
if (config.urlPath) {
url += '/' + config.urlPath
}
diff --git a/lib/csp.js b/lib/csp.js
index 00a9a5a7f..82573beaf 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -1,12 +1,13 @@
const config = require('./config')
const { v4: uuidv4 } = require('uuid')
+const { buildDomainOriginWithProtocol } = require('./config/buildDomainOriginWithProtocol')
const CspStrategy = {}
const defaultDirectives = {
defaultSrc: ['\'none\''],
baseUri: ['\'self\''],
- connectSrc: ['\'self\''],
+ connectSrc: ['\'self\'', buildDomainOriginWithProtocol(config, 'ws')],
fontSrc: ['\'self\''],
manifestSrc: ['\'self\''],
frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index b97d757c7..d1e8bf4a7 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -1,4 +1,9 @@
# Release Notes
+
+## Unreleased
+### Bugfixes
+- Add workaround for incorrect CSP handling in Safari
+
## 1.9.0 2021-09-13
### Security Fixes
- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)