diff options
-rw-r--r-- | lib/csp.js | 5 | ||||
-rw-r--r-- | public/js/index.js | 6 | ||||
-rw-r--r-- | test/csp.js | 15 |
3 files changed, 23 insertions, 3 deletions
@@ -32,6 +32,10 @@ var googleAnalyticsDirectives = { scriptSrc: ['https://www.google-analytics.com'] } +var dropboxDirectives = { + scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\''] +} + CspStrategy.computeDirectives = function () { var directives = {} mergeDirectives(directives, config.csp.directives) @@ -39,6 +43,7 @@ CspStrategy.computeDirectives = function () { mergeDirectivesIf(config.useCDN, directives, cdnDirectives) mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives) mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives) + mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives) if (!areAllInlineScriptsAllowed(directives)) { addInlineScriptExceptions(directives) } diff --git a/public/js/index.js b/public/js/index.js index ad20ffff..3eaba0ee 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -944,7 +944,8 @@ ui.toolbar.download.rawhtml.click(function (e) { // pdf ui.toolbar.download.pdf.attr('download', '').attr('href', noteurl + '/pdf') // export to dropbox -ui.toolbar.export.dropbox.click(function () { +ui.toolbar.export.dropbox.click(function (event) { + event.preventDefault() var filename = renderFilename(ui.area.markdown) + '.md' var options = { files: [ @@ -996,7 +997,8 @@ ui.toolbar.export.snippet.click(function () { }) }) // import from dropbox -ui.toolbar.import.dropbox.click(function () { +ui.toolbar.import.dropbox.click(function (event) { + event.preventDefault() var options = { success: function (files) { ui.spinner.show() diff --git a/test/csp.js b/test/csp.js index 8cf24b9a..d081cef0 100644 --- a/test/csp.js +++ b/test/csp.js @@ -27,7 +27,10 @@ describe('Content security policies', function () { upgradeInsecureRequests: 'auto', reportURI: undefined }, - useCDN: true + useCDN: true, + dropbox: { + appKey: undefined + } } }) @@ -78,6 +81,16 @@ describe('Content security policies', function () { assert(!csp.computeDirectives().fontSrc.includes('https://*.disquscdn.com')) }) + it('Include dropbox if configured', function () { + let testconfig = defaultConfig + testconfig.dropbox.appKey = 'hedgedoc' + mock('../lib/config', testconfig) + csp = mock.reRequire('../lib/csp') + + assert(csp.computeDirectives().scriptSrc.includes('https://www.dropbox.com')) + assert(csp.computeDirectives().scriptSrc.includes('\'unsafe-inline\'')) + }) + it('Set ReportURI', function () { let testconfig = defaultConfig testconfig.csp.reportURI = 'https://example.com/reportURI' |