From d9adf598d8c1d41efab495d55404f24fa5c7cbe1 Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Sun, 23 Aug 2020 01:11:31 +0200
Subject: Add dropbox CSP directive if configured and make button clickable

The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable.
Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
---
 lib/csp.js | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'lib')

diff --git a/lib/csp.js b/lib/csp.js
index fe8bea01..5c9c7b3d 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -32,6 +32,10 @@ var googleAnalyticsDirectives = {
   scriptSrc: ['https://www.google-analytics.com']
 }
 
+var dropboxDirectives = {
+  scriptSrc: ['https://www.dropbox.com']
+}
+
 CspStrategy.computeDirectives = function () {
   var directives = {}
   mergeDirectives(directives, config.csp.directives)
@@ -39,6 +43,7 @@ CspStrategy.computeDirectives = function () {
   mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
   mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
   mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
+  mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
   if (!areAllInlineScriptsAllowed(directives)) {
     addInlineScriptExceptions(directives)
   }
-- 
cgit v1.2.3


From 89322603600b399d6b77692b590cbf00948a6f4c Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Sun, 23 Aug 2020 01:29:53 +0200
Subject: Add missing unsafe-inline CSP directive

Dropbox loads an external script that adds inline javascript. Therefore, this addition is needed when enabling dropbox support.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
---
 lib/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/csp.js b/lib/csp.js
index 5c9c7b3d..24399436 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -33,7 +33,7 @@ var googleAnalyticsDirectives = {
 }
 
 var dropboxDirectives = {
-  scriptSrc: ['https://www.dropbox.com']
+  scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
 }
 
 CspStrategy.computeDirectives = function () {
-- 
cgit v1.2.3