From d9adf598d8c1d41efab495d55404f24fa5c7cbe1 Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Sun, 23 Aug 2020 01:11:31 +0200
Subject: Add dropbox CSP directive if configured and make button clickable

The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable. Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured.

Signed-off-by: Erik Michelson
---
 lib/csp.js | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'lib')

diff --git a/lib/csp.js b/lib/csp.js
index fe8bea01..5c9c7b3d 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -32,6 +32,10 @@ var googleAnalyticsDirectives = {
   scriptSrc: ['https://www.google-analytics.com']
 }
 
+var dropboxDirectives = {
+  scriptSrc: ['https://www.dropbox.com']
+}
+
 CspStrategy.computeDirectives = function () {
   var directives = {}
   mergeDirectives(directives, config.csp.directives)
@@ -39,6 +43,7 @@ CspStrategy.computeDirectives = function () {
   mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
   mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
   mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
+  mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
   if (!areAllInlineScriptsAllowed(directives)) {
     addInlineScriptExceptions(directives)
   }
-- 
cgit v1.2.3

From 89322603600b399d6b77692b590cbf00948a6f4c Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Sun, 23 Aug 2020 01:29:53 +0200
Subject: Add missing unsafe-inline CSP directive

Dropbox loads an external script that adds inline javascript. Therefore, this addition is needed when enabling dropbox support.

Signed-off-by: Erik Michelson
---
 lib/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/csp.js b/lib/csp.js
index 5c9c7b3d..24399436 100644
--- a/lib/csp.js
+++ b/lib/csp.js
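Review bot: The added `mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)` dereferences `config.dropbox` unconditionally, so a loaded config without a `dropbox` section would make `computeDirectives` throw a TypeError at startup instead of just omitting the directive; the neighbouring toggles read `config.csp.*` flags, which presumably always exist. If the config loader does not guarantee a `dropbox` object, the guard is safer as `mergeDirectivesIf(config.dropbox && config.dropbox.appKey, directives, dropboxDirectives)`. A short comment would also help the reader, since this is the only toggle keyed on a credential rather than a `csp` flag: `// the Dropbox chooser script is only loaded when an app key is configured`. `mergeDirectivesIf` is defined outside this hunk, and `computeDirectives` continues past its last line.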
@@ -33,7 +33,7 @@ var googleAnalyticsDirectives = {
 }
 
 var dropboxDirectives = {
-  scriptSrc: ['https://www.dropbox.com']
+  scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
 }
 
 CspStrategy.computeDirectives = function () {
-- 
cgit v1.2.3
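Review bot: Putting `'unsafe-inline'` into `scriptSrc` on the `+` line removes the CSP's protection against injected inline scripts for every page the server emits while a Dropbox app key is configured, not only where the chooser is used, so the scope of this change is much wider than the commit message suggests. Browsers that find a nonce or hash in the same directive ignore `'unsafe-inline'`, and `computeDirectives` (which begins on the last line of this hunk and continues outside it) routes inline-script handling through `areAllInlineScriptsAllowed`/`addInlineScriptExceptions` — presumably that check treats a blanket `'unsafe-inline'` as "already allowed" and skips the per-script exceptions, which is worth verifying. A narrower fix is to allow the specific inline snippet the Dropbox script injects through that existing exception path and keep `'unsafe-inline'` out of `dropboxDirectives`. At minimum the trade-off should be recorded next to the object: `// 'unsafe-inline' is needed by the Dropbox chooser script but weakens script-src site-wide whenever dropbox.appKey is set`.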