From d9adf598d8c1d41efab495d55404f24fa5c7cbe1 Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Sun, 23 Aug 2020 01:11:31 +0200
Subject: [PATCH 1/5] Add dropbox CSP directive if configured and make button clickable

The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable. Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured.

Signed-off-by: Erik Michelson
---
 lib/csp.js | 5 +++++
 public/js/index.js | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/csp.js b/lib/csp.js
index fe8bea012..5c9c7b3d3 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -32,6 +32,10 @@ var googleAnalyticsDirectives = {
 scriptSrc: ['https://www.google-analytics.com']
 }
 
+var dropboxDirectives = {
+ scriptSrc: ['https://www.dropbox.com']
+}
+
 CspStrategy.computeDirectives = function () {
 var directives = {}
 mergeDirectives(directives, config.csp.directives)
@@ -39,6 +43,7 @@ CspStrategy.computeDirectives = function () {
 mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
 mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
 mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
+ mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
 if (!areAllInlineScriptsAllowed(directives)) {
 addInlineScriptExceptions(directives)
 }
diff --git a/public/js/index.js b/public/js/index.js
index ad20ffffd..02e66490c 100644
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -996,7 +996,8 @@ ui.toolbar.export.snippet.click(function () {
 })
 })
 // import from dropbox
-ui.toolbar.import.dropbox.click(function () {
+ui.toolbar.import.dropbox.click(function (event) {
+ event.preventDefault()
 var options = {
 success: function (files) {
 ui.spinner.show()

From f821da6c0934ec1a7ee362b20612d936bd9cebd4 Mon Sep 17 00:00:00 2001
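Review bot: The added `mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)` dereferences `config.dropbox` unconditionally, so a config object without a `dropbox` section makes computeDirectives throw instead of producing a policy; patch 4 of this series ("Added dropbox.appKey to test config to fix failing tests") shows exactly that failure mode in the test config. If the application's config loader does not guarantee a `dropbox` object (I cannot see it from here), a guard such as `mergeDirectivesIf(config.dropbox && config.dropbox.appKey, directives, dropboxDirectives)` keeps CSP computation independent of an unrelated config omission. computeDirectives continues outside this hunk.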
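Review bot: The new handler parameter is named `event`, whereas the neighbouring click handler shown in patch 2's hunk header (`ui.toolbar.download.rawhtml.click(function (e) {`) uses `e`; for consistency within index.js, `ui.toolbar.import.dropbox.click(function (e) {` followed by `e.preventDefault()` reads the same as its siblings. The same naming point applies to the export handler changed in patch 2. Both handler bodies continue outside their hunks.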
From: Erik Michelson
Date: Sun, 23 Aug 2020 01:21:37 +0200
Subject: [PATCH 2/5] Add prevent default to export button too

Signed-off-by: Erik Michelson
---
 public/js/index.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/public/js/index.js b/public/js/index.js
index 02e66490c..3eaba0eeb 100644
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -944,7 +944,8 @@ ui.toolbar.download.rawhtml.click(function (e) {
 // pdf
 ui.toolbar.download.pdf.attr('download', '').attr('href', noteurl + '/pdf')
 // export to dropbox
-ui.toolbar.export.dropbox.click(function () {
+ui.toolbar.export.dropbox.click(function (event) {
+ event.preventDefault()
 var filename = renderFilename(ui.area.markdown) + '.md'
 var options = {
 files: [

From 89322603600b399d6b77692b590cbf00948a6f4c Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Sun, 23 Aug 2020 01:29:53 +0200
Subject: [PATCH 3/5] Add missing unsafe-inline CSP directive

Dropbox loads an external script that adds inline javascript. Therefore, this addition is needed when enabling dropbox support.

Signed-off-by: Erik Michelson
---
 lib/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/csp.js b/lib/csp.js
index 5c9c7b3d3..243994361 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -33,7 +33,7 @@ var googleAnalyticsDirectives = {
 }
 
 var dropboxDirectives = {
- scriptSrc: ['https://www.dropbox.com']
+ scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
 }
 
 CspStrategy.computeDirectives = function () {

From 3115c472fb705de894739f574c2b0266f3fa3e0b Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Sun, 23 Aug 2020 01:35:45 +0200
Subject: [PATCH 4/5] Added dropbox.appKey to test config to fix failing tests

Signed-off-by: Erik Michelson
---
 test/csp.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/test/csp.js b/test/csp.js
index 8cf24b9a7..0b00ecbb0 100644
--- a/test/csp.js
+++ b/test/csp.js
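Review bot: Adding `'unsafe-inline'` to scriptSrc whenever `dropbox.appKey` is set relaxes the policy for every page of the application, not just the Dropbox chooser: any inline script, including one injected through a markup-injection bug, becomes executable, which removes the main protection CSP gives for script-src. computeDirectives (outside this hunk) only calls addInlineScriptExceptions when `areAllInlineScriptsAllowed` is false, so if that helper treats the presence of `'unsafe-inline'` as "all allowed" (I cannot see its body here), the per-script hash exceptions are skipped too and the inline-script allow-list collapses to this one keyword. A less invasive option is to admit the Dropbox dropins script's inline code through the existing exception mechanism (hash or nonce); if `'unsafe-inline'` has to stay, the directive deserves a comment such as `// Dropbox's dropins script injects inline JS; 'unsafe-inline' disables CSP inline-script blocking site-wide whenever dropbox.appKey is set` so the trade-off is visible to whoever enables the integration.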
@@ -27,7 +27,10 @@ describe('Content security policies', function () {
 upgradeInsecureRequests: 'auto',
 reportURI: undefined
 },
- useCDN: true
+ useCDN: true,
+ dropbox: {
+ appKey: undefined
+ }
 }
 })
 

From c2c28d3aeb4f3db92991bf77cd8e8dfa1be2268f Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Sun, 23 Aug 2020 01:41:55 +0200
Subject: [PATCH 5/5] Add test for dropbox csp rule

Signed-off-by: Erik Michelson
---
 test/csp.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/test/csp.js b/test/csp.js
index 0b00ecbb0..d081cef06 100644
--- a/test/csp.js
+++ b/test/csp.js
@@ -81,6 +81,16 @@ describe('Content security policies', function () {
 assert(!csp.computeDirectives().fontSrc.includes('https://*.disquscdn.com'))
 })
 
+ it('Include dropbox if configured', function () {
+ let testconfig = defaultConfig
+ testconfig.dropbox.appKey = 'hedgedoc'
+ mock('../lib/config', testconfig)
+ csp = mock.reRequire('../lib/csp')
+
+ assert(csp.computeDirectives().scriptSrc.includes('https://www.dropbox.com'))
+ assert(csp.computeDirectives().scriptSrc.includes('\'unsafe-inline\''))
+ })
+
 it('Set ReportURI', function () {
 let testconfig = defaultConfig
 testconfig.csp.reportURI = 'https://example.com/reportURI'
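Review bot: The new test only covers the positive case, while the Disqus test just above it (visible at the top of the hunk) also asserts the negative one; without a negative case a regression that merges the Dropbox origin or `'unsafe-inline'` unconditionally would pass unnoticed. A companion test that leaves `appKey` undefined (the default the test config receives in patch 4) should assert that `https://www.dropbox.com` is absent from scriptSrc; whether `'unsafe-inline'` is absent by default depends on the base directives, which I cannot see here, so I have not asserted it. The positive test also calls `csp.computeDirectives()` twice where computing once and asserting on the result is clearer.
```javascript
  it('Include dropbox if configured', function () {
    // … unchanged: set testconfig.dropbox.appKey and re-require ../lib/csp …
    const directives = csp.computeDirectives()
    assert(directives.scriptSrc.includes('https://www.dropbox.com'))
    assert(directives.scriptSrc.includes('\'unsafe-inline\''))
  })

  it('Exclude dropbox if not configured', function () {
    let testconfig = defaultConfig
    testconfig.dropbox.appKey = undefined
    mock('../lib/config', testconfig)
    csp = mock.reRequire('../lib/csp')

    assert(!csp.computeDirectives().scriptSrc.includes('https://www.dropbox.com'))
  })
```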