mirror of
https://github.com/wekan/wekan.git
synced 2025-04-22 21:17:18 -04:00
b9929dc682
- Add option to turn off Content Policy - Allow always in Wekan markdown <img src="any-image-url-here"> Thanks to xet7 ! Closes #1676
33 lines
1.1 KiB
JavaScript
33 lines
1.1 KiB
JavaScript
import { BrowserPolicy } from 'meteor/browser-policy-common';
|
|
|
|
Meteor.startup(() => {
|
|
|
|
if ( process.env.BROWSER_POLICY_ENABLED === 'true' ) {
|
|
// Trusted URL that can embed Wekan in iFrame.
|
|
const trusted = process.env.TRUSTED_URL;
|
|
BrowserPolicy.framing.disallow();
|
|
BrowserPolicy.content.disallowInlineScripts();
|
|
BrowserPolicy.content.disallowEval();
|
|
BrowserPolicy.content.allowInlineStyles();
|
|
BrowserPolicy.content.allowFontDataUrl();
|
|
BrowserPolicy.framing.restrictToOrigin(trusted);
|
|
BrowserPolicy.content.allowScriptOrigin(trusted);
|
|
}
|
|
else {
|
|
// Disable browser policy and allow all framing and including.
|
|
// Use only at internal LAN, not at Internet.
|
|
BrowserPolicy.framing.allowAll();
|
|
BrowserPolicy.content.allowDataUrlForAll();
|
|
}
|
|
|
|
// Allow all images from anywhere
|
|
BrowserPolicy.content.allowImageOrigin('*');
|
|
|
|
// If Matomo URL is set, allow it.
|
|
const matomoUrl = process.env.MATOMO_ADDRESS;
|
|
if (matomoUrl){
|
|
BrowserPolicy.content.allowScriptOrigin(matomoUrl);
|
|
BrowserPolicy.content.allowImageOrigin(matomoUrl);
|
|
}
|
|
|
|
});
|