Merge pull request #87 from JJ-8/csp-fix-hotkey-in-iframe

Serve hotkeys-iframe.js from a path from Hedgedoc to circumvent CSP
JJ-8 · Mar 16, 2024 · 5de2ad2 · 5de2ad2
2 parents 91b6d31 + 3917e0f
commit 5de2ad2
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/front/nginx.conf b/front/nginx.conf
@@ -47,6 +47,12 @@ server {
         add_header Pragma "no-cache";
     }
 
+    # Due to the CSP of Hedgedoc, we need to serve the hotkeys-iframe.js file from here to allow execution
+    location /pad/js/hotkeys-iframe.js {
+        root /usr/share/nginx/html;
+        try_files $uri /hotkeys-iframe.js =404;
+    }
+
     location /pad/ {
         proxy_pass   http://hedgedoc:3000/;
         proxy_http_version 1.1;

diff --git a/front/src/pages/Task.vue b/front/src/pages/Task.vue
@@ -35,7 +35,7 @@ export default defineComponent({
         // inject hotkey script with some CTFNote code to catch hotkey for search dialog
         // and communicate that with the parent window
         const hotkeyScript = taskFrame.document.createElement('script');
-        hotkeyScript.src = '/hotkeys-iframe.js';
+        hotkeyScript.src = '/pad/js/hotkeys-iframe.js'; // this won't exist in development but will in production
         taskFrame.document.body.appendChild(hotkeyScript);
       });
     });