From 3917e0f623c77e1bbfbf680b407f2299994f40b9 Mon Sep 17 00:00:00 2001
From: JJ-8 <34778827+JJ-8@users.noreply.github.com>
Date: Sat, 16 Mar 2024 22:25:47 +0100
Subject: [PATCH] Serve hotkeys-iframe.js from a path from Hedgedoc to circumvent CSP

The Hedgedoc CSP is a good thing to have enabled. But it breaks the JS injection done by CTFNote. So now we just lie to the frontend that the file is hosted by Hedgedoc while it actually is hosted by CTFNote. This should circumvent the CSP and allow script execution inside the iframe, even when the CSP is enabled.
---
 front/nginx.conf | 6 ++++++
 front/src/pages/Task.vue | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/front/nginx.conf b/front/nginx.conf
index 20e3f7f5..552f4481 100644
--- a/front/nginx.conf
+++ b/front/nginx.conf
@@ -47,6 +47,12 @@ server {
 add_header Pragma "no-cache";
 }

+ # Due to the CSP of Hedgedoc, we need to serve the hotkeys-iframe.js file from here to allow execution
+ location /pad/js/hotkeys-iframe.js {
+ root /usr/share/nginx/html;
+ try_files $uri /hotkeys-iframe.js =404;
+ }
+
 location /pad/ {
 proxy_pass http://hedgedoc:3000/;
 proxy_http_version 1.1;
diff --git a/front/src/pages/Task.vue b/front/src/pages/Task.vue
index 60d59c23..59264619 100644
--- a/front/src/pages/Task.vue
+++ b/front/src/pages/Task.vue
@@ -35,7 +35,7 @@ export default defineComponent({
 // inject hotkey script with some CTFNote code to catch hotkey for search dialog
 // and communicate that with the parent window
 const hotkeyScript = taskFrame.document.createElement('script');
- hotkeyScript.src = '/hotkeys-iframe.js';
+ hotkeyScript.src = '/pad/js/hotkeys-iframe.js'; // this won't exist in development but will in production
 taskFrame.document.body.appendChild(hotkeyScript);
 });
 });
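Review bot: `location /pad/js/hotkeys-iframe.js {` is a prefix match, so any URI that merely starts with that string (a constructed example: `/pad/js/hotkeys-iframe.js.map`) is also diverted away from the Hedgedoc proxy and answered from the local document root; the intended semantics is an exact match, `location = /pad/js/hotkeys-iframe.js {`. In `try_files $uri /hotkeys-iframe.js =404;` the `$uri` probe can never resolve (nothing is deployed under `/usr/share/nginx/html/pad/js/`), so `try_files /hotkeys-iframe.js =404;` says the same thing without the dead branch. Since this block is the one place where a CTFNote-served script is deliberately presented under a Hedgedoc path, the comment should state that scope explicitly, e.g. `# Exact match only: this single path is served from CTFNote's own document root instead of being proxied to Hedgedoc, so it passes Hedgedoc's CSP`. The enclosing `server {` block begins and ends outside the hunk.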
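Review bot: The new `src` points at a path that, per the trailing comment, does not exist in development, so the injected `<script>` will 404 and the hotkey bridge silently fails to load; nothing on the new side reports that. Attach an error handler before the element is appended, e.g. `hotkeyScript.onerror = () => console.warn('hotkeys-iframe.js not served at /pad/js/; pad hotkeys disabled');`, so the missing bridge is visible in the console rather than only inferred from hotkeys not working. The path is also now duplicated verbatim between this assignment and the `location` block in `front/nginx.conf`; a comment naming that file at the assignment (or a shared constant) keeps the two from drifting apart. The surrounding callback and `defineComponent` call begin and end outside the hunk.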