Posted to commits@openmeetings.apache.org by so...@apache.org on 2020/04/17 09:56:14 UTC

[openmeetings] branch master updated: [OPENMEETINGS-2247] connect-src is hacked for Safari

This is an automated email from the ASF dual-hosted git repository.

solomax pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openmeetings.git


The following commit(s) were added to refs/heads/master by this push:
     new b70d682  [OPENMEETINGS-2247] connect-src is hacked for Safari
b70d682 is described below

commit b70d682d43409eccf8dac9ef49e834a20cc03bfd
Author: Maxim Solodovnik <so...@gmail.com>
AuthorDate: Fri Apr 17 16:55:52 2020 +0700

    [OPENMEETINGS-2247] connect-src is hacked for Safari
---
 .../java/org/apache/openmeetings/IApplication.java |  1 +
 .../db/dao/basic/ConfigurationDao.java             |  4 ++++
 .../apache/openmeetings/web/app/Application.java   | 28 ++++++++++++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/openmeetings-db/src/main/java/org/apache/openmeetings/IApplication.java b/openmeetings-db/src/main/java/org/apache/openmeetings/IApplication.java
index 159f2cf..9eecb1f 100644
--- a/openmeetings-db/src/main/java/org/apache/openmeetings/IApplication.java
+++ b/openmeetings-db/src/main/java/org/apache/openmeetings/IApplication.java
@@ -48,4 +48,5 @@ public interface IApplication {
 
 	//WS
 	void publishWsTopic(IClusterWsMessage msg);
+	String getWsUrl();
 }
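Review bot: The new interface method `String getWsUrl();` carries no Javadoc, and its only visible implementation (Application, later in this commit) returns a field that stays `null` until a request with a full URL has been processed, so callers cannot tell from the interface whether `null` is a legal result. A short contract would prevent misuse from the ConfigurationDao side: `/** @return the ws(s):// origin to allow in CSP connect-src, or {@code null} if it has not been determined yet. */`. Stating the nullability here is the cheapest place to do it, since every implementor and caller reads this file.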
diff --git a/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java b/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
index 65656cb..745029d 100644
--- a/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
+++ b/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
@@ -134,6 +134,7 @@ import org.apache.openjpa.event.RemoteCommitProvider;
 import org.apache.openjpa.event.TCPRemoteCommitProvider;
 import org.apache.openjpa.persistence.OpenJPAEntityManagerSPI;
 import org.apache.openjpa.persistence.OpenJPAPersistence;
+import org.apache.openmeetings.IApplication;
 import org.apache.openmeetings.db.dao.IDataProviderDao;
 import org.apache.openmeetings.db.dao.server.OAuth2Dao;
 import org.apache.openmeetings.db.dao.user.UserDao;
@@ -180,6 +181,8 @@ public class ConfigurationDao implements IDataProviderDao<Configuration> {
 	private UserDao userDao;
 	@Autowired
 	private OAuth2Dao oauthDao;
+	@Autowired
+	private IApplication app;
 
 	public void updateClusterAddresses(String addresses) throws UnknownHostException {
 		OpenJPAConfiguration cfg = ((OpenJPAEntityManagerSPI)OpenJPAPersistence.cast(em)).getConfiguration();
@@ -651,6 +654,7 @@ public class ConfigurationDao implements IDataProviderDao<Configuration> {
 			addCspRule(cspConfig, CSPDirective.MEDIA_SRC, getCspMediaSrc());
 			addCspRule(cspConfig, CSPDirective.SCRIPT_SRC, getCspScriptSrc());
 			addCspRule(cspConfig, CSPDirective.STYLE_SRC, getCspStyleSrc());
+			addCspRule(cspConfig, CSPDirective.CONNECT_SRC, app.getWsUrl(), false); // special code for Safari browser
 			if (!Strings.isEmpty(getGaCode())) {
 				// https://developers.google.com/tag-manager/web/csp#universal_analytics_google_analytics
 				addCspRule(cspConfig, CSPDirective.IMG_SRC, "https://www.google-analytics.com");
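Review bot: `app.getWsUrl()` on the added line can evaluate to `null` when this method runs before any request has populated `wsUrl` (the Application change in this commit only assigns it inside a request cycle), and nothing in the hunk shows that `addCspRule` tolerates a null source. A guard keeps the CSP build independent of request timing: `String ws = app.getWsUrl();` followed by `if (ws != null) { addCspRule(cspConfig, CSPDirective.CONNECT_SRC, ws, false); }`. The trailing comment `// special code for Safari browser` says who the rule is for but not why it is needed; referencing the ticket in it, e.g. `// OPENMEETINGS-2247: Safari does not treat 'self' as covering ws(s) connections`, would help the next reader only if that is indeed the cause, so confirm before wording it. The enclosing method starts and ends outside this hunk.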
diff --git a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
index 7f81153..630a710 100644
--- a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
+++ b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
@@ -167,6 +167,7 @@ public class Application extends AuthenticatedWebApplication implements IApplica
 	final HazelcastInstance hazelcast = Hazelcast.getOrCreateHazelcastInstance(new XmlConfigBuilder().build());
 	private ITopic<IClusterWsMessage> hazelWsTopic;
 	private String serverId;
+	private String wsUrl;
 
 	@Autowired
 	private ApplicationContext ctx;
@@ -260,6 +261,12 @@ public class Application extends AuthenticatedWebApplication implements IApplica
 						wresp.setHeader("X-XSS-Protection", "1; mode=block");
 						wresp.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
 						wresp.setHeader("X-Content-Type-Options", "nosniff");
+						if (wsUrl == null) {
+							wsUrl = getWsUrl(cycle.getRequest().getUrl());
+							if (wsUrl != null) {
+								cfgDao.updateCsp();
+							}
+						}
 					}
 				}
 			}
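Review bot: The value that ends up in the CSP `connect-src` allow-list is taken from the host and port of whichever request happens to arrive first (`getWsUrl(cycle.getRequest().getUrl())`), and the `wsUrl == null` check means it is then fixed for the lifetime of the application. If that first request reaches the server under an unexpected host, for example by IP or through a misconfigured proxy, every later user gets a `connect-src` that does not match the origin their browser connects to, and the only recovery is a restart. Deriving the ws(s) origin from an administrator-configured base URL, or at least validating the request host against configuration before accepting it, would make the header deterministic; at minimum the read-then-write on the plain `wsUrl` field should be guarded (`volatile` plus a synchronized block, or a `compareAndSet` on an `AtomicReference`) so that concurrent first requests do not both call `cfgDao.updateCsp()`. The enclosing listener method starts and ends outside this hunk.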
@@ -616,4 +623,25 @@ public class Application extends AuthenticatedWebApplication implements IApplica
 	public void publishWsTopic(IClusterWsMessage msg) {
 		hazelWsTopic.publish(msg);
 	}
+
+	@Override
+	public String getWsUrl() {
+		return wsUrl;
+	}
+
+	private static String getWsUrl(Url reqUrl) {
+		if (!reqUrl.isFull()) {
+			return null;
+		}
+		final boolean insecure = "http".equalsIgnoreCase(reqUrl.getProtocol());
+		String delim = ":";
+		String port = reqUrl.getPort() == null || reqUrl.getPort() < 0 ? "" : String.valueOf(reqUrl.getPort());
+		if (!port.isEmpty() && ((insecure && 80 == reqUrl.getPort()) || (!insecure && 443 == reqUrl.getPort()))) {
+			port = "";
+		}
+		if (port.isEmpty()) {
+			delim = "";
+		}
+		return String.format("%s://%s%s%s", insecure ? "ws" : "wss", reqUrl.getHost(), delim, port);
+	}
 }
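Review bot: The port handling in `getWsUrl(Url)` spreads one decision over three statements (`port`, the default-port reset, then `delim`), which makes the intent harder to check than it needs to be. The same result is obtained with `Integer p = reqUrl.getPort(); boolean defaultPort = p == null || p < 0 || (insecure ? p == 80 : p == 443);` and `return String.format("%s://%s%s", insecure ? "ws" : "wss", reqUrl.getHost(), defaultPort ? "" : ":" + p);`. Note that any protocol other than `http` is mapped to `wss`, which is presumably intended but worth a comment. The public `getWsUrl()` getter should also state in Javadoc that it returns `null` until the first request with a full URL has been seen, since that is what the listener change earlier in this commit relies on.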