wekan/server/policy.js

import { BrowserPolicy } from 'meteor/browser-policy-common';

Meteor.startup(() => {
  if (process.env.BROWSER_POLICY_ENABLED === 'true') {
    // Trusted URL that can embed Wekan in iFrame.
    const trusted = process.env.TRUSTED_URL;
    BrowserPolicy.framing.disallow();
    //Allow inline scripts, otherwise there is errors in browser/inspect/console
    //BrowserPolicy.content.disallowInlineScripts();
    //BrowserPolicy.content.disallowEval();
    //BrowserPolicy.content.allowInlineStyles();
    //BrowserPolicy.content.allowFontDataUrl();
    BrowserPolicy.framing.restrictToOrigin(trusted);
    //BrowserPolicy.content.allowScriptOrigin(trusted);
  } else {
    // Disable browser policy and allow all framing and including.
    // Use only at internal LAN, not at Internet.
    BrowserPolicy.framing.allowAll();
    //BrowserPolicy.content.allowDataUrlForAll();
  }

  // Allow all images from anywhere
  //BrowserPolicy.content.allowImageOrigin('*');

  // If Matomo URL is set, allow it.
  const matomoUrl = process.env.MATOMO_ADDRESS;
  if (matomoUrl) {
    //BrowserPolicy.content.allowScriptOrigin(matomoUrl);
    //BrowserPolicy.content.allowImageOrigin(matomoUrl);
  }
});
Integration of matomo with env vars 2018-07-27 18:08:09 +02:00			`import { BrowserPolicy } from 'meteor/browser-policy-common';`

			`Meteor.startup(() => {`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`if (process.env.BROWSER_POLICY_ENABLED === 'true') {`
- When Content Policy is enabled, allow one URL to have iframe that embeds Wekan - Add option to turn off Content Policy - Allow always in Wekan markdown <img src="any-image-url-here"> Thanks to xet7 ! Closes #1676 2018-08-13 19:24:07 +03:00			`// Trusted URL that can embed Wekan in iFrame.`
			`const trusted = process.env.TRUSTED_URL;`
			`BrowserPolicy.framing.disallow();`
- Content Policy: Allow inline scripts, otherwise there is errors in browser/inspect/console. - Set default matomo settings to disabled. Thanks to xet7 ! 2018-08-15 23:41:01 +03:00			`//Allow inline scripts, otherwise there is errors in browser/inspect/console`
			`//BrowserPolicy.content.disallowInlineScripts();`
- Use only framing policy, not all of content policy. - Fix Date and Time Formats are only US in every language. Thanks to xet7 ! Closes #1833 2018-08-16 14:29:38 +03:00			`//BrowserPolicy.content.disallowEval();`
			`//BrowserPolicy.content.allowInlineStyles();`
			`//BrowserPolicy.content.allowFontDataUrl();`
- When Content Policy is enabled, allow one URL to have iframe that embeds Wekan - Add option to turn off Content Policy - Allow always in Wekan markdown <img src="any-image-url-here"> Thanks to xet7 ! Closes #1676 2018-08-13 19:24:07 +03:00			`BrowserPolicy.framing.restrictToOrigin(trusted);`
- Use only framing policy, not all of content policy. - Fix Date and Time Formats are only US in every language. Thanks to xet7 ! Closes #1833 2018-08-16 14:29:38 +03:00			`//BrowserPolicy.content.allowScriptOrigin(trusted);`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`} else {`
- When Content Policy is enabled, allow one URL to have iframe that embeds Wekan - Add option to turn off Content Policy - Allow always in Wekan markdown <img src="any-image-url-here"> Thanks to xet7 ! Closes #1676 2018-08-13 19:24:07 +03:00			`// Disable browser policy and allow all framing and including.`
			`// Use only at internal LAN, not at Internet.`
			`BrowserPolicy.framing.allowAll();`
- Use only framing policy, not all of content policy. - Fix Date and Time Formats are only US in every language. Thanks to xet7 ! Closes #1833 2018-08-16 14:29:38 +03:00			`//BrowserPolicy.content.allowDataUrlForAll();`
- When Content Policy is enabled, allow one URL to have iframe that embeds Wekan - Add option to turn off Content Policy - Allow always in Wekan markdown <img src="any-image-url-here"> Thanks to xet7 ! Closes #1676 2018-08-13 19:24:07 +03:00			`}`

			`// Allow all images from anywhere`
- Use only framing policy, not all of content policy. - Fix Date and Time Formats are only US in every language. Thanks to xet7 ! Closes #1833 2018-08-16 14:29:38 +03:00			`//BrowserPolicy.content.allowImageOrigin('*');`
- When Content Policy is enabled, allow one URL to have iframe that embeds Wekan - Add option to turn off Content Policy - Allow always in Wekan markdown <img src="any-image-url-here"> Thanks to xet7 ! Closes #1676 2018-08-13 19:24:07 +03:00
			`// If Matomo URL is set, allow it.`
Integration of matomo with env vars 2018-07-27 18:08:09 +02:00			`const matomoUrl = process.env.MATOMO_ADDRESS;`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`if (matomoUrl) {`
- Use only framing policy, not all of content policy. - Fix Date and Time Formats are only US in every language. Thanks to xet7 ! Closes #1833 2018-08-16 14:29:38 +03:00			`//BrowserPolicy.content.allowScriptOrigin(matomoUrl);`
			`//BrowserPolicy.content.allowImageOrigin(matomoUrl);`
Integration of matomo with env vars 2018-07-27 18:08:09 +02:00			`}`
			`});`