From 4898fe7ebc4e249e487a84b81cf2730cb24ced33 Mon Sep 17 00:00:00 2001
From: Aditya Bansal
Date: Mon, 16 Apr 2018 16:08:27 +0530
Subject: [PATCH] uploads: Change Content-Security-Policy to fix issue with pdf's.

Our recent addition of Content-Security-Policy to the file uploads backend broke in-browser previews of PDFs. The content-types change in the last commit fixed loading PDFs for most users; but the result was ugly, because e.g. Chrome would put the PDF previewer into a frame (so there were 2 left scrollbars). There were two changes needed to fix this: * Loading the style to use the plugin. We corrected this by adding `style-src 'self' 'unsafe-inline';` * Loading the plugin. Our CSP blocked loading the PDf viewer plugin. To correct this, we add object-src 'self', and then limit the plugin-type to just the one for application/pdf. We verified this new CSP using https://csp-evaluator.withgoogle.com/ in addition to manual testing.
---
 .../zulip/files/nginx/zulip-include-maybe/uploads-route.direct | 2 +-
 .../files/nginx/zulip-include-maybe/uploads-route.internal | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct
index 3cbaa72f52..329250cbcc 100644
--- a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct
+++ b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct
@@ -1,6 +1,6 @@
 location /user_uploads {
 add_header X-Content-Type-Options nosniff;
-add_header Content-Security-Policy "default-src 'none' img-src 'self'";
+add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
 include /etc/nginx/zulip-include/uploads.types;
 alias /home/zulip/uploads/files;
 }
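Review bot: The new policy leans on `plugin-types application/pdf` to stop `object-src 'self'` from letting any same-origin upload be embedded as a plugin, and that directive is not universally honoured — as far as I know Firefox and Safari never implemented it and Chromium has since removed it — so on those browsers the effective restriction is just `object-src 'self'`. That is still far tighter than the removed value, which also lacked the `;` between `default-src` and `img-src` and so was probably parsed as a single malformed `default-src` list. Nothing in the file records why `'unsafe-inline'` and `object-src 'self'` are present, so I'd put the rationale next to the directive: `# style-src 'unsafe-inline', object-src 'self' and plugin-types application/pdf are required for in-browser PDF previews; keep all other sources at 'none'`. Whether `'self'` means the application origin or a dedicated uploads origin depends on the deployment, which this file does not show; if it is the application origin, the plugin-types limit is doing real work wherever it is honoured. The identical hunk in uploads-route.internal needs the same comment.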
diff --git a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal
index 9b656bafe1..6bad36e825 100644
--- a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal
+++ b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal
@@ -1,7 +1,7 @@
 location /serve_uploads {
 internal;
 add_header X-Content-Type-Options nosniff;
-add_header Content-Security-Policy "default-src 'none' img-src 'self'";
+add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
 include /etc/nginx/zulip-include/uploads.types;
 alias /home/zulip/uploads/files;
 }