gaschz/trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2025-11-26 02:24:23 +01:00
Code Issues Actions 11 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/TriliumNext/Trilium

Browse Source
This commit is contained in:
Elian Doran 2025-11-24 10:56:43 +02:00
commit c07ad348bd
No known key found for this signature in database
3 changed files with 63 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
apps/server/src/app.ts
View File

@ -56,10 +56,19 @@ export default async function buildApp() {
app.use(compression()); // HTTP compression app.use(compression()); // HTTP compression
} }
let resourcePolicy = config["Network"]["corsResourcePolicy"] as 'same-origin' | 'same-site' | 'cross-origin' | undefined;
if(resourcePolicy !== 'same-origin' && resourcePolicy !== 'same-site' && resourcePolicy !== 'cross-origin') {
log.error(`Invalid CORS Resource Policy value: '${resourcePolicy}', defaulting to 'same-origin'`);
resourcePolicy = 'same-origin';
}
app.use( app.use(
helmet({ helmet({
hidePoweredBy: false, // errors out in electron hidePoweredBy: false, // errors out in electron
contentSecurityPolicy: false, contentSecurityPolicy: false,
crossOriginResourcePolicy: {
policy: resourcePolicy
},
crossOriginEmbedderPolicy: false crossOriginEmbedderPolicy: false
}) })
); );

13
apps/server/src/services/config.ts
View File

@ -97,6 +97,8 @@ export interface TriliumConfig {
corsAllowMethods: string; corsAllowMethods: string;
/** CORS allowed headers (comma-separated header names) */ /** CORS allowed headers (comma-separated header names) */
corsAllowHeaders: string; corsAllowHeaders: string;
/** CORS Resource Policy ('same-origin', 'same-site', 'cross-origin') */
corsResourcePolicy: string;
}; };
/** Session management configuration */ /** Session management configuration */
Session: { Session: {
@ -362,6 +364,12 @@ const configMapping = {
aliasEnvVars: ['TRILIUM_NETWORK_CORS_ALLOW_HEADERS'], aliasEnvVars: ['TRILIUM_NETWORK_CORS_ALLOW_HEADERS'],
iniGetter: () => getIniSection("Network")?.corsAllowHeaders, iniGetter: () => getIniSection("Network")?.corsAllowHeaders,
defaultValue: '' defaultValue: ''
},
corsResourcePolicy: {
standardEnvVar: 'TRILIUM_NETWORK_CORSRESOURCEPOLICY',
aliasEnvVars: ['TRILIUM_NETWORK_CORS_RESOURCE_POLICY'],
iniGetter: () => getIniSection("Network")?.corsResourcePolicy,
defaultValue: 'same-origin' as 'same-origin' | 'same-site' | 'cross-origin'
} }
}, },
Session: { Session: {
@ -482,7 +490,8 @@ const config: TriliumConfig = {
trustedReverseProxy: getConfigValue(configMapping.Network.trustedReverseProxy), trustedReverseProxy: getConfigValue(configMapping.Network.trustedReverseProxy),
corsAllowOrigin: getConfigValue(configMapping.Network.corsAllowOrigin), corsAllowOrigin: getConfigValue(configMapping.Network.corsAllowOrigin),
corsAllowMethods: getConfigValue(configMapping.Network.corsAllowMethods), corsAllowMethods: getConfigValue(configMapping.Network.corsAllowMethods),
corsAllowHeaders: getConfigValue(configMapping.Network.corsAllowHeaders) corsAllowHeaders: getConfigValue(configMapping.Network.corsAllowHeaders),
corsResourcePolicy: getConfigValue(configMapping.Network.corsResourcePolicy)
}, },
Session: { Session: {
cookieMaxAge: getConfigValue(configMapping.Session.cookieMaxAge) cookieMaxAge: getConfigValue(configMapping.Session.cookieMaxAge)
@ -539,6 +548,7 @@ const config: TriliumConfig = {
* - TRILIUM_NETWORK_CORSALLOWORIGIN : CORS allowed origins * - TRILIUM_NETWORK_CORSALLOWORIGIN : CORS allowed origins
* - TRILIUM_NETWORK_CORSALLOWMETHODS : CORS allowed HTTP methods * - TRILIUM_NETWORK_CORSALLOWMETHODS : CORS allowed HTTP methods
* - TRILIUM_NETWORK_CORSALLOWHEADERS : CORS allowed headers * - TRILIUM_NETWORK_CORSALLOWHEADERS : CORS allowed headers
* - TRILIUM_NETWORK_CORSRESOURCEPOLICY : CORS Resource Policy
* *
* Session Section: * Session Section:
* - TRILIUM_SESSION_COOKIEMAXAGE : Cookie lifetime in seconds * - TRILIUM_SESSION_COOKIEMAXAGE : Cookie lifetime in seconds
@ -566,6 +576,7 @@ const config: TriliumConfig = {
* - TRILIUM_NETWORK_CORS_ALLOW_ORIGIN : Same as TRILIUM_NETWORK_CORSALLOWORIGIN * - TRILIUM_NETWORK_CORS_ALLOW_ORIGIN : Same as TRILIUM_NETWORK_CORSALLOWORIGIN
* - TRILIUM_NETWORK_CORS_ALLOW_METHODS : Same as TRILIUM_NETWORK_CORSALLOWMETHODS * - TRILIUM_NETWORK_CORS_ALLOW_METHODS : Same as TRILIUM_NETWORK_CORSALLOWMETHODS
* - TRILIUM_NETWORK_CORS_ALLOW_HEADERS : Same as TRILIUM_NETWORK_CORSALLOWHEADERS * - TRILIUM_NETWORK_CORS_ALLOW_HEADERS : Same as TRILIUM_NETWORK_CORSALLOWHEADERS
* - TRILIUM_NETWORK_CORS_RESOURCE_POLICY : Same as TRILIUM_NETWORK_CORSRESOURCEPOLICY
* *
* Sync (with SERVER prefix): * Sync (with SERVER prefix):
* - TRILIUM_SYNC_SERVER_HOST : Same as TRILIUM_SYNC_SYNCSERVERHOST * - TRILIUM_SYNC_SERVER_HOST : Same as TRILIUM_SYNC_SYNCSERVERHOST

3
docs/User Guide/User Guide/Advanced Usage/Configuration (config.ini or e.md vendored
View File

@ -49,6 +49,7 @@ Additionally, shorter aliases are available for common configurations (see Alter
| `TRILIUM_NETWORK_CORSALLOWORIGIN` | string | "" | CORS allowed origins | | `TRILIUM_NETWORK_CORSALLOWORIGIN` | string | "" | CORS allowed origins |
| `TRILIUM_NETWORK_CORSALLOWMETHODS` | string | "" | CORS allowed methods | | `TRILIUM_NETWORK_CORSALLOWMETHODS` | string | "" | CORS allowed methods |
| `TRILIUM_NETWORK_CORSALLOWHEADERS` | string | "" | CORS allowed headers | | `TRILIUM_NETWORK_CORSALLOWHEADERS` | string | "" | CORS allowed headers |
| `TRILIUM_NETWORK_CORSRESOURCEPOLICY` | string | same-origin | CORS Resource Policy allows same-origin/same-site/cross-origin as values, will error if not
### Session Section ### Session Section
@ -90,7 +91,7 @@ The following alternative environment variable names are also supported and work
* `TRILIUM_NETWORK_CORS_ALLOW_ORIGIN` (alternative to `TRILIUM_NETWORK_CORSALLOWORIGIN`) * `TRILIUM_NETWORK_CORS_ALLOW_ORIGIN` (alternative to `TRILIUM_NETWORK_CORSALLOWORIGIN`)
* `TRILIUM_NETWORK_CORS_ALLOW_METHODS` (alternative to `TRILIUM_NETWORK_CORSALLOWMETHODS`) * `TRILIUM_NETWORK_CORS_ALLOW_METHODS` (alternative to `TRILIUM_NETWORK_CORSALLOWMETHODS`)
* `TRILIUM_NETWORK_CORS_ALLOW_HEADERS` (alternative to `TRILIUM_NETWORK_CORSALLOWHEADERS`) * `TRILIUM_NETWORK_CORS_ALLOW_HEADERS` (alternative to `TRILIUM_NETWORK_CORSALLOWHEADERS`)
* `TRILIUM_NETWORK_CORS_RESOURCE_POLICY` (alternative to `TRILIUM_NETWORK_CORSRESOURCEPOLICY`)
### Sync Variables ### Sync Variables
* `TRILIUM_SYNC_SERVER_HOST` (alternative to `TRILIUM_SYNC_SYNCSERVERHOST`) * `TRILIUM_SYNC_SERVER_HOST` (alternative to `TRILIUM_SYNC_SYNCSERVERHOST`)