Merge branch 'main' of https://github.com/TriliumNext/Trilium

2025-11-26 02:24:23 +01:00 · 2025-11-24 10:56:43 +02:00 · 2025-11-24 10:56:43 +02:00 · c07ad348bd
commit c07ad348bd
parent d7ae2e4307 71b86b3cbc
3 changed files with 63 additions and 42 deletions
--- a/apps/server/src/app.ts
+++ b/apps/server/src/app.ts
@ -56,10 +56,19 @@ export default async function buildApp() {
        app.use(compression()); // HTTP compression
    }

+    let resourcePolicy = config["Network"]["corsResourcePolicy"] as 'same-origin' | 'same-site' | 'cross-origin' | undefined;
+    if(resourcePolicy !== 'same-origin' && resourcePolicy !== 'same-site' && resourcePolicy !== 'cross-origin') {
+        log.error(`Invalid CORS Resource Policy value: '${resourcePolicy}', defaulting to 'same-origin'`);
+        resourcePolicy = 'same-origin';
+    }
+
    app.use(
        helmet({
            hidePoweredBy: false, // errors out in electron
            contentSecurityPolicy: false,
+            crossOriginResourcePolicy: {
+                policy: resourcePolicy
+            },
            crossOriginEmbedderPolicy: false
        })
    );
--- a/apps/server/src/services/config.ts
+++ b/apps/server/src/services/config.ts
@ -97,6 +97,8 @@ export interface TriliumConfig {
        corsAllowMethods: string;
        /** CORS allowed headers (comma-separated header names) */
        corsAllowHeaders: string;
+        /** CORS Resource Policy ('same-origin', 'same-site', 'cross-origin') */
+        corsResourcePolicy: string;
    };
    /** Session management configuration */
    Session: {
@ -362,6 +364,12 @@ const configMapping = {
            aliasEnvVars: ['TRILIUM_NETWORK_CORS_ALLOW_HEADERS'],
            iniGetter: () => getIniSection("Network")?.corsAllowHeaders,
            defaultValue: ''
+        },
+        corsResourcePolicy: {
+            standardEnvVar: 'TRILIUM_NETWORK_CORSRESOURCEPOLICY',
+            aliasEnvVars: ['TRILIUM_NETWORK_CORS_RESOURCE_POLICY'],
+            iniGetter: () => getIniSection("Network")?.corsResourcePolicy,
+            defaultValue: 'same-origin' as 'same-origin' | 'same-site' | 'cross-origin'
        }
    },
    Session: {
@ -482,7 +490,8 @@ const config: TriliumConfig = {
        trustedReverseProxy: getConfigValue(configMapping.Network.trustedReverseProxy),
        corsAllowOrigin: getConfigValue(configMapping.Network.corsAllowOrigin),
        corsAllowMethods: getConfigValue(configMapping.Network.corsAllowMethods),
-        corsAllowHeaders: getConfigValue(configMapping.Network.corsAllowHeaders)
+        corsAllowHeaders: getConfigValue(configMapping.Network.corsAllowHeaders),
+        corsResourcePolicy: getConfigValue(configMapping.Network.corsResourcePolicy)
    },
    Session: {
        cookieMaxAge: getConfigValue(configMapping.Session.cookieMaxAge)
@ -539,6 +548,7 @@ const config: TriliumConfig = {
 * - TRILIUM_NETWORK_CORSALLOWORIGIN      : CORS allowed origins
 * - TRILIUM_NETWORK_CORSALLOWMETHODS     : CORS allowed HTTP methods
 * - TRILIUM_NETWORK_CORSALLOWHEADERS     : CORS allowed headers
+ * - TRILIUM_NETWORK_CORSRESOURCEPOLICY   : CORS Resource Policy
 *
 * Session Section:
 * - TRILIUM_SESSION_COOKIEMAXAGE         : Cookie lifetime in seconds
@ -566,6 +576,7 @@ const config: TriliumConfig = {
 * - TRILIUM_NETWORK_CORS_ALLOW_ORIGIN    : Same as TRILIUM_NETWORK_CORSALLOWORIGIN
 * - TRILIUM_NETWORK_CORS_ALLOW_METHODS   : Same as TRILIUM_NETWORK_CORSALLOWMETHODS
 * - TRILIUM_NETWORK_CORS_ALLOW_HEADERS   : Same as TRILIUM_NETWORK_CORSALLOWHEADERS
+ * - TRILIUM_NETWORK_CORS_RESOURCE_POLICY : Same as TRILIUM_NETWORK_CORSRESOURCEPOLICY
 *
 * Sync (with SERVER prefix):
 * - TRILIUM_SYNC_SERVER_HOST             : Same as TRILIUM_SYNC_SYNCSERVERHOST
--- a/Usage/Configuration
+++ b/Usage/Configuration
@ -49,6 +49,7 @@ Additionally, shorter aliases are available for common configurations (see Alter
 | `TRILIUM_NETWORK_CORSALLOWORIGIN` | string | ""  | CORS allowed origins |
 | `TRILIUM_NETWORK_CORSALLOWMETHODS` | string | ""  | CORS allowed methods |
 | `TRILIUM_NETWORK_CORSALLOWHEADERS` | string | ""  | CORS allowed headers |
+| `TRILIUM_NETWORK_CORSRESOURCEPOLICY` | string | same-origin | CORS Resource Policy allows same-origin/same-site/cross-origin as values, will error if not

 ### Session Section

@ -90,7 +91,7 @@ The following alternative environment variable names are also supported and work
 *   `TRILIUM_NETWORK_CORS_ALLOW_ORIGIN` (alternative to `TRILIUM_NETWORK_CORSALLOWORIGIN`)
 *   `TRILIUM_NETWORK_CORS_ALLOW_METHODS` (alternative to `TRILIUM_NETWORK_CORSALLOWMETHODS`)
 *   `TRILIUM_NETWORK_CORS_ALLOW_HEADERS` (alternative to `TRILIUM_NETWORK_CORSALLOWHEADERS`)
-
+*   `TRILIUM_NETWORK_CORS_RESOURCE_POLICY` (alternative to `TRILIUM_NETWORK_CORSRESOURCEPOLICY`)
 ### Sync Variables

 *   `TRILIUM_SYNC_SERVER_HOST` (alternative to `TRILIUM_SYNC_SYNCSERVERHOST`)