Merge branch 'main' of https://github.com/TriliumNext/Trilium

2025-11-26 02:24:23 +01:00 · 2025-11-24 10:56:43 +02:00 · 2025-11-24 10:56:43 +02:00 · c07ad348bd
commit c07ad348bd
parent d7ae2e4307 71b86b3cbc
3 changed files with 63 additions and 42 deletions
--- a/apps/server/src/app.ts
+++ b/apps/server/src/app.ts
@ -56,10 +56,19 @@ export default async function buildApp() {
        app.use(compression()); // HTTP compression
    }

+    let resourcePolicy = config["Network"]["corsResourcePolicy"] as 'same-origin' | 'same-site' | 'cross-origin' | undefined;
+    if(resourcePolicy !== 'same-origin' && resourcePolicy !== 'same-site' && resourcePolicy !== 'cross-origin') {
+        log.error(`Invalid CORS Resource Policy value: '${resourcePolicy}', defaulting to 'same-origin'`);
+        resourcePolicy = 'same-origin';
+    }
+
    app.use(
        helmet({
            hidePoweredBy: false, // errors out in electron
            contentSecurityPolicy: false,
+            crossOriginResourcePolicy: {
+                policy: resourcePolicy
+            },
            crossOriginEmbedderPolicy: false
        })
    );
--- a/apps/server/src/services/config.ts
+++ b/apps/server/src/services/config.ts
@ -97,6 +97,8 @@ export interface TriliumConfig {
        corsAllowMethods: string;
        /** CORS allowed headers (comma-separated header names) */
        corsAllowHeaders: string;
+        /** CORS Resource Policy ('same-origin', 'same-site', 'cross-origin') */
+        corsResourcePolicy: string;
    };
    /** Session management configuration */
    Session: {
@ -148,27 +150,27 @@ export const LOGGING_DEFAULT_RETENTION_DAYS = 90;
 * This interface defines how each configuration value is resolved from multiple sources.
 */
 interface ConfigValue<T> {
-    /** 
+    /**
     * Standard environment variable name following TRILIUM_[SECTION]_[KEY] pattern.
     * This is the primary way to override configuration via environment.
     */
    standardEnvVar?: string;
-    /** 
+    /**
     * Alternative environment variable names for additional flexibility.
     * These provide shorter or more intuitive names for common settings.
     */
    aliasEnvVars?: string[];
-    /** 
+    /**
     * Function to retrieve the value from the parsed INI configuration.
     * Returns undefined if the value is not set in config.ini.
     */
    iniGetter: () => IniConfigValue | IniConfigSection;
-    /** 
+    /**
     * Default value used when no environment variable or INI value is found.
     * This ensures every configuration has a sensible default.
     */
    defaultValue: T;
-    /** 
+    /**
     * Optional transformer function to convert string values to the correct type.
     * Common transformers handle boolean and integer conversions.
     */
@ -177,18 +179,18 @@ interface ConfigValue<T> {

 /**
 * Core configuration resolution function.
- * 
+ *
 * Resolves configuration values using a clear precedence order:
 * 1. Standard environment variable (highest priority) - Follows TRILIUM_[SECTION]_[KEY] pattern
 * 2. Alias environment variables - Alternative names for convenience and compatibility
 * 3. INI config file value - User-defined settings in config.ini
 * 4. Default value (lowest priority) - Fallback to ensure valid configuration
- * 
+ *
 * This precedence allows for flexible configuration management:
 * - Environment variables for container/cloud deployments
 * - config.ini for traditional installations
 * - Defaults ensure the application always has valid settings
- * 
+ *
 * @param config - Configuration value definition with sources and transformers
 * @returns The resolved configuration value with appropriate type
 */
@ -223,7 +225,7 @@ function getConfigValue<T>(config: ConfigValue<T>): T {
 * Helper function to safely access INI config sections.
 * The ini parser can return either a section object or a primitive value,
 * so we need to check the type before accessing nested properties.
- * 
+ *
 * @param sectionName - The name of the INI section to access
 * @returns The section object or undefined if not found or not an object
 */
@ -237,15 +239,15 @@ function getIniSection(sectionName: string): IniConfigSection | undefined {

 /**
 * Transform a value to boolean, handling various input formats.
- * 
+ *
 * This function provides flexible boolean parsing to handle different
 * configuration sources (environment variables, INI files, etc.):
 * - String "true"/"false" (case-insensitive)
- * - String "1"/"0" 
+ * - String "1"/"0"
 * - Numeric 1/0
 * - Actual boolean values
 * - Any other value defaults to false
- * 
+ *
 * @param value - The value to transform (string, number, boolean, etc.)
 * @returns The boolean value or false as default
 */
@ -253,28 +255,28 @@ function transformBoolean(value: unknown): boolean {
    // First try the standard envToBoolean function which handles "true"/"false" strings
    const result = envToBoolean(String(value));
    if (result !== undefined) return result;
-    
+
    // Handle numeric boolean values (both string and number types)
    if (value === "1" || value === 1) return true;
    if (value === "0" || value === 0) return false;
-    
+
    // Default to false for any other value
    return false;
 }

 /**
 * Complete configuration mapping that defines how each setting is resolved.
- * 
+ *
 * This mapping structure:
 * 1. Mirrors the INI file sections for consistency
 * 2. Defines multiple sources for each configuration value
 * 3. Provides type transformers where needed
 * 4. Maintains compatibility with various environment variable formats
- * 
+ *
 * Environment Variable Patterns:
 * - Standard: TRILIUM_[SECTION]_[KEY] (e.g., TRILIUM_GENERAL_INSTANCENAME)
 * - Aliases: Shorter alternatives (e.g., TRILIUM_OAUTH_BASE_URL)
- * 
+ *
 * Both patterns are equally valid and can be used based on preference.
 * The standard pattern provides consistency, while aliases offer convenience.
 */
@ -362,6 +364,12 @@ const configMapping = {
            aliasEnvVars: ['TRILIUM_NETWORK_CORS_ALLOW_HEADERS'],
            iniGetter: () => getIniSection("Network")?.corsAllowHeaders,
            defaultValue: ''
+        },
+        corsResourcePolicy: {
+            standardEnvVar: 'TRILIUM_NETWORK_CORSRESOURCEPOLICY',
+            aliasEnvVars: ['TRILIUM_NETWORK_CORS_RESOURCE_POLICY'],
+            iniGetter: () => getIniSection("Network")?.corsResourcePolicy,
+            defaultValue: 'same-origin' as 'same-origin' | 'same-site' | 'cross-origin'
        }
    },
    Session: {
@ -455,13 +463,13 @@ const configMapping = {

 /**
 * Build the final configuration object by resolving all values through the mapping.
- * 
+ *
 * This creates the runtime configuration used throughout the application by:
 * 1. Iterating through each section and key in the mapping
 * 2. Calling getConfigValue() to resolve each setting with proper precedence
 * 3. Applying type transformers where needed (booleans, integers)
 * 4. Returning a fully typed TriliumConfig object
- * 
+ *
 * The resulting config object is immutable at runtime and represents
 * the complete application configuration.
 */
@ -482,7 +490,8 @@ const config: TriliumConfig = {
        trustedReverseProxy: getConfigValue(configMapping.Network.trustedReverseProxy),
        corsAllowOrigin: getConfigValue(configMapping.Network.corsAllowOrigin),
        corsAllowMethods: getConfigValue(configMapping.Network.corsAllowMethods),
-        corsAllowHeaders: getConfigValue(configMapping.Network.corsAllowHeaders)
+        corsAllowHeaders: getConfigValue(configMapping.Network.corsAllowHeaders),
+        corsResourcePolicy: getConfigValue(configMapping.Network.corsResourcePolicy)
    },
    Session: {
        cookieMaxAge: getConfigValue(configMapping.Session.cookieMaxAge)
@ -509,26 +518,26 @@ const config: TriliumConfig = {
 * =====================================================================
 * ENVIRONMENT VARIABLE REFERENCE
 * =====================================================================
- * 
+ *
 * Trilium supports flexible environment variable configuration with multiple
 * naming patterns. Both formats below are equally valid and can be used
 * based on your preference.
- * 
+ *
 * CONFIGURATION PRECEDENCE:
 * 1. Environment variables (highest priority)
 * 2. config.ini file values
 * 3. Default values (lowest priority)
- * 
+ *
 * FULL FORMAT VARIABLES (following TRILIUM_[SECTION]_[KEY] pattern):
 * ====================================================================
- * 
+ *
 * General Section:
 * - TRILIUM_GENERAL_INSTANCENAME         : Custom instance identifier
 * - TRILIUM_GENERAL_NOAUTHENTICATION     : Disable auth (true/false)
 * - TRILIUM_GENERAL_NOBACKUP             : Disable backups (true/false)
 * - TRILIUM_GENERAL_NODESKTOPICON        : No desktop icon (true/false)
 * - TRILIUM_GENERAL_READONLY             : Read-only mode (true/false)
- * 
+ *
 * Network Section:
 * - TRILIUM_NETWORK_HOST                 : Bind address (e.g., "0.0.0.0")
 * - TRILIUM_NETWORK_PORT                 : Server port (e.g., "8080")
@ -539,15 +548,16 @@ const config: TriliumConfig = {
 * - TRILIUM_NETWORK_CORSALLOWORIGIN      : CORS allowed origins
 * - TRILIUM_NETWORK_CORSALLOWMETHODS     : CORS allowed HTTP methods
 * - TRILIUM_NETWORK_CORSALLOWHEADERS     : CORS allowed headers
- * 
+ * - TRILIUM_NETWORK_CORSRESOURCEPOLICY   : CORS Resource Policy
+ *
 * Session Section:
 * - TRILIUM_SESSION_COOKIEMAXAGE         : Cookie lifetime in seconds
- * 
+ *
 * Sync Section:
 * - TRILIUM_SYNC_SYNCSERVERHOST          : Sync server URL
 * - TRILIUM_SYNC_SYNCSERVERTIMEOUT       : Sync timeout in milliseconds
 * - TRILIUM_SYNC_SYNCPROXY               : Proxy URL for sync
- * 
+ *
 * Multi-Factor Authentication Section:
 * - TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHBASEURL       : OAuth base URL
 * - TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTID      : OAuth client ID
@ -555,23 +565,24 @@ const config: TriliumConfig = {
 * - TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERBASEURL : OAuth issuer URL
 * - TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERNAME    : OAuth provider name
 * - TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERICON    : OAuth provider icon
- * 
+ *
 * Logging Section:
 * - TRILIUM_LOGGING_RETENTIONDAYS        : Log retention period in days
- * 
+ *
 * SHORTER ALTERNATIVE VARIABLES (equally valid, for convenience):
 * ================================================================
- * 
+ *
 * Network CORS (with underscores):
 * - TRILIUM_NETWORK_CORS_ALLOW_ORIGIN    : Same as TRILIUM_NETWORK_CORSALLOWORIGIN
 * - TRILIUM_NETWORK_CORS_ALLOW_METHODS   : Same as TRILIUM_NETWORK_CORSALLOWMETHODS
 * - TRILIUM_NETWORK_CORS_ALLOW_HEADERS   : Same as TRILIUM_NETWORK_CORSALLOWHEADERS
- * 
+ * - TRILIUM_NETWORK_CORS_RESOURCE_POLICY : Same as TRILIUM_NETWORK_CORSRESOURCEPOLICY
+ *
 * Sync (with SERVER prefix):
 * - TRILIUM_SYNC_SERVER_HOST             : Same as TRILIUM_SYNC_SYNCSERVERHOST
 * - TRILIUM_SYNC_SERVER_TIMEOUT          : Same as TRILIUM_SYNC_SYNCSERVERTIMEOUT
 * - TRILIUM_SYNC_SERVER_PROXY            : Same as TRILIUM_SYNC_SYNCPROXY
- * 
+ *
 * OAuth (simplified without section name):
 * - TRILIUM_OAUTH_BASE_URL               : Same as TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHBASEURL
 * - TRILIUM_OAUTH_CLIENT_ID              : Same as TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTID
@ -579,14 +590,14 @@ const config: TriliumConfig = {
 * - TRILIUM_OAUTH_ISSUER_BASE_URL        : Same as TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERBASEURL
 * - TRILIUM_OAUTH_ISSUER_NAME            : Same as TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERNAME
 * - TRILIUM_OAUTH_ISSUER_ICON            : Same as TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERICON
- * 
+ *
 * Logging (with underscore):
 * - TRILIUM_LOGGING_RETENTION_DAYS       : Same as TRILIUM_LOGGING_RETENTIONDAYS
- * 
+ *
 * BOOLEAN VALUES:
 * - Accept: "true", "false", "1", "0", 1, 0
 * - Default to false for invalid values
- * 
+ *
 * EXAMPLES:
 * export TRILIUM_NETWORK_PORT="8080"                      # Using full format
 * export TRILIUM_OAUTH_CLIENT_ID="my-client-id"           # Using shorter alternative
@ -597,23 +608,23 @@ const config: TriliumConfig = {
 /**
 * The exported configuration object used throughout the Trilium application.
 * This object is resolved once at startup and remains immutable during runtime.
- * 
+ *
 * To override any setting:
 * 1. Set an environment variable (see documentation above)
 * 2. Edit config.ini in your data directory
 * 3. Defaults will be used if neither is provided
- * 
+ *
 * @example
 * // Accessing configuration in other modules:
 * import config from './services/config.js';
- * 
+ *
 * if (config.General.noAuthentication) {
 *     // Skip authentication checks
 * }
- * 
+ *
 * const server = https.createServer({
 *     cert: fs.readFileSync(config.Network.certPath),
 *     key: fs.readFileSync(config.Network.keyPath)
 * });
 */
-export default config;
+export default config;
--- a/Usage/Configuration
+++ b/Usage/Configuration
@ -49,6 +49,7 @@ Additionally, shorter aliases are available for common configurations (see Alter
 | `TRILIUM_NETWORK_CORSALLOWORIGIN` | string | ""  | CORS allowed origins |
 | `TRILIUM_NETWORK_CORSALLOWMETHODS` | string | ""  | CORS allowed methods |
 | `TRILIUM_NETWORK_CORSALLOWHEADERS` | string | ""  | CORS allowed headers |
+| `TRILIUM_NETWORK_CORSRESOURCEPOLICY` | string | same-origin | CORS Resource Policy allows same-origin/same-site/cross-origin as values, will error if not

 ### Session Section

@ -90,7 +91,7 @@ The following alternative environment variable names are also supported and work
 *   `TRILIUM_NETWORK_CORS_ALLOW_ORIGIN` (alternative to `TRILIUM_NETWORK_CORSALLOWORIGIN`)
 *   `TRILIUM_NETWORK_CORS_ALLOW_METHODS` (alternative to `TRILIUM_NETWORK_CORSALLOWMETHODS`)
 *   `TRILIUM_NETWORK_CORS_ALLOW_HEADERS` (alternative to `TRILIUM_NETWORK_CORSALLOWHEADERS`)
-
+*   `TRILIUM_NETWORK_CORS_RESOURCE_POLICY` (alternative to `TRILIUM_NETWORK_CORSRESOURCEPOLICY`)
 ### Sync Variables

 *   `TRILIUM_SYNC_SERVER_HOST` (alternative to `TRILIUM_SYNC_SYNCSERVERHOST`)