bump to cryptpad 5.7.0 (#62)

Reviewed-on: #62
Reviewed-by: muppeth <muppeth@no-reply@disroot.org>
Co-authored-by: meaz <meaz@disroot.org>
Co-committed-by: meaz <meaz@disroot.org>
meaz 2024-03-05 20:19:22 +00:00 committed by muppeth
parent 002e1183fc
commit 5646a553fc
1 changed files with 9 additions and 5 deletions


@ -5,6 +5,10 @@
{% extends "core.j2" %}
{% block app_specific %}
# Include mime.types to be able to support .mjs files (see "types" below)
include mime.types;
# CryptPad serves static assets over these two domains.
# `main_domain` is what users will enter in their address bar.
# Privileged computation such as key management is handled in this scope
@ -113,11 +117,6 @@
# We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
# draw.io uses inline script tags in it's index.html. The hashes are added here.
if ($uri ~ ^\/components\/drawio\/src\/main\/webapp\/index.html.*$) {
set $scriptSrc "'self' 'sha256-dLMFD7ijAw6AVaqecS7kbPcFFzkxQ+yeZSsKpOdLxps=' 'sha256-6g514VrT/cZFZltSaKxIVNFF46+MFaTSDTPB8WfYK+c=' resource: https://${main_domain}";
}
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
if ($unsafe) {
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
@ -126,6 +125,11 @@
# Finally, set all the rules you composed above.
add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
# Add support for .mjs files used by pdfjs
types {
application/javascript mjs;
}
{% endblock %}
{% block root %}
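Review bot: The `include mime.types;` added at the top of `app_specific` and the `types { application/javascript mjs; }` block added at the end depend on each other, but neither comment says why. In nginx a `types` block defined at one level replaces the map inherited from the level above rather than extending it, so without the include every non-.mjs asset in this scope would fall back to `default_type`. I would extend the first comment to something like `# A types block at this level replaces the inherited MIME map, so mime.types is re-included here and must stay together with the "types" block below`. Most of `app_specific` lies between the hunks and is not visible here, so it is worth confirming that no nested `location` declares its own `types` block, which would drop both again for that location.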