templates/etc/nginx/sites-available/cryptpad.j2

@@ -25,7 +25,7 @@
   add_header Access-Control-Allow-Origin "*";
 
   set $coop '';
- if ($uri ~ ^\/(sheet|presentation|doc)\/.*$) { set $coop 'same-origin'; }
+ if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
 
   # Enable SharedArrayBuffer in Firefox (for .xlsx export)
   add_header Cross-Origin-Resource-Policy cross-origin;
@@ -131,6 +131,13 @@
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    # These settings prevent both NGINX and the API server
+    # from setting the same headers and creating duplicates
+    proxy_hide_header Cross-Origin-Resource-Policy;
+    add_header Cross-Origin-Resource-Policy cross-origin;
+    proxy_hide_header Cross-Origin-Embedder-Policy;
+    add_header Cross-Origin-Embedder-Policy require-corp;
   }
 
   # encrypted blobs are immutable and are thus cached for a year
@@ -173,7 +180,7 @@
   # The nodejs server has some built-in forwarding rules to prevent
   # URLs like /pad from resulting in a 404. This simply adds a trailing slash
   # to a variety of applications.
-  location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc)$ {
+  location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert)$ {
       rewrite ^(.*)$ $1/ redirect;
   }
 {% endblock %}