httpSafePort is not loaded from config when httpSafeOrigin is set

[gramakri]

Describe the bug
When httpSafeOrigin is set in config.js, httpSafePort is not initialized properly in env.js.

Where did it happen?
I am packaging CryptPad for Cloudron. Found this when making the package.

To Reproduce
Have a config.js like below:

    httpSafeOrigin: `https://some.domain.com`,
    httpSafePort: 3001,

CryptPad does not listen on port 3001 as expected from above config.

Expected behavior
httpSafePort must be loaded from config.

[gramakri]

The issue is in env.js at https://github.com/xwiki-labs/cryptpad/blob/main/lib/env.js#L54

    var httpSafePort;
    var httpPort = isValidPort(config.httpPort)? config.httpPort: 3000;

    if (typeof(config.httpSafeOrigin) !== 'string') {
        NO_SANDBOX = true;
        if (typeof(config.httpSafePort) !== 'number') { httpSafePort = httpPort + 1; }
        httpSafeOrigin = deriveSandboxOrigin(httpUnsafeOrigin, httpSafePort);
    } else {
        httpSafeOrigin = canonicalizeOrigin(config.httpSafeOrigin);
    }

httpSafePort starts out above as undefined. When config.httpSafeOrigin is a string, the value of httpSafePort is not set. This then means that the server.js logic does not listen on port 3001 at all.

[gramakri]

I add a line to initialize it like:

    } else {
        httpSafePort = config.httpSafePort;
        httpSafeOrigin = canonicalizeOrigin(config.httpSafeOrigin);
    }

and this makes CryptPad listen on port 3001 and serve secure assets on the safe domain.

[ansuz]

Hi,

I suspect you're trying to host CryptPad in way that we didn't anticipate. This comment in the example configuration file indicates that you probably don't need to change the value of httpSafePort.

We expect that in a production environment the static content for both the main and sandbox domains will be served via a reverse proxy (we recommend NGINX). Only the websocket and /api/* traffic should be forwarded to the API server, and that can be proxied to httpPort.

The served content is not more secure because of the port used in the backend, but because browsers impose restrictions on interacting with content that was loaded from a different origin (as specified by httpSafeOrigin).

If you can describe your use case and under what conditions it's necessary to listen on this port I'd be happy to reconsider, but as it stands I don't consider this a bug.

[gramakri]

Thanks for your comment @ansuz .

For some background, I have made a Cloudron package now. You can try it at https://my.demo.cloudron.io (username and password is 'cloudron'). The package itself is at https://git.cloudron.io/cloudron/cryptpad-app . It's basically Dockerfile with some restrictions.

After reading your comment on nginx, I have gone ahead and integrated nginx into the package, so I don't actually need this fixed anymore. I understand better now that the security here comes from the CSP policy in the sandbox domain and not by splitting the routes in the backend.

For future reference: my initial idea was to set things up without having nginx in the front. So, I was looking for a configuration where cryptpad listens on 2 separate ports (3000 and 3001). With this setup, nginx does split routing to port 3000 and 3001 (unlike your sample nginx config which relies on port 3000 only). I suspect this setup is not correctly working because the value of httpSafePort is not read from the config when httpSafeOrigin is set as a string.