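/*
 * Copyright (c) 2006-2020, JGraph Ltd
 *
 * This provides an indirection to make sure the mxClient.js
 * loads before the dependent classes below are loaded. This
 * is used for development mode where the JS is in separate
 * files and the mxClient.js loads other files.
 */

/*
 * Builds the development Content-Security-Policy and hands it to mxmeta.
 * With the print-csp=1 URL parameter it also logs the policy strings for
 * each deployment (app, se, Confluence, Jira, import) and a JSON blob of
 * response headers.
 *
 * The block is skipped in Electron and when the page is served over plain
 * http, so in those cases this file installs no policy at all.
 *
 * mxIsElectron, urlParams and mxmeta are defined outside this file.
 */
if (!mxIsElectron && location.protocol !== 'http:')
{
	(function()
	{
		/*
		 * Squeezes every run of spaces to a single space. Substituting an
		 * empty value for a %placeholder% leaves doubled spaces behind; the
		 * previous replace(/ /g, ' ') swapped a space for a space and so
		 * changed nothing.
		 */
		function collapseSpaces(policy)
		{
			return policy.replace(/ {2,}/g, ' ');
		}

		// default-src plus script-src. %script-src% is filled per deployment below.
		var hashes = 'default-src \'self\'; ' +
			// storage.googleapis.com is needed for workbox-service-worker
			'script-src %script-src% \'self\' https://viewer.diagrams.net https://storage.googleapis.com ' +
			'https://apis.google.com https://*.pusher.com ' +
			// Below are the SHAs of the two script blocks in index.html.
			// These must be updated here and in the CDN after changes.
			//----------------------------------------------------------//
			//------------- Bootstrap script in index.html -------------//
			//----------------------------------------------------------//
			// Version 14.6.5
			'\'sha256-5DtSB5mj34lxcEf+HFWbBLEF49xxJaKnWGDWa/utwQA=\' ' +
			// Version 14.1.1
			'\'sha256-8HtpzsH4zj5+RKfTWMxPmWJKBu0OYbn+WuPrLbVky+g=\' ' +
			//---------------------------------------------------------//
			//------------- App.main script in index.html -------------//
			//---------------------------------------------------------//
			// Version 13.8.2
			'\'sha256-vS/MxlVD7nbY7AnV+0t1Ap338uF7vrcs7y23KjERhKc=\' ' +
			//---------------------------------------------------------//
			'; ';

		// Hash sources for inline styles; only used when safe-style-src=1
		// (and always in the se.diagrams.net policy printed below).
		var styleHashes = '\'sha256-JjkxVHHCCVO0nllPD6hU8bBYSlsikA8TM/o3fhr0bas=\' ' + // index.html
			'\'sha256-VTG4NbRCx30lYCdLPlgZTrdTopzcdviOjAbS7nk+KbI=\' ' + // Minimal.js/Light
			'\'sha256-mbkyvR7KVIpvb+DU65TAGUt3LYuyF2kUg8Ktoee8eY4=\' ' + // Minimal.js/Dark
			'\'sha256-7kY8ozVqKLIIBwZ24dhdmZkM26PsOlZmEi72RhmZKoM=\' ' + // mxTooltipHandler.js
			'\'sha256-01chdey79TzZe4ihnvvUXXI5y8MklIcKH+vzDdQvsuU=\' ' + // Editor.js/mathJaxWebkitCss
			'\'sha256-fGbXK7EYpvNRPca81zPnqJHi2y+34KSgAcZv8mhaSzI=\' ' + // MathJax.js
			'\'sha256-3hENQqEWUBxdkmJp2kQ2+G0F8NVGzFAVkW5vWDo7ONk=\' ' + // MathJax.js
			'\'sha256-Z4u/cxrZPHjN20CIXZHTKr+VlqVxrWG8cbbeC2zmPqI=\' ' + // MathJax.js
			'\'sha256-LDMABiyg2T48kuAV9ouqNCSEqf2OkUdlZK9D9CeZHBs=\' ' + // MathJax.js
			'\'sha256-XQfwbaSNgLzro3IzkwT0uZLAiBvZzajo0QZx7oW158E=\' ' + // MathJax.js
			'\'sha256-++XCePvZXKdegIqkwtbudr16Jx87KFh4t/t7UxsbHpw=\' ' + // MathJax.js
			'\'sha256-v9NOL6IswMbY7zpRZjxkYujhuGRVvZtp1c1MfdnToB4=\' ' + // MathJax.js
			'\'sha256-5xtuTr9UuyJoTQ76CNLzvSJjS7onwfq73B2rLWCl3aE=\' ' + // MathJax.js
			'\'sha256-W21B506Ri8aGW3T87iawssPz71NvvbYZfBfzDbBSArU=\' ' + // MathJax.js
			'\'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\' ' + // spin.min.js
			'\'sha256-nzHi23DROym7G011m6y0DyDd9mvQL2hSJ0Gy3g2T/5Q=\' ' + // dropins.js
			'\'sha256-76P1PZLzT12kfw2hkrLn5vu/cWZgcOYuSYU3RT3rXKA=\' ' + // gapi
			'\'unsafe-hashes\'; '; // Required for hashes for style attribute

		// Remaining directives. %connect-src%, %frame-src% and %style-src%
		// are filled per deployment below.
		var directives = 'connect-src %connect-src% \'self\' https://*.draw.io https://*.diagrams.net ' +
			'https://*.googleapis.com wss://*.pusher.com https://*.pusher.com ' +
			'https://api.github.com https://raw.githubusercontent.com https://gitlab.com ' +
			'https://graph.microsoft.com https://*.sharepoint.com https://*.1drv.com https://api.onedrive.com ' +
			'https://dl.dropboxusercontent.com ' +
			'https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; ' +
			// font-src about: is required for MathJax HTML-CSS output with STIX
			'img-src * data: blob:; media-src * data:; font-src * about:; ' +
			// www.draw.io required for browser data migration to app.diagrams.net and
			// viewer.diagrams.net required for iframe embed preview
			'frame-src %frame-src% \'self\' https://viewer.diagrams.net https://www.draw.io https://*.google.com; ' +
			'style-src %style-src% \'self\' https://fonts.googleapis.com ' +
			// Replaces unsafe-inline style-src with hashes with safe-style-src URL parameter.
			// Without that parameter style-src falls back to 'unsafe-inline'.
			((urlParams['safe-style-src'] == '1') ? styleHashes : '\'unsafe-inline\'; ') +
			'object-src \'none\';';

		var csp = hashes + directives;

		// Development policy. 'unsafe-eval' is added here only; none of the
		// deployment strings printed below contain it.
		var devCsp = collapseSpaces(csp.
			// Adds script tags and loads shapes with eval
			replace(/%script-src%/g, 'https://www.dropbox.com https://api.trello.com https://devhost.jgraph.com \'unsafe-eval\'').
			// Adds Trello and Dropbox backend storage
			replace(/%connect-src%/g, 'https://*.dropboxapi.com https://trello.com https://api.trello.com').
			// Loads common.css from mxgraph
			replace(/%style-src%/g, 'https://devhost.jgraph.com').
			replace(/%frame-src%/g, ''));

		// NOTE(review): mxmeta is defined elsewhere; its name and arguments
		// suggest a <meta http-equiv> element - confirm. A policy delivered
		// that way cannot carry frame-ancestors, which would be consistent
		// with frame-ancestors appearing only in the printed header string.
		mxmeta(null, devCsp, 'Content-Security-Policy');

		if (urlParams['print-csp'] == '1')
		{
			console.log('Content-Security-Policy');

			// frame-ancestors is appended after the whitespace cleanup, as before.
			var app_diagrams_net = collapseSpaces(csp.
				replace(/%script-src%/g, 'https://www.dropbox.com https://api.trello.com').
				replace(/%connect-src%/g, 'https://*.dropboxapi.com https://api.trello.com').
				replace(/%frame-src%/g, '').
				replace(/%style-src%/g, '')) +
				' frame-ancestors \'self\' https://teams.microsoft.com;';
			console.log('app.diagrams.net:', app_diagrams_net);

			// NOTE(review): frame-src is listed twice in this policy. CSP
			// parsing keeps the first occurrence of a directive and ignores
			// later duplicates, so the trailing frame-src 'none' has no
			// effect. Decide which of the two is intended and drop the other.
			var se_diagrams_net = hashes.replace(/%script-src%/g, '') +
				'connect-src \'self\' https://*.diagrams.net ' +
				'https://*.googleapis.com wss://*.pusher.com https://*.pusher.com ' +
				'https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; ' +
				'img-src * data: blob:; media-src * data:; font-src * about:; ' +
				'frame-src \'self\' https://viewer.diagrams.net https://*.google.com; ' +
				'style-src \'self\' https://fonts.googleapis.com ' + styleHashes + ' ' +
				'object-src \'none\';' +
				'form-action \'none\';' +
				'base-uri \'none\';' +
				'child-src \'none\';' +
				'frame-src \'none\';' +
				'worker-src https://se.diagrams.net/service-worker.js;';
			console.log('se.diagrams.net:', se_diagrams_net);

			// TODO remove https://ajax.googleapis.com April 2022. It's old jquery domain
			var ac_draw_io = collapseSpaces(csp.
				replace(/%script-src%/g, 'https://aui-cdn.atlassian.com https://connect-cdn.atl-paas.net https://ajax.googleapis.com https://cdnjs.cloudflare.com').
				replace(/%frame-src%/g, 'https://www.lucidchart.com https://app.lucidchart.com https://lucid.app blob:').
				replace(/%style-src%/g, 'https://aui-cdn.atlassian.com https://*.atlassian.net').
				replace(/%connect-src%/g, ''));
			console.log('ac.draw.io:', ac_draw_io);

			var aj_draw_io = collapseSpaces(csp.
				replace(/%script-src%/g, 'https://connect-cdn.atl-paas.net').
				replace(/%frame-src%/g, 'blob:').
				replace(/%style-src%/g, 'https://aui-cdn.atlassian.com https://*.atlassian.net').
				replace(/%connect-src%/g, 'https://api.atlassian.com https://api.media.atlassian.com'));
			console.log('aj.draw.io:', aj_draw_io);

			console.log('import.diagrams.net:', 'default-src \'self\'; worker-src blob:; img-src \'self\' blob: data: https://www.lucidchart.com ' +
				'https://app.lucidchart.com https://lucid.app; style-src \'self\' \'unsafe-inline\'; frame-src https://www.lucidchart.com https://app.lucidchart.com https://lucid.app;');
			console.log('Development:', devCsp);

			// Header map printed as JSON. The teams entry reuses the app policy
			// with every 'sha256-...' source expression removed.
			console.log('Header Worker:', 'let securityHeaders =', JSON.stringify({
				online: {
					"Content-Security-Policy" : app_diagrams_net,
					"Permissions-Policy" : "microphone=()"
				},
				se: {
					"Content-Security-Policy" : se_diagrams_net,
					"Permissions-Policy" : "microphone=()",
					"Access-Control-Allow-Origin": "https://se.diagrams.net"
				},
				teams: {
					"Content-Security-Policy" : app_diagrams_net.replace(/ 'sha256-[^']+'/g, ''),
					"Permissions-Policy" : "microphone=()"
				},
				jira: {
					"Content-Security-Policy" : aj_draw_io,
					"Permissions-Policy" : "microphone=()"
				},
				conf: {
					"Content-Security-Policy" : ac_draw_io,
					"Permissions-Policy" : "microphone=()"
				}
			}, null, 4));
		}
	})();
}
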
/*
 * Loads the individual development sources through mxscript, in the order
 * listed. mxscript, drawDevUrl, geBasePath and urlParams are defined
 * outside this file.
 *
 * NOTE(review): every URL here is built from drawDevUrl or geBasePath, so
 * the origins those resolve to must be allowed by the script-src of
 * whatever Content-Security-Policy is in effect - confirm against the
 * development policy.
 */
(function()
{
	// Requests each path, prefixed with the given base, in list order.
	function loadAll(base, paths)
	{
		for (var i = 0; i < paths.length; i++)
		{
			mxscript(base + paths[i]);
		}
	}

	// Third-party libraries
	loadAll(drawDevUrl, [
		'js/cryptojs/aes.min.js',
		'js/spin/spin.min.js',
		'js/deflate/pako.min.js',
		'js/deflate/base64.js',
		'js/jscolor/jscolor.js',
		'js/sanitizer/sanitizer.min.js',
		'js/croppie/croppie.min.js',
		'js/rough/rough.min.js'
	]);

	// Uses grapheditor from devhost
	loadAll(geBasePath, [
		'/Editor.js',
		'/EditorUi.js',
		'/Sidebar.js',
		'/Graph.js',
		'/Format.js',
		'/Shapes.js',
		'/Actions.js',
		'/Menus.js',
		'/Toolbar.js',
		'/Dialogs.js'
	]);

	loadAll(drawDevUrl, [
		// Loads main classes
		'js/diagramly/sidebar/Sidebar.js',
		'js/diagramly/sidebar/Sidebar-ActiveDirectory.js',
		'js/diagramly/sidebar/Sidebar-Advanced.js',
		'js/diagramly/sidebar/Sidebar-AlliedTelesis.js',
		'js/diagramly/sidebar/Sidebar-Android.js',
		'js/diagramly/sidebar/Sidebar-ArchiMate.js',
		'js/diagramly/sidebar/Sidebar-ArchiMate3.js',
		'js/diagramly/sidebar/Sidebar-Arrows2.js',
		'js/diagramly/sidebar/Sidebar-Atlassian.js',
		'js/diagramly/sidebar/Sidebar-AWS.js',
		'js/diagramly/sidebar/Sidebar-AWS3.js',
		'js/diagramly/sidebar/Sidebar-AWS3D.js',
		'js/diagramly/sidebar/Sidebar-AWS4.js',
		'js/diagramly/sidebar/Sidebar-AWS4b.js',
		'js/diagramly/sidebar/Sidebar-Azure.js',
		'js/diagramly/sidebar/Sidebar-Azure2.js',
		'js/diagramly/sidebar/Sidebar-Basic.js',
		'js/diagramly/sidebar/Sidebar-Bootstrap.js',
		'js/diagramly/sidebar/Sidebar-BPMN.js',
		'js/diagramly/sidebar/Sidebar-C4.js',
		'js/diagramly/sidebar/Sidebar-Cabinet.js',
		'js/diagramly/sidebar/Sidebar-Cisco.js',
		'js/diagramly/sidebar/Sidebar-Cisco19.js',
		'js/diagramly/sidebar/Sidebar-CiscoSafe.js',
		'js/diagramly/sidebar/Sidebar-Citrix.js',
		'js/diagramly/sidebar/Sidebar-Cumulus.js',
		'js/diagramly/sidebar/Sidebar-DFD.js',
		'js/diagramly/sidebar/Sidebar-EIP.js',
		'js/diagramly/sidebar/Sidebar-Electrical.js',
		'js/diagramly/sidebar/Sidebar-ER.js',
		'js/diagramly/sidebar/Sidebar-Floorplan.js',
		'js/diagramly/sidebar/Sidebar-Flowchart.js',
		'js/diagramly/sidebar/Sidebar-FluidPower.js',
		'js/diagramly/sidebar/Sidebar-GCP.js',
		'js/diagramly/sidebar/Sidebar-GCP2.js',
		'js/diagramly/sidebar/Sidebar-GCP3.js',
		'js/diagramly/sidebar/Sidebar-Gmdl.js',
		'js/diagramly/sidebar/Sidebar-IBM.js',
		'js/diagramly/sidebar/Sidebar-Infographic.js',
		'js/diagramly/sidebar/Sidebar-Ios.js',
		'js/diagramly/sidebar/Sidebar-Ios7.js',
		'js/diagramly/sidebar/Sidebar-Kubernetes.js',
		'js/diagramly/sidebar/Sidebar-LeanMapping.js',
		'js/diagramly/sidebar/Sidebar-Mockup.js',
		'js/diagramly/sidebar/Sidebar-MSCAE.js',
		'js/diagramly/sidebar/Sidebar-Network.js',
		'js/diagramly/sidebar/Sidebar-Office.js',
		'js/diagramly/sidebar/Sidebar-PID.js',
		'js/diagramly/sidebar/Sidebar-Rack.js',
		'js/diagramly/sidebar/Sidebar-Signs.js',
		'js/diagramly/sidebar/Sidebar-Sitemap.js',
		'js/diagramly/sidebar/Sidebar-Sysml.js',
		'js/diagramly/sidebar/Sidebar-ThreatModeling.js',
		'js/diagramly/sidebar/Sidebar-UML25.js',
		'js/diagramly/sidebar/Sidebar-Veeam.js',
		'js/diagramly/sidebar/Sidebar-Veeam2.js',
		'js/diagramly/sidebar/Sidebar-VVD.js',
		'js/diagramly/sidebar/Sidebar-WebIcons.js',

		'js/diagramly/util/mxJsCanvas.js',
		'js/diagramly/util/mxAsyncCanvas.js',

		'js/diagramly/DrawioFile.js',
		'js/diagramly/LocalFile.js',
		'js/diagramly/LocalLibrary.js',
		'js/diagramly/StorageFile.js',
		'js/diagramly/StorageLibrary.js',
		'js/diagramly/RemoteFile.js',
		'js/diagramly/RemoteLibrary.js',
		'js/diagramly/EmbedFile.js',
		'js/diagramly/Dialogs.js',
		'js/diagramly/Editor.js',
		'js/diagramly/EditorUi.js',
		'js/diagramly/DiffSync.js',
		'js/diagramly/Settings.js',
		'js/diagramly/DrawioFileSync.js',

		// Comments
		'js/diagramly/DrawioComment.js',
		'js/diagramly/DriveComment.js',

		// Excluded in base.min.js
		'js/diagramly/DrawioClient.js',
		'js/diagramly/DrawioUser.js',
		'js/diagramly/UrlLibrary.js',
		'js/diagramly/DriveFile.js',
		'js/diagramly/DriveLibrary.js',
		'js/diagramly/DriveClient.js',
		'js/diagramly/DropboxFile.js',
		'js/diagramly/DropboxLibrary.js',
		'js/diagramly/DropboxClient.js',
		'js/diagramly/GitHubFile.js',
		'js/diagramly/GitHubLibrary.js',
		'js/diagramly/GitHubClient.js',
		'js/diagramly/OneDriveFile.js',
		'js/diagramly/OneDriveLibrary.js',
		'js/diagramly/OneDriveClient.js',
		'js/onedrive/mxODPicker.js',
		'js/diagramly/TrelloFile.js',
		'js/diagramly/TrelloLibrary.js',
		'js/diagramly/TrelloClient.js',
		'js/diagramly/GitLabFile.js',
		'js/diagramly/GitLabLibrary.js',
		'js/diagramly/GitLabClient.js',
		'js/diagramly/NotionFile.js',
		'js/diagramly/NotionLibrary.js',
		'js/diagramly/NotionClient.js',

		'js/diagramly/App.js',
		'js/diagramly/Menus.js',
		'js/diagramly/Pages.js',
		'js/diagramly/Trees.js',
		'js/diagramly/Minimal.js',
		'js/diagramly/DistanceGuides.js',
		'js/diagramly/mxRuler.js',
		'js/diagramly/mxFreehand.js',
		'js/diagramly/DevTools.js',

		// Vsdx/vssx support
		'js/diagramly/vsdx/VsdxExport.js',
		'js/diagramly/vsdx/mxVsdxCanvas2D.js',
		'js/diagramly/vsdx/bmpDecoder.js',
		'js/diagramly/vsdx/importer.js',
		'js/jszip/jszip.min.js',

		// GraphMl Import
		'js/diagramly/graphml/mxGraphMlCodec.js',

		// P2P Collab
		'js/diagramly/P2PCollab.js'
	]);

	// Org Chart Layout, loaded only when the orgChartDev URL parameter is 1
	if (urlParams['orgChartDev'] == '1')
	{
		loadAll(drawDevUrl, [
			'js/orgchart/bridge.min.js',
			'js/orgchart/bridge.collections.min.js',
			'js/orgchart/OrgChart.Layout.min.js',
			'js/orgchart/mxOrgChartLayout.js'
		]);
	}
})();