1/*
2 * Copyright (c) 2006-2020, JGraph Ltd
3 *
4 * This provides an indirection to make sure the mxClient.js
5 * loads before the dependent classes below are loaded. This
6 * is used for development mode where the JS is in separate
7 * files and the mxClient.js loads other files.
8 */
if (!mxIsElectron && location.protocol !== 'http:')
{
	// Development-mode Content-Security-Policy. Nothing in this block runs in
	// Electron or when the page is served over plain http:, so in those cases
	// no policy is installed from here.
	(function()
	{
		/**
		 * Fills the four %...% source-list placeholders of a policy template and
		 * then collapses the double spaces that an empty substitution leaves
		 * behind. None of the values passed in this file contain a placeholder
		 * or a '$' pattern, so the order of the substitutions does not matter.
		 */
		function expandPolicy(template, scriptSrc, connectSrc, styleSrc, frameSrc)
		{
			return template.
				replace(/%script-src%/g, scriptSrc).
				replace(/%connect-src%/g, connectSrc).
				replace(/%style-src%/g, styleSrc).
				replace(/%frame-src%/g, frameSrc).
				replace(/  /g, ' ');
		}

		// default-src and script-src, including the allow-listed inline scripts.
		var scriptPolicy = "default-src 'self'; " +
			// storage.googleapis.com is needed for workbox-service-worker
			"script-src %script-src% 'self' https://viewer.diagrams.net https://storage.googleapis.com " +
			"https://apis.google.com https://*.pusher.com " +
			// SHA-256 digests of the two inline script blocks in index.html.
			// Any edit to those blocks changes the digest: update it here and
			// in the CDN configuration, otherwise the browser blocks the script.
			// Digests of older index.html versions stay valid while listed.
			//
			// Bootstrap script in index.html, version 14.6.5
			"'sha256-5DtSB5mj34lxcEf+HFWbBLEF49xxJaKnWGDWa/utwQA=' " +
			// Bootstrap script in index.html, version 14.1.1
			"'sha256-8HtpzsH4zj5+RKfTWMxPmWJKBu0OYbn+WuPrLbVky+g=' " +
			// App.main script in index.html, version 13.8.2
			"'sha256-vS/MxlVD7nbY7AnV+0t1Ap338uF7vrcs7y23KjERhKc=' " +
			"; ";

		// Digests for inline styles, used in place of 'unsafe-inline' below.
		var inlineStyleHashes = "'sha256-JjkxVHHCCVO0nllPD6hU8bBYSlsikA8TM/o3fhr0bas=' " + // index.html
			"'sha256-VTG4NbRCx30lYCdLPlgZTrdTopzcdviOjAbS7nk+KbI=' " + // Minimal.js/Light
			"'sha256-mbkyvR7KVIpvb+DU65TAGUt3LYuyF2kUg8Ktoee8eY4=' " + // Minimal.js/Dark
			"'sha256-7kY8ozVqKLIIBwZ24dhdmZkM26PsOlZmEi72RhmZKoM=' " + // mxTooltipHandler.js
			"'sha256-01chdey79TzZe4ihnvvUXXI5y8MklIcKH+vzDdQvsuU=' " + // Editor.js/mathJaxWebkitCss
			"'sha256-fGbXK7EYpvNRPca81zPnqJHi2y+34KSgAcZv8mhaSzI=' " + // MathJax.js
			"'sha256-3hENQqEWUBxdkmJp2kQ2+G0F8NVGzFAVkW5vWDo7ONk=' " + // MathJax.js
			"'sha256-Z4u/cxrZPHjN20CIXZHTKr+VlqVxrWG8cbbeC2zmPqI=' " + // MathJax.js
			"'sha256-LDMABiyg2T48kuAV9ouqNCSEqf2OkUdlZK9D9CeZHBs=' " + // MathJax.js
			"'sha256-XQfwbaSNgLzro3IzkwT0uZLAiBvZzajo0QZx7oW158E=' " + // MathJax.js
			"'sha256-++XCePvZXKdegIqkwtbudr16Jx87KFh4t/t7UxsbHpw=' " + // MathJax.js
			"'sha256-v9NOL6IswMbY7zpRZjxkYujhuGRVvZtp1c1MfdnToB4=' " + // MathJax.js
			"'sha256-5xtuTr9UuyJoTQ76CNLzvSJjS7onwfq73B2rLWCl3aE=' " + // MathJax.js
			"'sha256-W21B506Ri8aGW3T87iawssPz71NvvbYZfBfzDbBSArU=' " + // MathJax.js
			"'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' " + // spin.min.js
			"'sha256-nzHi23DROym7G011m6y0DyDd9mvQL2hSJ0Gy3g2T/5Q=' " + // dropins.js
			"'sha256-76P1PZLzT12kfw2hkrLn5vu/cWZgcOYuSYU3RT3rXKA=' " + // gapi
			"'unsafe-hashes'; "; // Required for hashes for style attribute

		// Replaces unsafe-inline style-src with hashes with safe-style-src URL parameter.
		// The choice is made once, here, so it also determines what print-csp
		// emits for the policies derived from policyTemplate further down:
		// printing without safe-style-src=1 yields 'unsafe-inline' for styles.
		var styleSrcTail = (urlParams['safe-style-src'] == '1') ? inlineStyleHashes : "'unsafe-inline'; ";

		var otherDirectives = "connect-src %connect-src% 'self' https://*.draw.io https://*.diagrams.net " +
			"https://*.googleapis.com wss://*.pusher.com https://*.pusher.com " +
			"https://api.github.com https://raw.githubusercontent.com https://gitlab.com " +
			"https://graph.microsoft.com https://*.sharepoint.com  https://*.1drv.com https://api.onedrive.com " +
			"https://dl.dropboxusercontent.com " +
			"https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; " +
			// img-src, media-src and font-src accept any origin ('*').
			// font-src about: is required for MathJax HTML-CSS output with STIX
			"img-src * data: blob:; media-src * data:; font-src * about:; " +
			// www.draw.io required for browser data migration to app.diagrams.net and
			// viewer.diagrams.net required for iframe embed preview
			"frame-src %frame-src% 'self' https://viewer.diagrams.net https://www.draw.io https://*.google.com; " +
			"style-src %style-src% 'self'  https://fonts.googleapis.com " +
			styleSrcTail +
			"object-src 'none';";

		var policyTemplate = scriptPolicy + otherDirectives;

		// Development policy. Compared with the printed production policies it
		// additionally allows devhost.jgraph.com and 'unsafe-eval'.
		var devPolicy = expandPolicy(policyTemplate,
			// Adds script tags and loads shapes with eval
			"https://www.dropbox.com https://api.trello.com https://devhost.jgraph.com 'unsafe-eval'",
			// Adds Trello and Dropbox backend storage
			'https://*.dropboxapi.com https://trello.com https://api.trello.com',
			// Loads common.css from mxgraph
			'https://devhost.jgraph.com',
			'');

		// mxmeta is defined elsewhere; presumably it adds a <meta http-equiv>
		// element carrying the policy (confirm). frame-ancestors is not part of
		// devPolicy; it only appears in the printed app.diagrams.net value.
		mxmeta(null, devPolicy, 'Content-Security-Policy');

		if (urlParams['print-csp'] == '1')
		{
			// Prints the per-deployment policy strings to the console for
			// copying into the serving configuration. Nothing below is enforced
			// on the current page.
			console.log('Content-Security-Policy');

			var appPolicy = expandPolicy(policyTemplate,
				'https://www.dropbox.com https://api.trello.com',
				'https://*.dropboxapi.com https://api.trello.com',
				'',
				'') + " frame-ancestors 'self' https://teams.microsoft.com;";
			console.log('app.diagrams.net:', appPolicy);

			// se.diagrams.net always uses the style hashes, independent of the
			// safe-style-src parameter, and is not passed through expandPolicy.
			// NOTE(review): frame-src is emitted twice in this string. CSP
			// parsers keep the first occurrence of a directive and ignore later
			// duplicates, so the trailing frame-src 'none' has no effect and the
			// earlier, wider list applies. Confirm which one is intended.
			var sePolicy = scriptPolicy.replace(/%script-src%/g, '') +
				"connect-src 'self' https://*.diagrams.net " +
				"https://*.googleapis.com wss://*.pusher.com https://*.pusher.com " +
				"https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; " +
				"img-src * data: blob:; media-src * data:; font-src * about:; " +
				"frame-src 'self' https://viewer.diagrams.net https://*.google.com; " +
				"style-src 'self' https://fonts.googleapis.com " + inlineStyleHashes + ' ' +
				"object-src 'none';" +
				"form-action 'none';" +
				"base-uri 'none';" +
				"child-src 'none';" +
				"frame-src 'none';" +
				"worker-src https://se.diagrams.net/service-worker.js;";
			console.log('se.diagrams.net:', sePolicy);

			// TODO remove https://ajax.googleapis.com April 2022. It's old jquery domain
			var confluencePolicy = expandPolicy(policyTemplate,
				'https://aui-cdn.atlassian.com https://connect-cdn.atl-paas.net https://ajax.googleapis.com https://cdnjs.cloudflare.com',
				'',
				'https://aui-cdn.atlassian.com https://*.atlassian.net',
				'https://www.lucidchart.com https://app.lucidchart.com https://lucid.app blob:');
			console.log('ac.draw.io:', confluencePolicy);

			var jiraPolicy = expandPolicy(policyTemplate,
				'https://connect-cdn.atl-paas.net',
				'https://api.atlassian.com https://api.media.atlassian.com',
				'https://aui-cdn.atlassian.com https://*.atlassian.net',
				'blob:');
			console.log('aj.draw.io:', jiraPolicy);

			console.log('import.diagrams.net:', "default-src 'self'; worker-src blob:; img-src 'self' blob: data: https://www.lucidchart.com " +
				"https://app.lucidchart.com https://lucid.app; style-src 'self' 'unsafe-inline'; frame-src https://www.lucidchart.com https://app.lucidchart.com https://lucid.app;");
			console.log('Development:', devPolicy);

			// The teams entry removes every 'sha256-...' token from the
			// app.diagrams.net policy. That drops the inline-script digests and,
			// when the style hashes were selected above, the style digests too,
			// while 'unsafe-hashes' stays in place.
			// NOTE(review): confirm the Teams deployment has no inline blocks
			// that depend on these digests.
			var teamsPolicy = appPolicy.replace(/ 'sha256-[^']+'/g, '');

			console.log('Header Worker:', 'let securityHeaders =', JSON.stringify({
				online: {
					"Content-Security-Policy" : appPolicy,
					"Permissions-Policy" : "microphone=()"
				},
				se: {
					"Content-Security-Policy" : sePolicy,
					"Permissions-Policy" : "microphone=()",
					"Access-Control-Allow-Origin": "https://se.diagrams.net"
				},
				teams: {
					"Content-Security-Policy" : teamsPolicy,
					"Permissions-Policy" : "microphone=()"
				},
				jira: {
					"Content-Security-Policy" : jiraPolicy,
					"Permissions-Policy" : "microphone=()"
				},
				conf: {
					"Content-Security-Policy" : confluencePolicy,
					"Permissions-Policy" : "microphone=()"
				}
			}, null, 4));
		}
	})();
}
152
// Library scripts under js/, requested one by one in this order.
[
	'js/cryptojs/aes.min.js',
	'js/spin/spin.min.js',
	'js/deflate/pako.min.js',
	'js/deflate/base64.js',
	'js/jscolor/jscolor.js',
	'js/sanitizer/sanitizer.min.js',
	'js/croppie/croppie.min.js',
	'js/rough/rough.min.js'
].forEach(function(libraryPath)
{
	mxscript(drawDevUrl + libraryPath);
});
161
// Uses grapheditor from devhost. geBasePath is set elsewhere; the files are
// requested in the order listed.
[
	'Editor',
	'EditorUi',
	'Sidebar',
	'Graph',
	'Format',
	'Shapes',
	'Actions',
	'Menus',
	'Toolbar',
	'Dialogs'
].forEach(function(className)
{
	mxscript(geBasePath + '/' + className + '.js');
});
173
// Loads main classes: the base sidebar first, then one script per palette.
mxscript(drawDevUrl + 'js/diagramly/sidebar/Sidebar.js');

[
	'ActiveDirectory',
	'Advanced',
	'AlliedTelesis',
	'Android',
	'ArchiMate',
	'ArchiMate3',
	'Arrows2',
	'Atlassian',
	'AWS',
	'AWS3',
	'AWS3D',
	'AWS4',
	'AWS4b',
	'Azure',
	'Azure2',
	'Basic',
	'Bootstrap',
	'BPMN',
	'C4',
	'Cabinet',
	'Cisco',
	'Cisco19',
	'CiscoSafe',
	'Citrix',
	'Cumulus',
	'DFD',
	'EIP',
	'Electrical',
	'ER',
	'Floorplan',
	'Flowchart',
	'FluidPower',
	'GCP',
	'GCP2',
	'GCP3',
	'Gmdl',
	'IBM',
	'Infographic',
	'Ios',
	'Ios7',
	'Kubernetes',
	'LeanMapping',
	'Mockup',
	'MSCAE',
	'Network',
	'Office',
	'PID',
	'Rack',
	'Signs',
	'Sitemap',
	'Sysml',
	'ThreatModeling',
	'UML25',
	'Veeam',
	'Veeam2',
	'VVD',
	'WebIcons'
].forEach(function(palette)
{
	mxscript(drawDevUrl + 'js/diagramly/sidebar/Sidebar-' + palette + '.js');
});
233
// Canvas utilities, then the file, library and editor classes, all below
// js/diagramly/ and requested in the order listed.
[
	'util/mxJsCanvas.js',
	'util/mxAsyncCanvas.js',

	'DrawioFile.js',
	'LocalFile.js',
	'LocalLibrary.js',
	'StorageFile.js',
	'StorageLibrary.js',
	'RemoteFile.js',
	'RemoteLibrary.js',
	'EmbedFile.js',
	'Dialogs.js',
	'Editor.js',
	'EditorUi.js',
	'DiffSync.js',
	'Settings.js',
	'DrawioFileSync.js'
].forEach(function(relativePath)
{
	mxscript(drawDevUrl + 'js/diagramly/' + relativePath);
});
251
// Comments
[
	'DrawioComment',
	'DriveComment'
].forEach(function(className)
{
	mxscript(drawDevUrl + 'js/diagramly/' + className + '.js');
});

// Excluded in base.min.js: user handling and the storage backend clients.
// Paths are relative to js/ because mxODPicker.js lives outside js/diagramly/.
[
	'diagramly/DrawioClient.js',
	'diagramly/DrawioUser.js',
	'diagramly/UrlLibrary.js',
	'diagramly/DriveFile.js',
	'diagramly/DriveLibrary.js',
	'diagramly/DriveClient.js',
	'diagramly/DropboxFile.js',
	'diagramly/DropboxLibrary.js',
	'diagramly/DropboxClient.js',
	'diagramly/GitHubFile.js',
	'diagramly/GitHubLibrary.js',
	'diagramly/GitHubClient.js',
	'diagramly/OneDriveFile.js',
	'diagramly/OneDriveLibrary.js',
	'diagramly/OneDriveClient.js',
	'onedrive/mxODPicker.js',
	'diagramly/TrelloFile.js',
	'diagramly/TrelloLibrary.js',
	'diagramly/TrelloClient.js',
	'diagramly/GitLabFile.js',
	'diagramly/GitLabLibrary.js',
	'diagramly/GitLabClient.js',
	'diagramly/NotionFile.js',
	'diagramly/NotionLibrary.js',
	'diagramly/NotionClient.js'
].forEach(function(relativePath)
{
	mxscript(drawDevUrl + 'js/' + relativePath);
});
282
// Application shell and UI extensions, requested in the order listed.
[
	'App',
	'Menus',
	'Pages',
	'Trees',
	'Minimal',
	'DistanceGuides',
	'mxRuler',
	'mxFreehand',
	'DevTools'
].forEach(function(className)
{
	mxscript(drawDevUrl + 'js/diagramly/' + className + '.js');
});
292
// Import/export and collaboration modules. Paths are relative to js/.
[
	// Vsdx/vssx support
	'diagramly/vsdx/VsdxExport.js',
	'diagramly/vsdx/mxVsdxCanvas2D.js',
	'diagramly/vsdx/bmpDecoder.js',
	'diagramly/vsdx/importer.js',
	'jszip/jszip.min.js',

	// GraphMl Import
	'diagramly/graphml/mxGraphMlCodec.js',

	// P2P Collab
	'diagramly/P2PCollab.js'
].forEach(function(relativePath)
{
	mxscript(drawDevUrl + 'js/' + relativePath);
});
305
// Org Chart Layout. The orgChartDev URL parameter only switches this fixed
// list of scripts on; it does not contribute to the paths that are requested.
if (urlParams['orgChartDev'] == '1')
{
	[
		'bridge.min.js',
		'bridge.collections.min.js',
		'OrgChart.Layout.min.js',
		'mxOrgChartLayout.js'
	].forEach(function(fileName)
	{
		mxscript(drawDevUrl + 'js/orgchart/' + fileName);
	});
}