In https://forum.cloudron.io/post/118908 @girish rightly questioned how private bundling stock Excalidraw is, and as a result whether it is not just easier to use the hosted version.
But I like Excalidraw ! And I want it on my Cloudron ! And I want it to be as private as possible (completely private maybe not possible).
And I liked @chmod777 suggestion in https://forum.cloudron.io/post/120436.
So I have made package changes and pushed 1.1.2.
There is now a file /app/data/user/json where you can set 2 options.
{"privacyBundle":true,"useCSP":true}
the first removes some stuff from the image (actually technically, builds a stock repo bundle, and a bundle with stuff removed)
the second injects headers in your browser to stop the browser calling certain remote sites.
Restart container after editing, of course.
There is then also a new script in container /app/code/verify-runtime.sh which outputs diagnosis, with a summary at the end :
== summary ==
settings: privacyBundle=true, useCSP=true
servedIndex: /app/data/www/index.html
bundleMatch: privacy
cspMeta: YES
cspConnectSrc: 'self' blob:
privacyEndpoints: YES
externalStringsInBundle: firebasestorage.googleapis.com, libraries.excalidraw.com, scripts.simpleanalyticscdn.com, excalidraw.nyc3.cdn.digitaloceanspaces.com
externalStringsMeaning: present in static files, not proof of requests
Is it private? I think so, as much as it can be. The glaring violations have been dealt with. If you're in paranoia mode, use browser Dev Tools to check network activity.
So, now, it's def worth having this modified Excalidraw on Cloudron
EDIT : surprisingly having 2 app versions in the same app does not increase dockermimage size much. I guess because of sharing of layers. But nonetheless
