Collaborative office suite, end-to-end encrypted and open-source.
This release was centered around two main goals:
Recent versions of CryptPad have introduced strict configuration requirements. If you are not already running version 4.14.1 then we recommend you read the notes of our past few releases and apply their updates in sequence. Each version introduces new tests on the checkup page which will help to identify configuration errors that may result in a non-functional server unless corrected.
Version 5.0.0 introduces a new server-side API (/api/instance) which serves customized information (server name, description, hosting location) from the admin panel so that it can be displayed on the redesigned home page.
We've done some extra work relative to similar APIs we've introduced in the past to ensure that the client-side code will continue to work without it. The upgrade process should go smoothly even if you fail to apply the suggested updates to your reverse proxy configuration (see cryptpad/docs/example.nginx.conf). If this data cannot be retrieved by the client it will fall back to some sensible defaults, but we recommend you take the time to fix it now in case this API ceases to be optional in some future release. The checkup page will identify whether the API is accessible and display an error otherwise.
diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
index a2d1cb1ce..23139c58c 100644
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@@ -183,7 +183,7 @@ server {
# /api/config is loaded once per page load and is used to retrieve
# the caching variable which is applied to every other resource
# which is loaded during that session.
- location ~ ^/api/(config|broadcast).*$ {
+ location ~ ^/api/.*$ {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
To update from 4.14.1 to 5.0.0:
/api/ requests to the API server, as per the diff shown above, and reload your reverse proxy configbower update and npm i
/pad) they only observed a blank page rather than being redirected to the appropriate URL which contained a trailing slash (ie. /pad/). We've added a script which detects such cases and redirects to the appropriate URL if it exists.This minor release fixes a number of bugs that we noticed after deploying 4.14.0.
/checkup instead of /checkup/. We've updated our example NGINX config to rewrite this URL to include the trailing slash.cryptpad/config/config.example.js were outdated or incorrect and have been removed or corrected.We've also merged a few significant improvements:
gitGraph diagrams
Our 4.14.0 release notes introduced breaking changes. If you are not already running 4.14.0 we recommend updating to that first, then updating to 4.14.1 once you've confirmed that you are correctly passing all the tests on your instance's checkup page.S
To do so:
bower update and npm i
Our main goal for this release was to follow up on some of the findings of the Intigriti bug bounty program that was sponsored by the European Commission. We also aimed to deploy some features that we want to have in place before the deployment of our upcoming 5.0 release and a corresponding update to our project site (cryptpad.org). You can read more about all of this in our latest blog post.
This release includes BREAKING CHANGES, especially if you have not configured your instance correctly. We advise that you read the following section carefully and follow its recommendations as closely as possible if you operate your own CryptPad instance.
First, some review: CryptPad is designed to be deployed using two domains. One is the primary domain which users enter into their address bar, while the second is a "sandbox" that is loaded indirectly. Sensitive operations like cryptographic key management are performed in the scope of the primary domain, while the sandbox is used to load the majority of the platform's UI. If there is a vulnerability in the sandbox, it is at least limited in scope because of measures we've taken to prevent it from accessing user accounts' keys. We initially introduced this system nearly five years ago, it is described in our admin installation guide, and we've done our best to make sure admins are aware of its importance. Even so, only a small number of our admins follow our recommendations.
Since we've tried every other option we could think of to inform administrators of the risks of storing sensitive data on a misconfigured CryptPad instance, we are now adopting a more drastic policy where correct behaviour is enforced in the code itself. What that means for admins is that if you fail to implement configuration parameters which we consider essential, then various parts of the codebase will detect this and refuse to operate.
If your instance is configured correctly, then this shouldn't impact you at all. If you're worried that you might be impacted, then the best course of action is to update to 4.13.0 (the previous release, if you aren't already running it) and to follow its recommendation to review the checkup page and ensure that your instance passes its self-diagnostic tests. 4.14.0 introduces a large number of new tests, but those that were already present in 4.13.0 should identify the major issues that will prevent your instance from loading after the update.
Now, a bit about the situations in which CryptPad will fail to load:
httpUnsafeOrigin, then it will abort.
https://cryptpad.fr
eval, then it will abort.
eval is blocked by the recommended Content-Security-Policy headers. These strict headers are applied to most resources loaded from the sandbox origin.httpSafeOrigin is https://sandbox.cryptpad.info, while our NGINX sets $sandbox_domain to sandbox.cryptpad.info.Content-Security-Policy (such as Internet Explorer or any other browser using a non-compliant configuration) then it will abort.The reasons for blocking embedding will be described in the Features section below, so keep reading if you're curious.
We're also recommending a few more updates, but we don't expect that these will stop the service from loading:
v12.14.0 (which we have recommended for some time) will be considered End-Of-Life as of April 30th.
/api/config indicating that it should be updated. There is a corresponding test on the checkup page which checks for the presence of this flag for admins that aren't in the habit of reviewing their logs.cryptpad/docs/example.nginx.conf) against your live config with a diff tool. There are also new tests on the checkup page which will identify whether the newly changed headers have been correctly applied.npm and bower.application_config.js. Some are optional. A number of other parameters, such as URLs for a privacy policy and terms of service, will be expected if your instance permits registration. The checkup page will display warnings if these are absent. Configuration via application_config.js is described in our docs.We've also made a number of changes and additions to the instance admin panel:
/api/profiling) which exposes some live performance data as JSON endpoint. If you don't know what this means you probably don't need it.To update from 4.13.0 to 4.14.0:
bower update and npm i
/checkup/ page (on whatever devices you intend to support)null as a string).For this release we set aside time to update a number of our software dependencies and to investigate a variety of bugs that had been reported in support tickets.
We have also been coordinating with security researchers through a bug bounty program hosted by Intigriti.com and sponsored by the European Commission. This release includes security fixes and a number of new tests on the checkup page to help ensure that your instance is configured in the most secure manner possible. We recommend you read these notes thoroughly to ensure you update correctly.
4.13.0 includes significant changes to the Content-Security-Policy found in the example NGINX configuration which we recommend (available on GitHub). The updated policy only allows client behaviour which is strictly necessary for clients to work correctly, and is intended to be resilient against misconfiguration beyond the scope of this file. For instance, rather than simply allowing clients to connect to a list of permitted domains we are now explicit that those domains should only be accessible via HTTPS, in case the administrator was incorrectly serving unencrypted content over the same domain. These changes will need to be applied manually.
Several of the new tests on the checkup page (https://your-instance.com/checkup/) evaluate the host instance's CSP headers and are very strict about what is considered correct. These settings are a core part of CryptPad's security model, and failing to configure them correctly can undermine its encryption by putting users at risk of cross-site-scripting (XSS) vulnerabilities.
To update from 4.12.0 or 4.12.1 to 4.13.0:
bower update and npm i
/checkup/ page (on whatever devices you intend to support)json-schema) has been updated to fix a prototype pollution bug which should not have had any impact on anyone in practice.__proto__ as the language in fenced code blocks in a markdown document triggered an error, so we now guard against this case.This minor release contains a few bug fixes based on feedback we received and adjustments to prepare for the update to OnlyOffice 6.4.
Our primary goal for this release was to improve support for office file formats in CryptPad by
This release requires configuration changes to work correctly. We've updated our example NGINX config file to apply the required HTTP headers where appropriate.
You can compare the updated example against that of a previous CryptPad version by running something like git diff -U2 4.11.0 docs/ to generate a diff:
diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
index 14a3d4fc2..ea21e3ba7 100644
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@@ -65,5 +65,5 @@ server {
set $coop '';
- if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
+ #if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
@@ -91,5 +91,5 @@ server {
# connect-src restricts URLs which can be loaded using script interfaces
- set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";
+ set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
# fonts can be loaded from data-URLs or the main domain
@@ -121,8 +121,13 @@ server {
# they unfortunately still require exceptions to the sandboxing to work correctly.
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
- if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
+ if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
# everything except the sandbox domain is a privileged scope, as they might be used to handle keys
if ($host != $sandbox_domain) { set $unsafe 0; }
+ # this iframe is an exception. Office file formats are converted outside of the sandboxed scope
+ # because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
+ # the use of some modern APIs that we require when javascript is run in a cross-origin context.
+ # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
+ if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
We've also updated the checkup page to test for the expected server behaviour and suggest helpful steps for correcting misconfiguration issues. You can access this diagnostic page at https://<your-cryptpad-domain>/checkup/.
Our team has limited resources, so we've chosen to introduce the new (and experimental) office editors gradually to avoid getting overwhelmed by support tickets as was the case when we introduced the current spreadsheet editor in 2019. In order to support this we've implemented an early access system which optionally restricts the use of these editors to premium subscribers. We will enable this system on CryptPad.fr, but admins of independent instances can enable them at their discretion.
To enable the use of the OnlyOffice Document and Presentation editor for everyone on your instance, edit your customize/application_config.js file to include AppConfig.enableEarlyAccess = true;.
If you wish to avoid a rush of support tickets from your users by limiting early access to users with custom quota increases, add another line like so Constants.earlyAccessApps = ['doc', 'presentation'];.
As these editors become more stable we plan to enable them by default on third-party instances. Keep in mind, these editors may be unstable and users may lose their work. Our team will fix bugs given sufficient information to reproduce them, but we will not take the time to help you recover lost data unless you have taken a support contract with us.
To update from 4.11.0 to 4.12.0:
application_config.js file to enable early access apps. restart your server or use the admin panel's Flush cache button for this to take effect.bower update and npm i
/checkup/ page (on whatever devices you intend to support)Our main goal for this release was to update our Forms app to address feedback gathered in the research we conducted over the summer (survey and one-on-one interviews with volunteers). Many of these points were limited to forms itself, but some were closely related with some other concepts in the platform and prompted us to make some considerable changes throughout.
As of this release we are dropping support for Internet Explorer 11 we learned that even Microsoft stopped supporting it in their own Office 365 platform. This means that we can finally start using some newer browser features that are available in every other modern browser and simplify parts of our code, making it smaller and faster to load for everyone else.
4.11 doesn't require any manual configuration if you're updating from 4.10, so this should be a fairly simple release. There is a new customization option that is described in the following features section, however, this is entirely optional.
To update from 4.10.0 to 4.11.0:
bower update and npm i
/checkup/ page (on whatever devices you intend to support)customize/application_config.js as an array of single-emoji strings (AppConfig.emojiAvatars = ['đĨĻ', 'đ§', 'đ', 'đļī¸'];) or as an empty array if you prefer not to display any emojis (AppConfig.emojiAvatars = [];). See our admin docs for more info on customization.alt or title attributes wherever applicable. This coincides with a broader effort to improve keyboard navigation and add support for screen-readers.August is typically a quiet month for CryptPad's development team, as members of our team and many of our users take their (northern hemisphere) summer holidays. We took the opportunity to catch up on some regular maintentance and to review and some prototype branches of our code that had been ready for integration for some time.
It seems that some browser developers thought to do the same thing, because we noticed some significant regressions in some APIs that we rely on. Some of our time went towards addressing the resulting bugs and restructuring some code to avoid future regressions for browser behaviour that seem likely to be changed again in the near future.
4.10.0 includes some minor changes to the checkup page. Some admins have included screenshots of this page in bug reports or requests for support along with details of problems they suspect of being related. Because we've observed that the root of many issues is the browser (sometimes in addition to the server) we have decided to include details about the browser in this page's summary.
Up until now the checkup page only tested observable behaviour of the server such as HTTP headers on particular resources, configuration parameters distributed to the client, and the availability of essential resources. This practice meant that a report for an instance should have been the same regardless of the device that was used to generate the report. In light of a serious regression in Chrome (and all its derivatives) we decided that objectiveness was less important than utility and introduced some tests which check whether the client running the diagnostics interprets the provided server configuration. Terrible browsers (ie. every browser that is available on iOS) will fail these tests every time because they don't implement the expected APIs, but we've tried to detect these cases and warn that they are expected.
For the most part you (as an admin) will not need to do anything special for this release as a result. If you notice weird issues on particular browsers in the future, however, it might be helpful to view this page from the affected browser/device and include any information that is provided in bug reports.
To update from 4.9.0 to 4.10.0:
bower update and npm i
/checkup/ page (on whatever devices you intend to support)As noted above, web standards and the browsers that implement them are constantly changing. Web applications like CryptPad which use new and advanced browser features are particularly prone to regressions even when we use browser features exactly as intended and advertized. The "Features" section of each release's notes typically highlights visible things, like clickable buttons or improvements to the interface. This point is included as a reminder that regular maintenance is at least as important to an open-source software project, even though it gets little attention and far less funding. The funding bodies that have generously supported our work typically award grants for research and the development of novel features, but we are sorely in need of increased support to allow us the flexibility to deal with unanticipated problems as they arise. If you are fortunate enough to have some disposable income and value the work that keeps CryptPad functional we would greatly appreciate a one-time or recurring donation to our OpenCollative campaign.
autocomplete="new-password" attribute applied to prevent browsers and integrated password managers from suggesting that users enter their account password. This lowers the risk that users will inadvertently reveal their account password in the future. Additionally, Firefox will now prompt users to use a high-entropy password instead.vendor and appVersion, which are useful hints about the host browser and OS (which we almost always have to ask about when the ticket is for a bug report). This data will also include the browser's current width and height, as some issues only occur at particular resolutions and can otherwise be difficult to reproduce.cryptpad/www/lib/changelog.md to better indicate their exact version, source, and any CryptPad-specific modifications we've made to them.
less.js had been duplicated, with one version (provided by bower) being used for custom styles in our slide editor while the rest of the platform used a custom version that fixed an apparent bug in the reference import syntax. We've standardized on our custom version and removed the alternative from our bower.json file.<br> tags, and the consistent use of both dialect-specific suffixes in English and punctuation rules in French. We have only added tests for languages in which members of our team are fluent, so if you maintain a translation in another language and can suggest additional qualities we could test we would welcome your suggestions.SharedArrayBuffer API in cross-site-isolated contexts such as that of our sandboxing system which resulted in it being disabled despite the fact that our usage conformed to a specification that should have been supported. We use this modern browser feature (where available) to convert spreadsheets between different formats in the browser itself, whereas other services (even those advertizing their use of encryption for documents) send users' content to their server for conversion. Since Chrome's engine is used as the basis for a wide variety of other browsers, this broke sheet export everywhere except Firefox (which correctly implements the specification). Luckily, we found a simple workaround to use the same underlying feature using an alternate syntax that they had failed to disable. This is only a short-term solution as we have no expectation that it will continue to work, so we are actively investigating making this conversion a trusted process that will be run outside of our sandboxing system.loginToken attribute was not correctly removed from clients' localStorage when they deleted their account. The value of this token is random and is of no use to attackers (especially when the token belongs to a deleted account), but it was a cause of some inconvenience to us when testing account deletion, as the mismatch between the token stored locally and in accounts (after login) required us to login in a second time before. We've updated the related code to:
We allocated most of this release cycle towards a schedule of one-on-one user interviews and some broad usage studies leveraging our new Form app. The remainder of our time was spent on some minor improvements. We'll continue at a slightly slower pace of implementation for the coming weeks while we complete our scheduled interviews and take some much-needed vacations.
It appears our promotion of the checkup page through our recent release notes and the inclusion of a link to it from the instance admin have been moderately successful. We've observed that more instance admins are noticing and fixing some common configuration issues.
This release features some minor changes to one instance configuration test which incorrectly provided an exemption for the use of http://localhost:3000 as an httpUnsafeOrigin value. This exemption was provided because this value is valid for local development. However, it suppressed errors when this configuration was used for production instances where it could cause a variety of problems. As usual, we recommend checking your instance's admin page after updating to confirm that you are passing the latest tests. Information about the checkup page is included in our documentation.
To update from 4.8.0 to 4.9.0:
bower update and npm i
/checkup/ pageThis release cycle we decided to give people a chance to try our forms app and provide feedback before we begin developing its second round of major features and improvements. In the meantime we planned to work mostly on the activities of our NGI DAPSI project which concerns client-side file format conversions. Otherwise, we dedicated some of our independently funded time towards some internal code review and security best-practices as a follow-up to the recent quick-scan performed by Radically Open Security that was funded by NLnet as a part of our now-closing CryptPad for Communities project.
We are still accepting feedback concerning our Form application via a form hosted on CryptPad.fr. We will accept feedback here until July 12th, 2021, so if you'd like your opinions to be represented in the app's second round of development act quickly!
Following our last release we sent out an email to the admins of each outdated instance that had included their addresses in the server's daily telemetry. This appears to have been successful, as more than half of the 700+ instances that provide this telemetry are now running 4.7.0. Previously, only 15% of instances were running the latest version. It's worth noting that of those admins that are hosting the latest version, less than 10% have opted into future emails warning them of security issues. In case you missed it, this can be done on the admin panel's Network tab. Unlike most companies, we consider excess data collection a liability rather than an asset. As such, administrator emails are no longer included in server telemetry unless the admin has consented to be contacted.
The same HTTP request that communicates server telemetry will soon begin responding with the URL of our latest release notes if it is detected that the remote instance is running an older version. The admin panel's Network tab for instances running 4.7.0 or later will begin prompting admins to view the release notes and update once 4.8.0 is available.
The Network tab now includes a multiple choice form as well. If you have not disabled your instance's telemetry you can use this field to answer why you run your instance (for a business, an academic institution, personal use, etc.). We intend to use this data to inform our development roadmap, though as always, the fastest way to get us to prioritize your needs is to contact us for a support contract ([email protected]).
Server telemetry will also include an installMethod property. By default this is "unspecified", but we are planning to work with packagers of alternate install methods to modify this property in their installation scripts. This will help us assess what proportion of instances are installed via the steps included in our installation guide vs other methods such as the various docker images. We hope that it will also allow us to determine the source of some common misconfigurations so we can propose some improvements to the root cause.
Getting off the topic of telemetry: two types of data that were previously deleted outright (pin logs and login blocks) are now archived when the client sends a remove command. This provides for the ability to restore old user credentials in cases where users claim that their new credentials do not work following a password change. Some discretion is required in such cases as a user might have intentionally invalidated their old credentials due to shoulder-surfing or the breach of another service's database where they'd reused credentials. Neither of these types of data are currently included in the scripts which evict old data as they are not likely to consume a significant amount of storage space. In any case, CryptPad's data is stored on the filesystem, so it's always possible to remove outdated files by removing them from cryptpad/data/archive/* or whatever path you've configured for your archives.
This release introduces some minor changes to the provided NGINX configuration file to enable support for WebAssembly where it is required for client-side file format conversions. We've added some new tests on the /checkup/ page that determine whether these changes have been applied. This page can be found via a button on the admin panel.
To update from 4.7.0 to 4.8.0:
bower update and npm i
/checkup/ pagetrue is not returned. Some tests have been revised to return the problematic value instead of false when the test fails, since there were some cases where it was not clear why the test was failing, such as when a header was present but duplicated.