5e755fff | 1 | import * as helmet from 'helmet' |
6dd9de95 | 2 | import { CONFIG } from '../initializers/config' |
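/**
 * Content-Security-Policy directives shared by every response.
 *
 * Kept as a plain object so `embedCSP` below can override single directives
 * without touching this one. Two directives are only added when CONFIG asks
 * for them: `report-uri` when CONFIG.CSP.REPORT_URI is set, and
 * `upgrade-insecure-requests` when the web server is served over https.
 *
 * Each directive value is an array with one source per element; helmet joins
 * them with spaces when building the header.
 */
const baseDirectives = Object.assign(
  {},
  {
    defaultSrc: ["'none'"], // by default, not specifying default-src = '*'
    connectSrc: ['*', 'data:'], // '*' lets XHR/fetch/websocket reach any origin
    mediaSrc: ["'self'", 'https:', 'blob:'],
    fontSrc: ["'self'", 'data:'],
    imgSrc: ["'self'", 'data:'],
    // 'unsafe-inline' and 'unsafe-eval' make script-src a weak XSS mitigation:
    // injected inline scripts are not blocked by this policy.
    scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it
    formAction: ["'self'"],
    frameAncestors: ["'none'"], // no site may frame regular pages (clickjacking)
    baseUri: ["'self'"],
    manifestSrc: ["'self'"],
    frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
    workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
  },
  CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
  CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
)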
/**
 * CSP middleware for regular pages.
 *
 * Uses `baseDirectives` unchanged, so `frame-ancestors 'none'` stays in
 * effect. Report-only mode is driven by CONFIG.CSP.REPORT_ONLY; browser
 * sniffing is off so the same header is sent whatever the User-Agent (and
 * whatever a CDN in front forwards).
 */
const baseCSP = helmet.contentSecurityPolicy({
  reportOnly: CONFIG.CSP.REPORT_ONLY,
  browserSniff: false,
  directives: baseDirectives
})
/**
 * CSP middleware for embeddable pages (the player embed).
 *
 * Identical to `baseCSP` except that `frame-ancestors` is widened to `*`, so
 * any origin is allowed to frame the embed. Every other directive still comes
 * from `baseDirectives`; the override object is copied, never mutated in
 * place.
 */
const embedCSP = helmet.contentSecurityPolicy({
  reportOnly: CONFIG.CSP.REPORT_ONLY,
  browserSniff: false, // assumes a modern browser, but allows CDN in front
  directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] })
})
37 | // --------------------------------------------------------------------------- | |
// Two middlewares: baseCSP for normal pages, embedCSP for pages meant to be framed.
export { baseCSP, embedCSP }