]>
Commit | Line | Data |
---|---|---|
41fb13c3 | 1 | import { contentSecurityPolicy } from 'helmet' |
6dd9de95 | 2 | import { CONFIG } from '../initializers/config' |
5e755fff RK |
3 | |
4 | const baseDirectives = Object.assign({}, | |
5 | { | |
a1587156 C |
6 | defaultSrc: [ '\'none\'' ], // by default, not specifying default-src = '*' |
7 | connectSrc: [ '*', 'data:' ], | |
8 | mediaSrc: [ '\'self\'', 'https:', 'blob:' ], | |
9 | fontSrc: [ '\'self\'', 'data:' ], | |
10 | imgSrc: [ '\'self\'', 'data:', 'blob:' ], | |
11 | scriptSrc: [ '\'self\' \'unsafe-inline\' \'unsafe-eval\'', 'blob:' ], | |
12 | styleSrc: [ '\'self\' \'unsafe-inline\'' ], | |
13 | objectSrc: [ '\'none\'' ], // only define to allow plugins, else let defaultSrc 'none' block it | |
14 | formAction: [ '\'self\'' ], | |
15 | frameAncestors: [ '\'none\'' ], | |
16 | baseUri: [ '\'self\'' ], | |
17 | manifestSrc: [ '\'self\'' ], | |
18 | frameSrc: [ '\'self\'' ], // instead of deprecated child-src / self because of test-embed | |
19 | workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src | |
5e755fff | 20 | }, |
539d3f4f | 21 | CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, |
50fcdebd | 22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {} |
5e755fff RK |
23 | ) |
24 | ||
41fb13c3 | 25 | const baseCSP = contentSecurityPolicy({ |
5e755fff | 26 | directives: baseDirectives, |
539d3f4f | 27 | reportOnly: CONFIG.CSP.REPORT_ONLY |
5e755fff RK |
28 | }) |
29 | ||
41fb13c3 | 30 | const embedCSP = contentSecurityPolicy({ |
a1587156 | 31 | directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }), |
539d3f4f | 32 | reportOnly: CONFIG.CSP.REPORT_ONLY |
5e755fff RK |
33 | }) |
34 | ||
35 | // --------------------------------------------------------------------------- | |
36 | ||
37 | export { | |
38 | baseCSP, | |
39 | embedCSP | |
40 | } |