import * as helmet from 'helmet'
import { CONFIG } from '../initializers/config'

// Content-Security-Policy middlewares.
//
// Two variants are built from one shared directive set:
//   - baseCSP:  the regular application, which refuses to be framed at all
//   - embedCSP: the embed player, which any origin may frame
// Both are emitted as report-only when CONFIG.CSP.REPORT_ONLY is set, so a
// policy change can be observed through the report endpoint before enforcing it.

// Spread `directives` into a policy only when `enabled` is truthy.
const onlyIf = (enabled, directives) => (enabled ? directives : {})

const baseDirectives = {
  // Deny-all baseline: a directive that is not listed falls back to default-src,
  // and an absent default-src would mean '*'.
  defaultSrc: [ '\'none\'' ],
  // XHR / fetch / WebSocket may reach any origin.
  connectSrc: [ '*', 'data:' ],
  mediaSrc: [ '\'self\'', 'https:', 'blob:' ],
  fontSrc: [ '\'self\'', 'data:' ],
  imgSrc: [ '\'self\'', 'data:', 'blob:' ],
  // NOTE(review): 'unsafe-inline' together with 'unsafe-eval' lets any injected
  // inline or string-evaluated script run, so script-src gives little XSS
  // protection on its own; if the front end can move to nonces/hashes, both
  // keywords could be dropped.
  scriptSrc: [ '\'self\' \'unsafe-inline\' \'unsafe-eval\'', 'blob:' ],
  styleSrc: [ '\'self\' \'unsafe-inline\'' ],
  // Listed explicitly only so plugins can be allowed later; otherwise
  // default-src 'none' already blocks it.
  objectSrc: [ '\'none\'' ],
  formAction: [ '\'self\'' ],
  // The main application must never be framed (clickjacking); embedCSP overrides this.
  frameAncestors: [ '\'none\'' ],
  baseUri: [ '\'self\'' ],
  manifestSrc: [ '\'self\'' ],
  // frame-src and worker-src replace the deprecated child-src;
  // 'self' on frame-src is needed by test-embed.
  frameSrc: [ '\'self\'' ],
  workerSrc: [ '\'self\'', 'blob:' ],
  // Violation reports go to the configured endpoint, when one is set.
  ...onlyIf(CONFIG.CSP.REPORT_URI, { reportUri: CONFIG.CSP.REPORT_URI }),
  // Only ask browsers to upgrade http sub-resources when the site itself is served over https.
  ...onlyIf(CONFIG.WEBSERVER.SCHEME === 'https', { upgradeInsecureRequests: true })
}

// Build a CSP middleware with the options shared by both variants.
const buildCSP = (directives) => helmet.contentSecurityPolicy({
  directives,
  // Do not vary the header per User-Agent: the policy is written for a modern
  // browser, and a constant header stays cacheable by a CDN placed in front.
  browserSniff: false,
  reportOnly: CONFIG.CSP.REPORT_ONLY
})

const baseCSP = buildCSP(baseDirectives)

// Embed pages may be framed by any origin; every other directive is inherited.
const embedCSP = buildCSP({ ...baseDirectives, frameAncestors: [ '*' ] })

// ---------------------------------------------------------------------------

export {
  baseCSP,
  embedCSP
}