]>
Commit | Line | Data |
---|---|---|
1 | import * as helmet from 'helmet' | |
2 | import { CONFIG } from '../initializers/config' | |
3 | ||
4 | const baseDirectives = Object.assign({}, | |
5 | { | |
6 | defaultSrc: [ '\'none\'' ], // by default, not specifying default-src = '*' | |
7 | connectSrc: [ '*', 'data:' ], | |
8 | mediaSrc: [ '\'self\'', 'https:', 'blob:' ], | |
9 | fontSrc: [ '\'self\'', 'data:' ], | |
10 | imgSrc: [ '\'self\'', 'data:', 'blob:' ], | |
11 | scriptSrc: [ '\'self\' \'unsafe-inline\' \'unsafe-eval\'', 'blob:' ], | |
12 | styleSrc: [ '\'self\' \'unsafe-inline\'' ], | |
13 | objectSrc: [ '\'none\'' ], // only define to allow plugins, else let defaultSrc 'none' block it | |
14 | formAction: [ '\'self\'' ], | |
15 | frameAncestors: [ '\'none\'' ], | |
16 | baseUri: [ '\'self\'' ], | |
17 | manifestSrc: [ '\'self\'' ], | |
18 | frameSrc: [ '\'self\'' ], // instead of deprecated child-src / self because of test-embed | |
19 | workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src | |
20 | }, | |
21 | CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, | |
22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {} | |
23 | ) | |
24 | ||
25 | const baseCSP = helmet.contentSecurityPolicy({ | |
26 | directives: baseDirectives, | |
27 | reportOnly: CONFIG.CSP.REPORT_ONLY | |
28 | }) | |
29 | ||
30 | const embedCSP = helmet.contentSecurityPolicy({ | |
31 | directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }), | |
32 | reportOnly: CONFIG.CSP.REPORT_ONLY | |
33 | }) | |
34 | ||
35 | // --------------------------------------------------------------------------- | |
36 | ||
37 | export { | |
38 | baseCSP, | |
39 | embedCSP | |
40 | } |