1 | import * as helmet from 'helmet' | |
2 | import { CONFIG } from '../initializers/constants' | |
3 | ||
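// Directive set shared by both policies below. Each value is an array of
// source expressions; helmet joins the entries of one array with a space when
// it builds the header, so keep one source expression per entry (previously
// scriptSrc/styleSrc packed several into a single string — same header, but
// inconsistent with the rest of the list).
// NOTE(review): both middlewares that consume this object are created with
// reportOnly: true, so none of these directives is enforced — violations are
// only reported to reportUri when a CSP logger is configured.
const baseDirectives = Object.assign({},
  {
    defaultSrc: ["'none'"], // by default, not specifying default-src = '*'
    connectSrc: ['*', 'data:'],
    mediaSrc: ["'self'", 'https:', 'blob:'],
    fontSrc: ["'self'", 'data:'],
    imgSrc: ["'self'", 'data:'],
    // 'unsafe-inline' and 'unsafe-eval' permit inline scripts and eval(), which
    // gives up most of the XSS protection script-src would otherwise provide.
    scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it
    formAction: ["'self'"],
    frameAncestors: ["'none'"],
    baseUri: ["'self'"],
    manifestSrc: ["'self'"],
    frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
    workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
  },
  // Only add report-uri when a CSP logger endpoint is configured.
  CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {},
  // upgrade-insecure-requests only makes sense when the server itself is served over https.
  CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
)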
24 | ||
/**
 * CSP middleware for regular pages: emits the shared directives as a
 * Content-Security-Policy-Report-Only header, so violations are reported
 * (to reportUri, when configured) but never blocked.
 */
const baseCSP = helmet.contentSecurityPolicy({
  reportOnly: true, // report, do not enforce
  browserSniff: false, // send the same header to every User-Agent
  directives: baseDirectives
})
30 | ||
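/**
 * CSP middleware for the embed page. Same as baseCSP except that any site may
 * frame it (frame-ancestors *), which is what an embed needs.
 *
 * The override is applied to a copy of baseDirectives. The original
 * Object.assign(baseDirectives, ...) overwrote baseDirectives.frameAncestors
 * in place, so whether baseCSP still ended up with 'none' depended on helmet
 * having copied the directives object before this statement ran. Copying
 * here removes that dependency on library internals.
 */
const embedCSP = helmet.contentSecurityPolicy({
  directives: Object.assign({}, baseDirectives, {
    frameAncestors: ['*']
  }),
  browserSniff: false, // assumes a modern browser, but allows CDN in front
  reportOnly: true // report, do not enforce
})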
38 | ||
// ---------------------------------------------------------------------------

// Both middlewares are report-only; switching reportOnly to false above is what
// would make the policy enforced.
export { baseCSP, embedCSP }