// `ng build --env=prod` then `environment.prod.ts` will be used instead.
// The list of which env maps to which file can be found in `.angular-cli.json`.
+// Reflect.metadata polyfill is only needed in the JIT/dev mode.
+//
+// In order to load these polyfills early enough (before app code), polyfill.ts imports this file to
+// to change the order in the final bundle.
+import 'core-js/es6/reflect'
+import 'core-js/es7/reflect'
+
export const environment = {
production: false,
hmr: false,
/** IE10 and IE11 requires the following for the Reflect API. */
// For Google Bot
-import 'core-js/es6/reflect'
+// import 'core-js/es6/reflect'; // --> dealt with in src/environment.ts
+
+/**
+ * Evergreen browsers require these.
+ */
+// Used for reflect-metadata in JIT. If you use AOT (and only Angular decorators), you can remove.
+// import 'core-js/es7/reflect' // --> dealt with in src/environment.ts
/**
* Required to support Web Animations `@angular/platform-browser/animations`.
"# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
services:
+ # You can provide a reporting endpoint for Content Security Policy violations
+ csp-logger:
# Cards configuration to format video in Twitter
twitter:
username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
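Review bot: The added `csp-logger:` key is left with no value and the comment above it does not say what form the value takes, so an admin cannot tell whether it is a URL, a hostname or a switch. The server-side check (in the new csp middleware, `CONFIG.SERVICES['CSP-LOGGER'] != null`) only omits the `report-uri` directive when the value is null, so leaving the key empty is what disables reporting, and that is worth stating: `# You can provide a reporting endpoint for Content Security Policy violations (an absolute URL the browser will POST violation reports to); leave empty to disable reporting`. The identical hunk in the second configuration file below has the same gap.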
"# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
services:
+ # You can provide a reporting endpoint for Content Security Policy violations
+ csp-logger:
# Cards configuration to format video in Twitter
twitter:
username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
app.set('trust proxy', CONFIG.TRUST_PROXY)
// Security middleware
+import { baseCSP } from './server/middlewares'
+
+app.use(baseCSP)
app.use(helmet({
frameguard: {
action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
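Review bot: The new `import { baseCSP } from './server/middlewares'` is placed in the middle of the file, after `app.set('trust proxy', ...)`, rather than with the file's other imports; ES imports are hoisted so it runs, but the dependency is hidden and import-order linters usually reject it. Move the import to the top-of-file import block (outside this hunk) and keep only `app.use(baseCSP)` here. Since baseCSP is built with `reportOnly: true` in the new csp middleware, the header it adds is `Content-Security-Policy-Report-Only`, so extending the comment to `// Security middleware (CSP is report-only for now, nothing is blocked yet)` would stop a reader from assuming the policy is enforced. The helmet(...) call continues past the end of the hunk.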
import { join } from 'path'
import { root } from '../helpers/core-utils'
import { ACCEPT_HEADERS, STATIC_MAX_AGE } from '../initializers'
-import { asyncMiddleware } from '../middlewares'
+import { asyncMiddleware, embedCSP } from '../middlewares'
import { buildFileLocale, getCompleteLocale, is18nLocale, LOCALE_FILES } from '../../shared/models/i18n/i18n'
import { ClientHtml } from '../lib/client-html'
import { logger } from '../helpers/logger'
clientsRouter.use('' +
'/videos/embed',
+ embedCSP,
(req: express.Request, res: express.Response, next: express.NextFunction) => {
res.removeHeader('X-Frame-Options')
res.sendFile(embedPath)
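Review bot: Nothing in this handler explains why `embedCSP` and `res.removeHeader('X-Frame-Options')` are both needed on the embed route, and the relationship is not obvious: helmet's global frameguard (`action: 'deny'` in server.ts) sets X-Frame-Options, which the handler strips, while embedCSP carries `frameAncestors: ['*']` for the same purpose. A comment such as `// embeds must be frameable by any origin: drop the global X-Frame-Options deny and use the relaxed embed CSP (frame-ancestors *)` would document that. Note that embedCSP is defined with `reportOnly: true`, so for now only the removed X-Frame-Options header actually changes browser behaviour here. The `clientsRouter.use(...)` call continues past the end of the hunk.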
get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') }
},
SERVICES: {
+ get 'CSP-LOGGER' () { return config.get<string>('services.csp-logger') },
TWITTER: {
get USERNAME () { return config.get<string>('services.twitter.username') },
get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') }
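Review bot: The new getter is named with a quoted, hyphenated key, `get 'CSP-LOGGER' ()`, while its siblings (`TWITTER`, `USERNAME`, `WHITELISTED`, `SECURITYTXT_CONTACT`) use plain identifiers; this forces bracket access (`CONFIG.SERVICES['CSP-LOGGER']`) at every call site and breaks the file's naming convention. `get CSP_LOGGER () { return config.get<string>('services.csp-logger') },` keeps the YAML path unchanged and lets callers write `CONFIG.SERVICES.CSP_LOGGER`. The enclosing CONFIG object starts and ends outside the hunk.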
--- /dev/null
+import * as helmet from 'helmet'
+import { CONFIG } from '../initializers/constants'
+
+const baseDirectives = Object.assign({},
+ {
+ defaultSrc: ["'none'"], // by default, not specifying default-src = '*'
+ connectSrc: ['*', 'data:'],
+ mediaSrc: ["'self'", 'https:', 'blob:'],
+ fontSrc: ["'self'", 'data:'],
+ imgSrc: ["'self'", 'data:'],
+ scriptSrc: ["'self' 'unsafe-inline'"],
+ styleSrc: ["'self' 'unsafe-inline'"],
+ // objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it
+ formAction: ["'self'"],
+ frameAncestors: ["'none'"],
+ baseUri: ["'self'"],
+ pluginTypes: ["'none'"],
+ manifestSrc: ["'self'"],
+ frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
+ workerSrc: ["'self'"], // instead of deprecated child-src
+ upgradeInsecureRequests: true
+ },
+ (CONFIG.SERVICES['CSP-LOGGER'] != null) ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}
+)
+
+const baseCSP = helmet.contentSecurityPolicy({
+ directives: baseDirectives,
+ browserSniff: false,
+ reportOnly: true
+})
+
+const embedCSP = helmet.contentSecurityPolicy({
+ directives: Object.assign(baseDirectives, {
+ frameAncestors: ['*']
+ }),
+ browserSniff: false, // assumes a modern browser, but allows CDN in front
+ reportOnly: true
+})
+
+// ---------------------------------------------------------------------------
+
+export {
+ baseCSP,
+ embedCSP
+}
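Review bot: `Object.assign(baseDirectives, { frameAncestors: ['*'] })` in the embedCSP definition mutates the shared `baseDirectives` object instead of copying it, so once this module has loaded `baseDirectives.frameAncestors` is `['*']`; whether baseCSP then also emits `frame-ancestors *` depends on whether helmet reads the directives at construction time or per request, which is not visible here, but a copy is clearly what was intended: `directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] })`. In the same directive table, `scriptSrc: ["'self' 'unsafe-inline'"]` packs two source expressions into a single array element unlike every other entry; `scriptSrc: ["'self'", "'unsafe-inline'"]` is the consistent form, and a comment on why inline scripts must be allowed would help, since `'unsafe-inline'` on script-src gives up most of the XSS protection the policy could provide once it is enforced. Both middlewares set `reportOnly: true`, so the header sent is `Content-Security-Policy-Report-Only` and nothing is blocked yet; a one-line comment above baseCSP saying so would save the next reader from assuming the policy is live. The `!= null` test on `CONFIG.SERVICES['CSP-LOGGER']` lets an empty string through as an empty `report-uri`; a truthiness check would also treat a blank config value as "no reporting".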
export {
advertiseDoNotTrack
- }
+}
export * from './servers'
export * from './sort'
export * from './user-right'
+export * from './dnt'
+export * from './csp'
1080:
__name: "PEERTUBE_TRANSCODING_1080P"
__format: "json"
-
instance:
name: "PEERTUBE_INSTANCE_NAME"
description: "PEERTUBE_INSTANCE_DESCRIPTION"
terms: "PEERTUBE_INSTANCE_TERMS"
+
+services:
+ csp-logger: "PEERTUBE_SERVICES_CSPLOGGER"