(quickfix) loosening CSP
authorRigel Kent <sendmemail@rigelk.eu>
Tue, 17 Jul 2018 14:36:07 +0000 (16:36 +0200)
committerRigel Kent <sendmemail@rigelk.eu>
Tue, 17 Jul 2018 14:36:07 +0000 (16:36 +0200)
server.ts

index 7dffb65761573a919c7ee7dfd99ac1dabc4d3e5f..b23ec5105e71b3f5e4edbff441426250a4797bc9 100644 (file)
--- a/server.ts
+++ b/server.ts
@@ -59,12 +59,13 @@ app.use(helmet({
   },
   contentSecurityPolicy: {
     directives: {
-      fontSrc: ["'self'"],
+      defaultSrc: ['*', 'data:', 'wss:', 'https:'],
+      fontSrc: ["'self'", 'data:'],
       frameSrc: ["'none'"],
       mediaSrc: ['*', 'https:'],
       objectSrc: ["'none'"],
-      scriptSrc: ["'self'"],
-      styleSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
       upgradeInsecureRequests: true
     },
     browserSniff: false // assumes a modern browser, but allows CDN in front
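Review bot: Adding `'unsafe-inline'` and `'unsafe-eval'` to `scriptSrc` removes the script-injection protection this CSP was providing, so an XSS in a served page can run inline and eval'd code as if no policy were set, and the new `defaultSrc: ['*', 'data:', 'wss:', 'https:']` also becomes the fallback for every directive not listed here (connect-src, img-src, child-src), allowing those to reach any origin. Neither the hunk nor the commit message says which client code needs these relaxations, so the next maintainer cannot tell what is safe to tighten again; record it on the directive, e.g. `// TODO: 'unsafe-inline'/'unsafe-eval' required by the client bundle (quickfix) — move to nonce- or hash-based script-src once the client supports it`. If only a known set of hosts must be reached, consider declaring `connectSrc` explicitly instead of letting it inherit `*`. The `app.use(helmet({` call this hunk edits starts before the hunk.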
@@ -73,6 +74,18 @@ app.use(helmet({
     policy: 'strict-origin-when-cross-origin'
   }
 }))
+app.use((_, res, next) => {
+  [
+    "vibrate 'none'",
+    "geolocation 'none'",
+    "camera 'none'",
+    "microphone 'none'",
+    "magnetometer 'none'",
+    "payment 'none'",
+    "accelerometer 'none'"
+  ].forEach(e => res.append('Feature-Policy', e + ';'))
+  next()
+})
 
 // ----------- Database -----------