From aa1c3d929f524f57930f8bb0ae8b07e8b51f9952 Mon Sep 17 00:00:00 2001
From: Rigel Kent
Date: Tue, 17 Jul 2018 16:36:07 +0200
Subject: [PATCH] (quickfix) loosening CSP
---
 server.ts | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/server.ts b/server.ts
index 7dffb6576..b23ec5105 100644
--- a/server.ts
+++ b/server.ts
@@ -59,12 +59,13 @@ app.use(helmet({
 },
 contentSecurityPolicy: {
 directives: {
- fontSrc: ["'self'"],
+ defaultSrc: ['*', 'data:', 'wss:', 'https:'],
+ fontSrc: ["'self'", 'data:'],
 frameSrc: ["'none'"],
 mediaSrc: ['*', 'https:'],
 objectSrc: ["'none'"],
- scriptSrc: ["'self'"],
- styleSrc: ["'self'"],
+ scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+ styleSrc: ["'self'", "'unsafe-inline'"],
 upgradeInsecureRequests: true
 },
 browserSniff: false // assumes a modern browser, but allows CDN in front
@@ -73,6 +74,18 @@ app.use(helmet({
 policy: 'strict-origin-when-cross-origin'
 }
 }))
+app.use((_, res, next) => {
+ [
+ "vibrate 'none'",
+ "geolocation 'none'",
+ "camera 'none'",
+ "microphone 'none'",
+ "magnetometer 'none'",
+ "payment 'none'",
+ "accelerometer 'none'"
+ ].forEach(e => res.append('Feature-Policy', e + ';'))
+ next()
+})
 // ----------- Database -----------
-- 
2.41.0
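Review bot: The new `scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"]` combined with `defaultSrc: ['*', 'data:', 'wss:', 'https:']` leaves the policy unable to block inline or injected script, which is the main protection a CSP provides, and the hunk records neither why each relaxation was needed nor a plan to undo it. A comment above `defaultSrc` should name the feature that required each source and mark the follow-up, e.g. `// TODO: quickfix — replace 'unsafe-inline'/'unsafe-eval' with nonce/hash sources and narrow defaultSrc; tracked in <issue placeholder>`. Because `defaultSrc` is the fallback for every directive not listed, `'*'` here also governs connect, img and other sources; if only websocket connections needed `wss:`, listing it under a dedicated `connectSrc` keeps the remaining directives narrow. The enclosing `app.use(helmet({ ... }))` call starts before this hunk.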
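Review bot: The `forEach` over the directive list calls `res.append('Feature-Policy', e + ';')` seven times, which emits seven separate header values and relies on the client merging repeated `Feature-Policy` headers, whereas the header's own syntax is a single value with `;`-separated directives. Joining once is unambiguous and drops the trailing `;`: `res.set('Feature-Policy', directives.join('; '))` with the array bound to `directives`. The middleware also has no comment saying why these features are denied; a one-line `// Deny browser features the application never uses` above `app.use` would help the next reader. If the helmet version in use offers a feature-policy option, configuring it inside the existing `helmet({ ... })` call would avoid a second middleware, but that depends on the installed version, which the hunk does not show.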