authorRigel Kent <sendmemail@rigelk.eu>2018-07-17 16:36:07 +0200
committerRigel Kent <sendmemail@rigelk.eu>2018-07-17 16:36:07 +0200
commitaa1c3d929f524f57930f8bb0ae8b07e8b51f9952 (patch)
tree59270be806ea3e5f27b99e4f6937ac5ef1f2554f
parent62945f067b90961d6947287014ef5b64781d7ca1 (diff)
(quickfix) loosening CSP
-rw-r--r--server.ts19
1 files changed, 16 insertions, 3 deletions
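--- a/server.ts
+++ b/server.ts
@@ -59,12 +59,13 @@ app.use(helmet({
   },
   contentSecurityPolicy: {
     directives: {
-      fontSrc: ["'self'"],
+      defaultSrc: ['*', 'data:', 'wss:', 'https:'],
+      fontSrc: ["'self'", 'data:'],
       frameSrc: ["'none'"],
       mediaSrc: ['*', 'https:'],
       objectSrc: ["'none'"],
-      scriptSrc: ["'self'"],
-      styleSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
       upgradeInsecureRequests: true
     },
     browserSniff: false // assumes a modern browser, but allows CDN in front
@@ -73,6 +74,18 @@ app.use(helmet({
     policy: 'strict-origin-when-cross-origin'
   }
 }))
+app.use((_, res, next) => {
+  [
+    "vibrate 'none'",
+    "geolocation 'none'",
+    "camera 'none'",
+    "microphone 'none'",
+    "magnetometer 'none'",
+    "payment 'none'",
+    "accelerometer 'none'"
+  ].forEach(e => res.append('Feature-Policy', e + ';'))
+  next()
+})
 
 // ----------- Database -----------
 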
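Review bot: The new `scriptSrc` entries `'unsafe-inline'` and `'unsafe-eval'` in the first hunk, together with `defaultSrc: ['*', ...]`, leave the CSP with almost no protection against injected script, which is the main thing a CSP is deployed for; with `'*'` as the default, any directive not listed explicitly (connect-src, img-src, etc.) permits every origin. Since the commit is labelled a quickfix, the loosened lines deserve a comment recording that they are temporary and what the intended replacement is, e.g. `// TODO: temporary — replace 'unsafe-inline'/'unsafe-eval' with nonces or hashes and tighten defaultSrc once the inline scripts and eval users are identified`. In the second hunk, `res.append` sends one `Feature-Policy` header per directive and each value carries a trailing `;`; a single header built with `res.setHeader('Feature-Policy', directives.join('; '))` is the conventional form and avoids relying on the client to merge repeated headers. The `app.use(helmet({` call whose options the first hunk edits begins above the hunk.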