Fix CSP

author: Chocobozzz <me@florianbigard.com> 2018-07-17 18:44:47 +0200
committer: Chocobozzz <me@florianbigard.com> 2018-07-17 18:44:47 +0200
commit: 57bf30a984ccbe58e1506f903055a15c1ddaf8f2 (patch)
tree: 069542004e0e7cf64276b173216ae455b0cdf863 /server.ts
parent: b54431049b7b50fc18788bbe600de6adf3f4eb2c (diff)
download: PeerTube-57bf30a984ccbe58e1506f903055a15c1ddaf8f2.tar.gz
PeerTube-57bf30a984ccbe58e1506f903055a15c1ddaf8f2.tar.zst
PeerTube-57bf30a984ccbe58e1506f903055a15c1ddaf8f2.zip
1 files changed, 4 insertions, 4 deletions
diff --git a/server.ts b/server.ts
index b23ec5105..104de2153 100644
--- a/server.ts
+++ b/server.ts
@@ -27,7 +27,7 @@ import { checkMissedConfig, checkFFmpeg, checkConfig, checkActivityPubUrls } fro
 // Do not use barrels because we don't want to load all modules here (we need to initialize database first)
 import { logger } from './server/helpers/logger'
-import { API_VERSION, CONFIG, STATIC_PATHS, CACHE } from './server/initializers/constants'
+import { API_VERSION, CONFIG, STATIC_PATHS, CACHE, REMOTE_SCHEME } from './server/initializers/constants'
 const missed = checkMissedConfig()
 if (missed.length !== 0) {
@@ -59,14 +59,14 @@ app.use(helmet({
  },
  contentSecurityPolicy: {
    directives: {
-      defaultSrc: ['*', 'data:', 'wss:', 'https:'],
+      defaultSrc: ['*', 'data:', REMOTE_SCHEME.WS + ':', REMOTE_SCHEME.HTTP + ':'],
      fontSrc: ["'self'", 'data:'],
      frameSrc: ["'none'"],
-      mediaSrc: ['*', 'https:'],
+      mediaSrc: ['*', REMOTE_SCHEME.HTTP + ':'],
      objectSrc: ["'none'"],
      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
-      upgradeInsecureRequests: true
+      upgradeInsecureRequests: false
    },
    browserSniff: false // assumes a modern browser, but allows CDN in front
  },
author	Chocobozzz <me@florianbigard.com>	2018-07-17 18:44:47 +0200
committer	Chocobozzz <me@florianbigard.com>	2018-07-17 18:44:47 +0200
commit	57bf30a984ccbe58e1506f903055a15c1ddaf8f2 (patch)
tree	069542004e0e7cf64276b173216ae455b0cdf863 /server.ts
parent	b54431049b7b50fc18788bbe600de6adf3f4eb2c (diff)
download	PeerTube-57bf30a984ccbe58e1506f903055a15c1ddaf8f2.tar.gz PeerTube-57bf30a984ccbe58e1506f903055a15c1ddaf8f2.tar.zst PeerTube-57bf30a984ccbe58e1506f903055a15c1ddaf8f2.zip

diff --git a/server.ts b/server.ts index b23ec5105..104de2153 100644 --- a/server.ts +++ b/server.ts
@@ -27,7 +27,7 @@ import { checkMissedConfig, checkFFmpeg, checkConfig, checkActivityPubUrls } fro
27		27
28	// Do not use barrels because we don't want to load all modules here (we need to initialize database first)	28	// Do not use barrels because we don't want to load all modules here (we need to initialize database first)
29	import { logger } from './server/helpers/logger'	29	import { logger } from './server/helpers/logger'
30	import { API_VERSION, CONFIG, STATIC_PATHS, CACHE } from './server/initializers/constants'	30	import { API_VERSION, CONFIG, STATIC_PATHS, CACHE, REMOTE_SCHEME } from './server/initializers/constants'
31		31
32	const missed = checkMissedConfig()	32	const missed = checkMissedConfig()
33	if (missed.length !== 0) {	33	if (missed.length !== 0) {
@@ -59,14 +59,14 @@ app.use(helmet({
59	},	59	},
60	contentSecurityPolicy: {	60	contentSecurityPolicy: {
61	directives: {	61	directives: {
62	defaultSrc: ['*', 'data:', 'wss:', 'https:'],	62	defaultSrc: ['*', 'data:', REMOTE_SCHEME.WS + ':', REMOTE_SCHEME.HTTP + ':'],
63	fontSrc: ["'self'", 'data:'],	63	fontSrc: ["'self'", 'data:'],
64	frameSrc: ["'none'"],	64	frameSrc: ["'none'"],
65	mediaSrc: ['*', 'https:'],	65	mediaSrc: ['*', REMOTE_SCHEME.HTTP + ':'],
66	objectSrc: ["'none'"],	66	objectSrc: ["'none'"],
67	scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],	67	scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
68	styleSrc: ["'self'", "'unsafe-inline'"],	68	styleSrc: ["'self'", "'unsafe-inline'"],
69	upgradeInsecureRequests: true	69	upgradeInsecureRequests: false
70	},	70	},
71	browserSniff: false // assumes a modern browser, but allows CDN in front	71	browserSniff: false // assumes a modern browser, but allows CDN in front
72	},	72	},