diff options
author | Chocobozzz <me@florianbigard.com> | 2019-02-06 12:26:58 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2019-02-06 12:26:58 +0100 |
commit | 73471b1a52f242e86364ffb077ea6cadb3b07ae2 (patch) | |
tree | 43dbb7748e281f8d80f15326f489cdea10ec857d /server/middlewares/csp.ts | |
parent | c22419dd265c0c7185bf4197a1cb286eb3d8ebc0 (diff) | |
parent | f5305c04aae14467d6f957b713c5a902275cbb89 (diff) | |
download | PeerTube-73471b1a52f242e86364ffb077ea6cadb3b07ae2.tar.gz PeerTube-73471b1a52f242e86364ffb077ea6cadb3b07ae2.tar.zst PeerTube-73471b1a52f242e86364ffb077ea6cadb3b07ae2.zip |
Merge branch 'release/v1.2.0'
Diffstat (limited to 'server/middlewares/csp.ts')
-rw-r--r-- | server/middlewares/csp.ts | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts new file mode 100644 index 000000000..8b919af0d --- /dev/null +++ b/server/middlewares/csp.ts | |||
@@ -0,0 +1,44 @@ | |||
1 | import * as helmet from 'helmet' | ||
2 | import { CONFIG } from '../initializers/constants' | ||
3 | |||
4 | const baseDirectives = Object.assign({}, | ||
5 | { | ||
6 | defaultSrc: ["'none'"], // by default, not specifying default-src = '*' | ||
7 | connectSrc: ['*', 'data:'], | ||
8 | mediaSrc: ["'self'", 'https:', 'blob:'], | ||
9 | fontSrc: ["'self'", 'data:'], | ||
10 | imgSrc: ["'self'", 'data:'], | ||
11 | scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'"], | ||
12 | styleSrc: ["'self' 'unsafe-inline'"], | ||
13 | objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it | ||
14 | formAction: ["'self'"], | ||
15 | frameAncestors: ["'none'"], | ||
16 | baseUri: ["'self'"], | ||
17 | manifestSrc: ["'self'"], | ||
18 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed | ||
19 | workerSrc: ["'self'"] // instead of deprecated child-src | ||
20 | }, | ||
21 | CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, | ||
22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} | ||
23 | ) | ||
24 | |||
25 | const baseCSP = helmet.contentSecurityPolicy({ | ||
26 | directives: baseDirectives, | ||
27 | browserSniff: false, | ||
28 | reportOnly: true | ||
29 | }) | ||
30 | |||
31 | const embedCSP = helmet.contentSecurityPolicy({ | ||
32 | directives: Object.assign(baseDirectives, { | ||
33 | frameAncestors: ['*'] | ||
34 | }), | ||
35 | browserSniff: false, // assumes a modern browser, but allows CDN in front | ||
36 | reportOnly: true | ||
37 | }) | ||
38 | |||
39 | // --------------------------------------------------------------------------- | ||
40 | |||
41 | export { | ||
42 | baseCSP, | ||
43 | embedCSP | ||
44 | } | ||