aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middlewares
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2019-02-21 16:27:32 +0100
committerChocobozzz <me@florianbigard.com>2019-02-21 16:28:53 +0100
commit539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a (patch)
tree9bddd2ba539a49b3741fbd2ff3a2127e41a40268 /server/middlewares
parentc8000975d361fae166a6ebecac5005238e14d4c9 (diff)
downloadPeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.gz
PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.zst
PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.zip
BREAKING: update CSP configuration
Disable it by default and add ability to specify a custom report uri
Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/csp.ts10
1 files changed, 4 insertions, 6 deletions
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
index 5fa9d1ab5..404e33b43 100644
--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -18,22 +18,20 @@ const baseDirectives = Object.assign({},
18 frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed 18 frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
19 workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src 19 workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
20 }, 20 },
21 CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, 21 CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
22 CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} 22 CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
23) 23)
24 24
25const baseCSP = helmet.contentSecurityPolicy({ 25const baseCSP = helmet.contentSecurityPolicy({
26 directives: baseDirectives, 26 directives: baseDirectives,
27 browserSniff: false, 27 browserSniff: false,
28 reportOnly: true 28 reportOnly: CONFIG.CSP.REPORT_ONLY
29}) 29})
30 30
31const embedCSP = helmet.contentSecurityPolicy({ 31const embedCSP = helmet.contentSecurityPolicy({
32 directives: Object.assign(baseDirectives, { 32 directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }),
33 frameAncestors: ['*']
34 }),
35 browserSniff: false, // assumes a modern browser, but allows CDN in front 33 browserSniff: false, // assumes a modern browser, but allows CDN in front
36 reportOnly: true 34 reportOnly: CONFIG.CSP.REPORT_ONLY
37}) 35})
38 36
39// --------------------------------------------------------------------------- 37// ---------------------------------------------------------------------------