author | Chocobozzz <me@florianbigard.com> | 2019-02-21 16:27:32 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2019-02-21 16:28:53 +0100 |
commit | 539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a (patch) | |
tree | 9bddd2ba539a49b3741fbd2ff3a2127e41a40268 /server/middlewares | |
parent | c8000975d361fae166a6ebecac5005238e14d4c9 (diff) | |
BREAKING: update CSP configuration
Disable it by default and add ability to specify a custom report uri
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/csp.ts | 10 |
1 files changed, 4 insertions, 6 deletions
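--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -18,22 +18,20 @@ const baseDirectives = Object.assign({},
 frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
 workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
 },
-CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {},
+CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
 CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
 )
 
 const baseCSP = helmet.contentSecurityPolicy({
 directives: baseDirectives,
 browserSniff: false,
-reportOnly: true
+reportOnly: CONFIG.CSP.REPORT_ONLY
 })
 
 const embedCSP = helmet.contentSecurityPolicy({
-directives: Object.assign(baseDirectives, {
-frameAncestors: ['*']
-}),
+directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }),
 browserSniff: false, // assumes a modern browser, but allows CDN in front
-reportOnly: true
+reportOnly: CONFIG.CSP.REPORT_ONLY
 })
 
 // ---------------------------------------------------------------------------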
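Review bot: With `reportOnly: CONFIG.CSP.REPORT_ONLY` on new lines 28 and 34 and the `reportUri` directive only added when `CONFIG.CSP.REPORT_URI` is set (new line 21), an operator who enables report-only mode without a report URI gets a policy that is neither enforced nor collected anywhere, and nothing in the hunk surfaces that combination. A comment next to the `reportUri` conditional such as `// report-only without REPORT_URI means violations are only visible in the browser console, never collected` would make the trade-off explicit, and a startup warning for that combination would be better still if the config validation code (outside this hunk) has a place for it. The same applies to the rename away from `CONFIG.SERVICES['CSP-LOGGER']`: deployments still carrying the old key silently lose reporting, which the BREAKING note in the commit message covers but the code does not detect; presumably that belongs in the config-checking step rather than here. Note that `Object.assign({}, baseDirectives, …)` is a shallow copy, so the directive arrays themselves remain shared between `baseCSP` and `embedCSP`; that is fine as long as nothing mutates them later, which is worth a short comment. The `baseDirectives` object literal starts above the hunk.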