aboutsummaryrefslogtreecommitdiffhomepage
path: root/server
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2019-02-21 16:27:32 +0100
committerChocobozzz <me@florianbigard.com>2019-02-21 16:28:53 +0100
commit539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a (patch)
tree9bddd2ba539a49b3741fbd2ff3a2127e41a40268 /server
parentc8000975d361fae166a6ebecac5005238e14d4c9 (diff)
downloadPeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.gz
PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.zst
PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.zip
BREAKING: update CSP configuration
Disable it by default and add ability to specify a custom report uri
Diffstat (limited to 'server')
-rw-r--r--server/initializers/checker-after-init.ts6
-rw-r--r--server/initializers/checker-before-init.ts1
-rw-r--r--server/initializers/constants.ts6
-rw-r--r--server/middlewares/csp.ts10
4 files changed, 16 insertions, 7 deletions
diff --git a/server/initializers/checker-after-init.ts b/server/initializers/checker-after-init.ts
index 955d55206..53124f9ec 100644
--- a/server/initializers/checker-after-init.ts
+++ b/server/initializers/checker-after-init.ts
@@ -34,6 +34,12 @@ async function checkActivityPubUrls () {
34// Return an error message, or null if everything is okay 34// Return an error message, or null if everything is okay
35function checkConfig () { 35function checkConfig () {
36 36
37 // Moved configuration keys
38 if (config.has('services.csp-logger')) {
39 logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.')
40 }
41
42 // Email verification
37 if (!Emailer.isEnabled()) { 43 if (!Emailer.isEnabled()) {
38 if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) { 44 if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
39 return 'Emailer is disabled but you require signup email verification.' 45 return 'Emailer is disabled but you require signup email verification.'
diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts
index 230fdd356..2567d957b 100644
--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@@ -15,6 +15,7 @@ function checkMissedConfig () {
15 'storage.redundancy', 'storage.tmp', 'storage.playlists', 15 'storage.redundancy', 'storage.tmp', 'storage.playlists',
16 'log.level', 16 'log.level',
17 'user.video_quota', 'user.video_quota_daily', 17 'user.video_quota', 'user.video_quota_daily',
18 'csp.enabled', 'csp.report_only', 'csp.report_uri',
18 'cache.previews.size', 'admin.email', 'contact_form.enabled', 19 'cache.previews.size', 'admin.email', 'contact_form.enabled',
19 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', 20 'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
20 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', 21 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 0ede45620..0d9a6a512 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -229,6 +229,11 @@ const CONFIG = {
229 STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies')) 229 STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies'))
230 } 230 }
231 }, 231 },
232 CSP: {
233 ENABLED: config.get<boolean>('csp.enabled'),
234 REPORT_ONLY: config.get<boolean>('csp.report_only'),
235 REPORT_URI: config.get<boolean>('csp.report_uri')
236 },
232 ADMIN: { 237 ADMIN: {
233 get EMAIL () { return config.get<string>('admin.email') } 238 get EMAIL () { return config.get<string>('admin.email') }
234 }, 239 },
@@ -300,7 +305,6 @@ const CONFIG = {
300 get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') } 305 get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') }
301 }, 306 },
302 SERVICES: { 307 SERVICES: {
303 get 'CSP-LOGGER' () { return config.get<string>('services.csp-logger') },
304 TWITTER: { 308 TWITTER: {
305 get USERNAME () { return config.get<string>('services.twitter.username') }, 309 get USERNAME () { return config.get<string>('services.twitter.username') },
306 get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') } 310 get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') }
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
index 5fa9d1ab5..404e33b43 100644
--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -18,22 +18,20 @@ const baseDirectives = Object.assign({},
18 frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed 18 frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
19 workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src 19 workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
20 }, 20 },
21 CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, 21 CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
22 CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} 22 CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
23) 23)
24 24
25const baseCSP = helmet.contentSecurityPolicy({ 25const baseCSP = helmet.contentSecurityPolicy({
26 directives: baseDirectives, 26 directives: baseDirectives,
27 browserSniff: false, 27 browserSniff: false,
28 reportOnly: true 28 reportOnly: CONFIG.CSP.REPORT_ONLY
29}) 29})
30 30
31const embedCSP = helmet.contentSecurityPolicy({ 31const embedCSP = helmet.contentSecurityPolicy({
32 directives: Object.assign(baseDirectives, { 32 directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }),
33 frameAncestors: ['*']
34 }),
35 browserSniff: false, // assumes a modern browser, but allows CDN in front 33 browserSniff: false, // assumes a modern browser, but allows CDN in front
36 reportOnly: true 34 reportOnly: CONFIG.CSP.REPORT_ONLY
37}) 35})
38 36
39// --------------------------------------------------------------------------- 37// ---------------------------------------------------------------------------