diff options
author | Chocobozzz <me@florianbigard.com> | 2018-12-17 09:42:28 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-12-17 09:42:28 +0100 |
commit | 8fc58cb580994efe8f5167739568afadfe9850d7 (patch) | |
tree | 734c6c13adc679198404a916fbed2e75600cb04a /server | |
parent | 9aac44236c84f17b14ce35e358a87389766e2743 (diff) | |
download | PeerTube-8fc58cb580994efe8f5167739568afadfe9850d7.tar.gz PeerTube-8fc58cb580994efe8f5167739568afadfe9850d7.tar.zst PeerTube-8fc58cb580994efe8f5167739568afadfe9850d7.zip |
Fix CSP on dev mode
Diffstat (limited to 'server')
-rw-r--r-- | server/middlewares/csp.ts | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index a0ed3710b..8b919af0d 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts | |||
@@ -8,19 +8,18 @@ const baseDirectives = Object.assign({}, | |||
8 | mediaSrc: ["'self'", 'https:', 'blob:'], | 8 | mediaSrc: ["'self'", 'https:', 'blob:'], |
9 | fontSrc: ["'self'", 'data:'], | 9 | fontSrc: ["'self'", 'data:'], |
10 | imgSrc: ["'self'", 'data:'], | 10 | imgSrc: ["'self'", 'data:'], |
11 | scriptSrc: ["'self' 'unsafe-inline'"], | 11 | scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'"], |
12 | styleSrc: ["'self' 'unsafe-inline'"], | 12 | styleSrc: ["'self' 'unsafe-inline'"], |
13 | // objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it | 13 | objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it |
14 | formAction: ["'self'"], | 14 | formAction: ["'self'"], |
15 | frameAncestors: ["'none'"], | 15 | frameAncestors: ["'none'"], |
16 | baseUri: ["'self'"], | 16 | baseUri: ["'self'"], |
17 | pluginTypes: ["'none'"], | ||
18 | manifestSrc: ["'self'"], | 17 | manifestSrc: ["'self'"], |
19 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed | 18 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed |
20 | workerSrc: ["'self'"], // instead of deprecated child-src | 19 | workerSrc: ["'self'"] // instead of deprecated child-src |
21 | upgradeInsecureRequests: true | ||
22 | }, | 20 | }, |
23 | (CONFIG.SERVICES['CSP-LOGGER'] != null) ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {} | 21 | CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, |
22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} | ||
24 | ) | 23 | ) |
25 | 24 | ||
26 | const baseCSP = helmet.contentSecurityPolicy({ | 25 | const baseCSP = helmet.contentSecurityPolicy({ |