diff options
| author | Chocobozzz <me@florianbigard.com> | 2019-02-21 16:27:32 +0100 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2019-02-21 16:28:53 +0100 |
| commit | 539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a (patch) | |
| tree | 9bddd2ba539a49b3741fbd2ff3a2127e41a40268 /server | |
| parent | c8000975d361fae166a6ebecac5005238e14d4c9 (diff) | |
| download | PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.gz PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.zst PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.zip | |
BREAKING: update CSP configuration
Disable it by default and add ability to specify a custom report uri
Diffstat (limited to 'server')
| -rw-r--r-- | server/initializers/checker-after-init.ts | 6 | ||||
| -rw-r--r-- | server/initializers/checker-before-init.ts | 1 | ||||
| -rw-r--r-- | server/initializers/constants.ts | 6 | ||||
| -rw-r--r-- | server/middlewares/csp.ts | 10 |
4 files changed, 16 insertions, 7 deletions
diff --git a/server/initializers/checker-after-init.ts b/server/initializers/checker-after-init.ts index 955d55206..53124f9ec 100644 --- a/server/initializers/checker-after-init.ts +++ b/server/initializers/checker-after-init.ts | |||
| @@ -34,6 +34,12 @@ async function checkActivityPubUrls () { | |||
| 34 | // Return an error message, or null if everything is okay | 34 | // Return an error message, or null if everything is okay |
| 35 | function checkConfig () { | 35 | function checkConfig () { |
| 36 | 36 | ||
| 37 | // Moved configuration keys | ||
| 38 | if (config.has('services.csp-logger')) { | ||
| 39 | logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.') | ||
| 40 | } | ||
| 41 | |||
| 42 | // Email verification | ||
| 37 | if (!Emailer.isEnabled()) { | 43 | if (!Emailer.isEnabled()) { |
| 38 | if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) { | 44 | if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) { |
| 39 | return 'Emailer is disabled but you require signup email verification.' | 45 | return 'Emailer is disabled but you require signup email verification.' |
diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts index 230fdd356..2567d957b 100644 --- a/server/initializers/checker-before-init.ts +++ b/server/initializers/checker-before-init.ts | |||
| @@ -15,6 +15,7 @@ function checkMissedConfig () { | |||
| 15 | 'storage.redundancy', 'storage.tmp', 'storage.playlists', | 15 | 'storage.redundancy', 'storage.tmp', 'storage.playlists', |
| 16 | 'log.level', | 16 | 'log.level', |
| 17 | 'user.video_quota', 'user.video_quota_daily', | 17 | 'user.video_quota', 'user.video_quota_daily', |
| 18 | 'csp.enabled', 'csp.report_only', 'csp.report_uri', | ||
| 18 | 'cache.previews.size', 'admin.email', 'contact_form.enabled', | 19 | 'cache.previews.size', 'admin.email', 'contact_form.enabled', |
| 19 | 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', | 20 | 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', |
| 20 | 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', | 21 | 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', |
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index 0ede45620..0d9a6a512 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts | |||
| @@ -229,6 +229,11 @@ const CONFIG = { | |||
| 229 | STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies')) | 229 | STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies')) |
| 230 | } | 230 | } |
| 231 | }, | 231 | }, |
| 232 | CSP: { | ||
| 233 | ENABLED: config.get<boolean>('csp.enabled'), | ||
| 234 | REPORT_ONLY: config.get<boolean>('csp.report_only'), | ||
| 235 | REPORT_URI: config.get<boolean>('csp.report_uri') | ||
| 236 | }, | ||
| 232 | ADMIN: { | 237 | ADMIN: { |
| 233 | get EMAIL () { return config.get<string>('admin.email') } | 238 | get EMAIL () { return config.get<string>('admin.email') } |
| 234 | }, | 239 | }, |
| @@ -300,7 +305,6 @@ const CONFIG = { | |||
| 300 | get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') } | 305 | get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') } |
| 301 | }, | 306 | }, |
| 302 | SERVICES: { | 307 | SERVICES: { |
| 303 | get 'CSP-LOGGER' () { return config.get<string>('services.csp-logger') }, | ||
| 304 | TWITTER: { | 308 | TWITTER: { |
| 305 | get USERNAME () { return config.get<string>('services.twitter.username') }, | 309 | get USERNAME () { return config.get<string>('services.twitter.username') }, |
| 306 | get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') } | 310 | get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') } |
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index 5fa9d1ab5..404e33b43 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts | |||
| @@ -18,22 +18,20 @@ const baseDirectives = Object.assign({}, | |||
| 18 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed | 18 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed |
| 19 | workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src | 19 | workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src |
| 20 | }, | 20 | }, |
| 21 | CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, | 21 | CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, |
| 22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} | 22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} |
| 23 | ) | 23 | ) |
| 24 | 24 | ||
| 25 | const baseCSP = helmet.contentSecurityPolicy({ | 25 | const baseCSP = helmet.contentSecurityPolicy({ |
| 26 | directives: baseDirectives, | 26 | directives: baseDirectives, |
| 27 | browserSniff: false, | 27 | browserSniff: false, |
| 28 | reportOnly: true | 28 | reportOnly: CONFIG.CSP.REPORT_ONLY |
| 29 | }) | 29 | }) |
| 30 | 30 | ||
| 31 | const embedCSP = helmet.contentSecurityPolicy({ | 31 | const embedCSP = helmet.contentSecurityPolicy({ |
| 32 | directives: Object.assign(baseDirectives, { | 32 | directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }), |
| 33 | frameAncestors: ['*'] | ||
| 34 | }), | ||
| 35 | browserSniff: false, // assumes a modern browser, but allows CDN in front | 33 | browserSniff: false, // assumes a modern browser, but allows CDN in front |
| 36 | reportOnly: true | 34 | reportOnly: CONFIG.CSP.REPORT_ONLY |
| 37 | }) | 35 | }) |
| 38 | 36 | ||
| 39 | // --------------------------------------------------------------------------- | 37 | // --------------------------------------------------------------------------- |