diff options
Diffstat (limited to 'server.ts')
-rw-r--r-- | server.ts | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -27,7 +27,7 @@ import { checkMissedConfig, checkFFmpeg, checkConfig, checkActivityPubUrls } fro | |||
27 | 27 | ||
28 | // Do not use barrels because we don't want to load all modules here (we need to initialize database first) | 28 | // Do not use barrels because we don't want to load all modules here (we need to initialize database first) |
29 | import { logger } from './server/helpers/logger' | 29 | import { logger } from './server/helpers/logger' |
30 | import { API_VERSION, CONFIG, STATIC_PATHS, CACHE } from './server/initializers/constants' | 30 | import { API_VERSION, CONFIG, STATIC_PATHS, CACHE, REMOTE_SCHEME } from './server/initializers/constants' |
31 | 31 | ||
32 | const missed = checkMissedConfig() | 32 | const missed = checkMissedConfig() |
33 | if (missed.length !== 0) { | 33 | if (missed.length !== 0) { |
@@ -59,14 +59,14 @@ app.use(helmet({ | |||
59 | }, | 59 | }, |
60 | contentSecurityPolicy: { | 60 | contentSecurityPolicy: { |
61 | directives: { | 61 | directives: { |
62 | defaultSrc: ['*', 'data:', 'wss:', 'https:'], | 62 | defaultSrc: ['*', 'data:', REMOTE_SCHEME.WS + ':', REMOTE_SCHEME.HTTP + ':'], |
63 | fontSrc: ["'self'", 'data:'], | 63 | fontSrc: ["'self'", 'data:'], |
64 | frameSrc: ["'none'"], | 64 | frameSrc: ["'none'"], |
65 | mediaSrc: ['*', 'https:'], | 65 | mediaSrc: ['*', REMOTE_SCHEME.HTTP + ':'], |
66 | objectSrc: ["'none'"], | 66 | objectSrc: ["'none'"], |
67 | scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"], | 67 | scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"], |
68 | styleSrc: ["'self'", "'unsafe-inline'"], | 68 | styleSrc: ["'self'", "'unsafe-inline'"], |
69 | upgradeInsecureRequests: true | 69 | upgradeInsecureRequests: false |
70 | }, | 70 | }, |
71 | browserSniff: false // assumes a modern browser, but allows CDN in front | 71 | browserSniff: false // assumes a modern browser, but allows CDN in front |
72 | }, | 72 | }, |