1 files changed, 0 insertions, 40 deletions
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
deleted file mode 100644
index e2a75a17e..000000000
--- a/server/middlewares/csp.ts
+++ /dev/null
@@ -1,40 +0,0 @@
-import { contentSecurityPolicy } from 'helmet'
-import { CONFIG } from '../initializers/config'
-const baseDirectives = Object.assign({},
-  {
-    defaultSrc: [ '\'none\'' ], // by default, not specifying default-src = '*'
-    connectSrc: [ '*', 'data:' ],
-    mediaSrc: [ '\'self\'', 'https:', 'blob:' ],
-    fontSrc: [ '\'self\'', 'data:' ],
-    imgSrc: [ '\'self\'', 'data:', 'blob:' ],
-    scriptSrc: [ '\'self\' \'unsafe-inline\' \'unsafe-eval\'', 'blob:' ],
-    styleSrc: [ '\'self\' \'unsafe-inline\'' ],
-    objectSrc: [ '\'none\'' ], // only define to allow plugins, else let defaultSrc 'none' block it
-    formAction: [ '\'self\'' ],
-    frameAncestors: [ '\'none\'' ],
-    baseUri: [ '\'self\'' ],
-    manifestSrc: [ '\'self\'' ],
-    frameSrc: [ '\'self\'' ], // instead of deprecated child-src / self because of test-embed
-    workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
-  },
-  CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
-  CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
-)
-const baseCSP = contentSecurityPolicy({
-  directives: baseDirectives,
-  reportOnly: CONFIG.CSP.REPORT_ONLY
-})
-const embedCSP = contentSecurityPolicy({
-  directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
-  reportOnly: CONFIG.CSP.REPORT_ONLY
-})
-// ---------------------------------------------------------------------------
-export {
-  baseCSP,
-  embedCSP
-}

diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts deleted file mode 100644 index e2a75a17e..000000000 --- a/server/middlewares/csp.ts +++ /dev/null
@@ -1,40 +0,0 @@
1	import { contentSecurityPolicy } from 'helmet'
2	import { CONFIG } from '../initializers/config'
3
4	const baseDirectives = Object.assign({},
5	{
6	defaultSrc: [ '\'none\'' ], // by default, not specifying default-src = '*'
7	connectSrc: [ '*', 'data:' ],
8	mediaSrc: [ '\'self\'', 'https:', 'blob:' ],
9	fontSrc: [ '\'self\'', 'data:' ],
10	imgSrc: [ '\'self\'', 'data:', 'blob:' ],
11	scriptSrc: [ '\'self\' \'unsafe-inline\' \'unsafe-eval\'', 'blob:' ],
12	styleSrc: [ '\'self\' \'unsafe-inline\'' ],
13	objectSrc: [ '\'none\'' ], // only define to allow plugins, else let defaultSrc 'none' block it
14	formAction: [ '\'self\'' ],
15	frameAncestors: [ '\'none\'' ],
16	baseUri: [ '\'self\'' ],
17	manifestSrc: [ '\'self\'' ],
18	frameSrc: [ '\'self\'' ], // instead of deprecated child-src / self because of test-embed
19	workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
20	},
21	CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
22	CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
23	)
24
25	const baseCSP = contentSecurityPolicy({
26	directives: baseDirectives,
27	reportOnly: CONFIG.CSP.REPORT_ONLY
28	})
29
30	const embedCSP = contentSecurityPolicy({
31	directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
32	reportOnly: CONFIG.CSP.REPORT_ONLY
33	})
34
35	// ---------------------------------------------------------------------------
36
37	export {
38	baseCSP,
39	embedCSP
40	}