diff options
Diffstat (limited to 'server/middlewares/csp.ts')
| -rw-r--r-- | server/middlewares/csp.ts | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index f5de69603..0ee44bf47 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts | |||
| @@ -19,18 +19,16 @@ const baseDirectives = Object.assign({}, | |||
| 19 | workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src | 19 | workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src |
| 20 | }, | 20 | }, |
| 21 | CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, | 21 | CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, |
| 22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} | 22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {} |
| 23 | ) | 23 | ) |
| 24 | 24 | ||
| 25 | const baseCSP = helmet.contentSecurityPolicy({ | 25 | const baseCSP = helmet.contentSecurityPolicy({ |
| 26 | directives: baseDirectives, | 26 | directives: baseDirectives, |
| 27 | browserSniff: false, | ||
| 28 | reportOnly: CONFIG.CSP.REPORT_ONLY | 27 | reportOnly: CONFIG.CSP.REPORT_ONLY |
| 29 | }) | 28 | }) |
| 30 | 29 | ||
| 31 | const embedCSP = helmet.contentSecurityPolicy({ | 30 | const embedCSP = helmet.contentSecurityPolicy({ |
| 32 | directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }), | 31 | directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }), |
| 33 | browserSniff: false, // assumes a modern browser, but allows CDN in front | ||
| 34 | reportOnly: CONFIG.CSP.REPORT_ONLY | 32 | reportOnly: CONFIG.CSP.REPORT_ONLY |
| 35 | }) | 33 | }) |
| 36 | 34 | ||