1 files changed, 15 insertions, 15 deletions
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
index d11d70790..f5de69603 100644
--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -3,20 +3,20 @@ import { CONFIG } from '../initializers/config'
 const baseDirectives = Object.assign({},
  {
-    defaultSrc: ["'none'"], // by default, not specifying default-src = '*'
+    defaultSrc: [ '\'none\'' ], // by default, not specifying default-src = '*'
-    connectSrc: ['*', 'data:'],
+    connectSrc: [ '*', 'data:' ],
-    mediaSrc: ["'self'", 'https:', 'blob:'],
+    mediaSrc: [ '\'self\'', 'https:', 'blob:' ],
-    fontSrc: ["'self'", 'data:'],
+    fontSrc: [ '\'self\'', 'data:' ],
-    imgSrc: ["'self'", 'data:', 'blob:'],
+    imgSrc: [ '\'self\'', 'data:', 'blob:' ],
-    scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'", 'blob:'],
+    scriptSrc: [ '\'self\' \'unsafe-inline\' \'unsafe-eval\'', 'blob:' ],
-    styleSrc: ["'self' 'unsafe-inline'"],
+    styleSrc: [ '\'self\' \'unsafe-inline\'' ],
-    objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it
+    objectSrc: [ '\'none\'' ], // only define to allow plugins, else let defaultSrc 'none' block it
-    formAction: ["'self'"],
+    formAction: [ '\'self\'' ],
-    frameAncestors: ["'none'"],
+    frameAncestors: [ '\'none\'' ],
-    baseUri: ["'self'"],
+    baseUri: [ '\'self\'' ],
-    manifestSrc: ["'self'"],
+    manifestSrc: [ '\'self\'' ],
-    frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
+    frameSrc: [ '\'self\'' ], // instead of deprecated child-src / self because of test-embed
-    workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
+    workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
  },
  CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
  CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
@@ -29,7 +29,7 @@ const baseCSP = helmet.contentSecurityPolicy({
 })
 const embedCSP = helmet.contentSecurityPolicy({
-  directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }),
+  directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
  browserSniff: false, // assumes a modern browser, but allows CDN in front
  reportOnly: CONFIG.CSP.REPORT_ONLY
 })

diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index d11d70790..f5de69603 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts
@@ -3,20 +3,20 @@ import { CONFIG } from '../initializers/config'
3		3
4	const baseDirectives = Object.assign({},	4	const baseDirectives = Object.assign({},
5	{	5	{
6	defaultSrc: ["'none'"], // by default, not specifying default-src = '*'	6	defaultSrc: [ '\'none\'' ], // by default, not specifying default-src = '*'
7	connectSrc: ['*', 'data:'],	7	connectSrc: [ '*', 'data:' ],
8	mediaSrc: ["'self'", 'https:', 'blob:'],	8	mediaSrc: [ '\'self\'', 'https:', 'blob:' ],
9	fontSrc: ["'self'", 'data:'],	9	fontSrc: [ '\'self\'', 'data:' ],
10	imgSrc: ["'self'", 'data:', 'blob:'],	10	imgSrc: [ '\'self\'', 'data:', 'blob:' ],
11	scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'", 'blob:'],	11	scriptSrc: [ '\'self\' \'unsafe-inline\' \'unsafe-eval\'', 'blob:' ],
12	styleSrc: ["'self' 'unsafe-inline'"],	12	styleSrc: [ '\'self\' \'unsafe-inline\'' ],
13	objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it	13	objectSrc: [ '\'none\'' ], // only define to allow plugins, else let defaultSrc 'none' block it
14	formAction: ["'self'"],	14	formAction: [ '\'self\'' ],
15	frameAncestors: ["'none'"],	15	frameAncestors: [ '\'none\'' ],
16	baseUri: ["'self'"],	16	baseUri: [ '\'self\'' ],
17	manifestSrc: ["'self'"],	17	manifestSrc: [ '\'self\'' ],
18	frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed	18	frameSrc: [ '\'self\'' ], // instead of deprecated child-src / self because of test-embed
19	workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src	19	workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
20	},	20	},
21	CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},	21	CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
22	CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}	22	CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
@@ -29,7 +29,7 @@ const baseCSP = helmet.contentSecurityPolicy({
29	})	29	})
30		30
31	const embedCSP = helmet.contentSecurityPolicy({	31	const embedCSP = helmet.contentSecurityPolicy({
32	directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }),	32	directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
33	browserSniff: false, // assumes a modern browser, but allows CDN in front	33	browserSniff: false, // assumes a modern browser, but allows CDN in front
34	reportOnly: CONFIG.CSP.REPORT_ONLY	34	reportOnly: CONFIG.CSP.REPORT_ONLY
35	})	35	})