diff options
Diffstat (limited to 'server/middlewares')
| -rw-r--r-- | server/middlewares/csp.ts | 4 | ||||
| -rw-r--r-- | server/middlewares/validators/videos/videos.ts | 34 |
2 files changed, 19 insertions, 19 deletions
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index f5de69603..0ee44bf47 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts | |||
| @@ -19,18 +19,16 @@ const baseDirectives = Object.assign({}, | |||
| 19 | workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src | 19 | workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src |
| 20 | }, | 20 | }, |
| 21 | CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, | 21 | CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, |
| 22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} | 22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {} |
| 23 | ) | 23 | ) |
| 24 | 24 | ||
| 25 | const baseCSP = helmet.contentSecurityPolicy({ | 25 | const baseCSP = helmet.contentSecurityPolicy({ |
| 26 | directives: baseDirectives, | 26 | directives: baseDirectives, |
| 27 | browserSniff: false, | ||
| 28 | reportOnly: CONFIG.CSP.REPORT_ONLY | 27 | reportOnly: CONFIG.CSP.REPORT_ONLY |
| 29 | }) | 28 | }) |
| 30 | 29 | ||
| 31 | const embedCSP = helmet.contentSecurityPolicy({ | 30 | const embedCSP = helmet.contentSecurityPolicy({ |
| 32 | directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }), | 31 | directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }), |
| 33 | browserSniff: false, // assumes a modern browser, but allows CDN in front | ||
| 34 | reportOnly: CONFIG.CSP.REPORT_ONLY | 32 | reportOnly: CONFIG.CSP.REPORT_ONLY |
| 35 | }) | 33 | }) |
| 36 | 34 | ||
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index 40a34d3b8..b022b2c23 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts | |||
| @@ -1,6 +1,9 @@ | |||
| 1 | import * as express from 'express' | 1 | import * as express from 'express' |
| 2 | import { body, param, query, ValidationChain } from 'express-validator' | 2 | import { body, param, query, ValidationChain } from 'express-validator' |
| 3 | import { UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared' | 3 | import { getServerActor } from '@server/models/application/application' |
| 4 | import { MVideoFullLight } from '@server/types/models' | ||
| 5 | import { ServerErrorCode, UserRight, VideoChangeOwnershipStatus, VideoPrivacy } from '../../../../shared' | ||
| 6 | import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/video-change-ownership-accept.model' | ||
| 4 | import { | 7 | import { |
| 5 | isBooleanValid, | 8 | isBooleanValid, |
| 6 | isDateValid, | 9 | isDateValid, |
| @@ -12,6 +15,8 @@ import { | |||
| 12 | toIntOrNull, | 15 | toIntOrNull, |
| 13 | toValueOrNull | 16 | toValueOrNull |
| 14 | } from '../../../helpers/custom-validators/misc' | 17 | } from '../../../helpers/custom-validators/misc' |
| 18 | import { isNSFWQueryValid, isNumberArray, isStringArray } from '../../../helpers/custom-validators/search' | ||
| 19 | import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } from '../../../helpers/custom-validators/video-ownership' | ||
| 15 | import { | 20 | import { |
| 16 | isScheduleVideoUpdatePrivacyValid, | 21 | isScheduleVideoUpdatePrivacyValid, |
| 17 | isVideoCategoryValid, | 22 | isVideoCategoryValid, |
| @@ -27,29 +32,24 @@ import { | |||
| 27 | isVideoSupportValid, | 32 | isVideoSupportValid, |
| 28 | isVideoTagsValid | 33 | isVideoTagsValid |
| 29 | } from '../../../helpers/custom-validators/videos' | 34 | } from '../../../helpers/custom-validators/videos' |
| 35 | import { cleanUpReqFiles } from '../../../helpers/express-utils' | ||
| 30 | import { getDurationFromVideoFile } from '../../../helpers/ffmpeg-utils' | 36 | import { getDurationFromVideoFile } from '../../../helpers/ffmpeg-utils' |
| 31 | import { logger } from '../../../helpers/logger' | 37 | import { logger } from '../../../helpers/logger' |
| 32 | import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants' | ||
| 33 | import { authenticatePromiseIfNeeded } from '../../oauth' | ||
| 34 | import { areValidationErrors } from '../utils' | ||
| 35 | import { cleanUpReqFiles } from '../../../helpers/express-utils' | ||
| 36 | import { VideoModel } from '../../../models/video/video' | ||
| 37 | import { checkUserCanTerminateOwnershipChange, doesChangeVideoOwnershipExist } from '../../../helpers/custom-validators/video-ownership' | ||
| 38 | import { VideoChangeOwnershipAccept } from '../../../../shared/models/videos/video-change-ownership-accept.model' | ||
| 39 | import { AccountModel } from '../../../models/account/account' | ||
| 40 | import { isNSFWQueryValid, isNumberArray, isStringArray } from '../../../helpers/custom-validators/search' | ||
| 41 | import { CONFIG } from '../../../initializers/config' | ||
| 42 | import { isLocalVideoAccepted } from '../../../lib/moderation' | ||
| 43 | import { Hooks } from '../../../lib/plugins/hooks' | ||
| 44 | import { | 38 | import { |
| 45 | checkUserCanManageVideo, | 39 | checkUserCanManageVideo, |
| 46 | doesVideoChannelOfAccountExist, | 40 | doesVideoChannelOfAccountExist, |
| 47 | doesVideoExist, | 41 | doesVideoExist, |
| 48 | doesVideoFileOfVideoExist | 42 | doesVideoFileOfVideoExist |
| 49 | } from '../../../helpers/middlewares' | 43 | } from '../../../helpers/middlewares' |
| 50 | import { MVideoFullLight } from '@server/types/models' | ||
| 51 | import { getVideoWithAttributes } from '../../../helpers/video' | 44 | import { getVideoWithAttributes } from '../../../helpers/video' |
| 52 | import { getServerActor } from '@server/models/application/application' | 45 | import { CONFIG } from '../../../initializers/config' |
| 46 | import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants' | ||
| 47 | import { isLocalVideoAccepted } from '../../../lib/moderation' | ||
| 48 | import { Hooks } from '../../../lib/plugins/hooks' | ||
| 49 | import { AccountModel } from '../../../models/account/account' | ||
| 50 | import { VideoModel } from '../../../models/video/video' | ||
| 51 | import { authenticatePromiseIfNeeded } from '../../oauth' | ||
| 52 | import { areValidationErrors } from '../utils' | ||
| 53 | 53 | ||
| 54 | const videosAddValidator = getCommonVideoEditAttributes().concat([ | 54 | const videosAddValidator = getCommonVideoEditAttributes().concat([ |
| 55 | body('videofile') | 55 | body('videofile') |
| @@ -148,7 +148,9 @@ async function checkVideoFollowConstraints (req: express.Request, res: express.R | |||
| 148 | 148 | ||
| 149 | return res.status(403) | 149 | return res.status(403) |
| 150 | .json({ | 150 | .json({ |
| 151 | error: 'Cannot get this video regarding follow constraints.' | 151 | errorCode: ServerErrorCode.DOES_NOT_RESPECT_FOLLOW_CONSTRAINTS, |
| 152 | error: 'Cannot get this video regarding follow constraints.', | ||
| 153 | originUrl: video.url | ||
| 152 | }) | 154 | }) |
| 153 | } | 155 | } |
| 154 | 156 | ||