diff options
Diffstat (limited to 'server')
-rw-r--r-- | server/middlewares/csp.ts | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index a0ed3710b..8b919af0d 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts | |||
@@ -8,19 +8,18 @@ const baseDirectives = Object.assign({}, | |||
8 | mediaSrc: ["'self'", 'https:', 'blob:'], | 8 | mediaSrc: ["'self'", 'https:', 'blob:'], |
9 | fontSrc: ["'self'", 'data:'], | 9 | fontSrc: ["'self'", 'data:'], |
10 | imgSrc: ["'self'", 'data:'], | 10 | imgSrc: ["'self'", 'data:'], |
11 | scriptSrc: ["'self' 'unsafe-inline'"], | 11 | scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'"], |
12 | styleSrc: ["'self' 'unsafe-inline'"], | 12 | styleSrc: ["'self' 'unsafe-inline'"], |
13 | // objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it | 13 | objectSrc: ["'none'"], // only define to allow plugins, else let defaultSrc 'none' block it |
14 | formAction: ["'self'"], | 14 | formAction: ["'self'"], |
15 | frameAncestors: ["'none'"], | 15 | frameAncestors: ["'none'"], |
16 | baseUri: ["'self'"], | 16 | baseUri: ["'self'"], |
17 | pluginTypes: ["'none'"], | ||
18 | manifestSrc: ["'self'"], | 17 | manifestSrc: ["'self'"], |
19 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed | 18 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed |
20 | workerSrc: ["'self'"], // instead of deprecated child-src | 19 | workerSrc: ["'self'"] // instead of deprecated child-src |
21 | upgradeInsecureRequests: true | ||
22 | }, | 20 | }, |
23 | (CONFIG.SERVICES['CSP-LOGGER'] != null) ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {} | 21 | CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, |
22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} | ||
24 | ) | 23 | ) |
25 | 24 | ||
26 | const baseCSP = helmet.contentSecurityPolicy({ | 25 | const baseCSP = helmet.contentSecurityPolicy({ |