Diffstat (limited to 'server')
-rw-r--r-- | server/initializers/config.ts | 2 | ||||
-rw-r--r-- | server/middlewares/csp.ts | 4 |
2 files changed, 2 insertions, 4 deletions
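--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -125,7 +125,7 @@ const CONFIG = {
 CSP: {
 ENABLED: config.get<boolean>('csp.enabled'),
 REPORT_ONLY: config.get<boolean>('csp.report_only'),
-REPORT_URI: config.get<boolean>('csp.report_uri')
+REPORT_URI: config.get<string>('csp.report_uri')
 },
 TRACKER: {
 ENABLED: config.get<boolean>('tracker.enabled'),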
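Review bot: The `string` type parameter on line 128 is erased at compile time, so nothing checks at runtime that `csp.report_uri` actually holds a string; a non-string or malformed value from the configuration file would still pass the truthiness test on `CONFIG.CSP.REPORT_URI` in server/middlewares/csp.ts and be spliced into the `report-uri` directive. A startup guard next to the other config validation, `if (CONFIG.CSP.REPORT_URI && typeof CONFIG.CSP.REPORT_URI !== 'string') throw new Error('csp.report_uri must be a string')`, would fail early instead of emitting a broken header. The enclosing `CONFIG` object starts before the hunk.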
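--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -19,18 +19,16 @@ const baseDirectives = Object.assign({},
 workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
 },
 CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
-CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
+CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
 )
 
 const baseCSP = helmet.contentSecurityPolicy({
 directives: baseDirectives,
-browserSniff: false,
 reportOnly: CONFIG.CSP.REPORT_ONLY
 })
 
 const embedCSP = helmet.contentSecurityPolicy({
 directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
-browserSniff: false, // assumes a modern browser, but allows CDN in front
 reportOnly: CONFIG.CSP.REPORT_ONLY
 })
 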
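Review bot: Removing `browserSniff: false` from both policies also removes the only comment stating why the header must be identical for every client ("allows CDN in front"); a one-line note above `baseCSP`, `// one CSP for all user agents, so the header stays cacheable behind a CDN`, keeps that rationale now that the option is gone. The helmet release that dropped `browserSniff` and takes `upgradeInsecureRequests: []` may also merge its own default directives into `directives` unless `useDefaults: false` is passed — confirm against the installed version, since an unintended `default-src` would change what the embed page (which deliberately sets `frameAncestors: [ '*' ]`) is allowed to load. `baseDirectives` begins before the hunk.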