diff options
Diffstat (limited to 'server')
-rw-r--r-- | server/initializers/checker-after-init.ts | 6 | ||||
-rw-r--r-- | server/initializers/checker-before-init.ts | 1 | ||||
-rw-r--r-- | server/initializers/constants.ts | 6 | ||||
-rw-r--r-- | server/middlewares/csp.ts | 10 |
4 files changed, 16 insertions, 7 deletions
diff --git a/server/initializers/checker-after-init.ts b/server/initializers/checker-after-init.ts index 955d55206..53124f9ec 100644 --- a/server/initializers/checker-after-init.ts +++ b/server/initializers/checker-after-init.ts | |||
@@ -34,6 +34,12 @@ async function checkActivityPubUrls () { | |||
34 | // Return an error message, or null if everything is okay | 34 | // Return an error message, or null if everything is okay |
35 | function checkConfig () { | 35 | function checkConfig () { |
36 | 36 | ||
37 | // Moved configuration keys | ||
38 | if (config.has('services.csp-logger')) { | ||
39 | logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.') | ||
40 | } | ||
41 | |||
42 | // Email verification | ||
37 | if (!Emailer.isEnabled()) { | 43 | if (!Emailer.isEnabled()) { |
38 | if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) { | 44 | if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) { |
39 | return 'Emailer is disabled but you require signup email verification.' | 45 | return 'Emailer is disabled but you require signup email verification.' |
diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts index 230fdd356..2567d957b 100644 --- a/server/initializers/checker-before-init.ts +++ b/server/initializers/checker-before-init.ts | |||
@@ -15,6 +15,7 @@ function checkMissedConfig () { | |||
15 | 'storage.redundancy', 'storage.tmp', 'storage.playlists', | 15 | 'storage.redundancy', 'storage.tmp', 'storage.playlists', |
16 | 'log.level', | 16 | 'log.level', |
17 | 'user.video_quota', 'user.video_quota_daily', | 17 | 'user.video_quota', 'user.video_quota_daily', |
18 | 'csp.enabled', 'csp.report_only', 'csp.report_uri', | ||
18 | 'cache.previews.size', 'admin.email', 'contact_form.enabled', | 19 | 'cache.previews.size', 'admin.email', 'contact_form.enabled', |
19 | 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', | 20 | 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', |
20 | 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', | 21 | 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', |
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index 0ede45620..0d9a6a512 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts | |||
@@ -229,6 +229,11 @@ const CONFIG = { | |||
229 | STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies')) | 229 | STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies')) |
230 | } | 230 | } |
231 | }, | 231 | }, |
232 | CSP: { | ||
233 | ENABLED: config.get<boolean>('csp.enabled'), | ||
234 | REPORT_ONLY: config.get<boolean>('csp.report_only'), | ||
235 | REPORT_URI: config.get<boolean>('csp.report_uri') | ||
236 | }, | ||
232 | ADMIN: { | 237 | ADMIN: { |
233 | get EMAIL () { return config.get<string>('admin.email') } | 238 | get EMAIL () { return config.get<string>('admin.email') } |
234 | }, | 239 | }, |
@@ -300,7 +305,6 @@ const CONFIG = { | |||
300 | get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') } | 305 | get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') } |
301 | }, | 306 | }, |
302 | SERVICES: { | 307 | SERVICES: { |
303 | get 'CSP-LOGGER' () { return config.get<string>('services.csp-logger') }, | ||
304 | TWITTER: { | 308 | TWITTER: { |
305 | get USERNAME () { return config.get<string>('services.twitter.username') }, | 309 | get USERNAME () { return config.get<string>('services.twitter.username') }, |
306 | get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') } | 310 | get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') } |
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index 5fa9d1ab5..404e33b43 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts | |||
@@ -18,22 +18,20 @@ const baseDirectives = Object.assign({}, | |||
18 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed | 18 | frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed |
19 | workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src | 19 | workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src |
20 | }, | 20 | }, |
21 | CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, | 21 | CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, |
22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} | 22 | CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} |
23 | ) | 23 | ) |
24 | 24 | ||
25 | const baseCSP = helmet.contentSecurityPolicy({ | 25 | const baseCSP = helmet.contentSecurityPolicy({ |
26 | directives: baseDirectives, | 26 | directives: baseDirectives, |
27 | browserSniff: false, | 27 | browserSniff: false, |
28 | reportOnly: true | 28 | reportOnly: CONFIG.CSP.REPORT_ONLY |
29 | }) | 29 | }) |
30 | 30 | ||
31 | const embedCSP = helmet.contentSecurityPolicy({ | 31 | const embedCSP = helmet.contentSecurityPolicy({ |
32 | directives: Object.assign(baseDirectives, { | 32 | directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }), |
33 | frameAncestors: ['*'] | ||
34 | }), | ||
35 | browserSniff: false, // assumes a modern browser, but allows CDN in front | 33 | browserSniff: false, // assumes a modern browser, but allows CDN in front |
36 | reportOnly: true | 34 | reportOnly: CONFIG.CSP.REPORT_ONLY |
37 | }) | 35 | }) |
38 | 36 | ||
39 | // --------------------------------------------------------------------------- | 37 | // --------------------------------------------------------------------------- |