From 539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Thu, 21 Feb 2019 16:27:32 +0100 Subject: BREAKING: update CSP configuration Disable it by default and add ability to specify a custom report uri --- server/middlewares/csp.ts | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'server/middlewares') diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index 5fa9d1ab5..404e33b43 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts @@ -18,22 +18,20 @@ const baseDirectives = Object.assign({}, frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src }, - CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, + CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} ) const baseCSP = helmet.contentSecurityPolicy({ directives: baseDirectives, browserSniff: false, - reportOnly: true + reportOnly: CONFIG.CSP.REPORT_ONLY }) const embedCSP = helmet.contentSecurityPolicy({ - directives: Object.assign(baseDirectives, { - frameAncestors: ['*'] - }), + directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }), browserSniff: false, // assumes a modern browser, but allows CDN in front - reportOnly: true + reportOnly: CONFIG.CSP.REPORT_ONLY }) // --------------------------------------------------------------------------- -- cgit v1.2.3