From 539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Thu, 21 Feb 2019 16:27:32 +0100 Subject: BREAKING: update CSP configuration Disable it by default and add ability to specify a custom report uri --- server/initializers/checker-after-init.ts | 6 ++++++ server/initializers/checker-before-init.ts | 1 + server/initializers/constants.ts | 6 +++++- server/middlewares/csp.ts | 10 ++++------ 4 files changed, 16 insertions(+), 7 deletions(-) (limited to 'server') diff --git a/server/initializers/checker-after-init.ts b/server/initializers/checker-after-init.ts index 955d55206..53124f9ec 100644 --- a/server/initializers/checker-after-init.ts +++ b/server/initializers/checker-after-init.ts @@ -34,6 +34,12 @@ async function checkActivityPubUrls () { // Return an error message, or null if everything is okay function checkConfig () { + // Moved configuration keys + if (config.has('services.csp-logger')) { + logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.') + } + + // Email verification if (!Emailer.isEnabled()) { if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) { return 'Emailer is disabled but you require signup email verification.' diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts index 230fdd356..2567d957b 100644 --- a/server/initializers/checker-before-init.ts +++ b/server/initializers/checker-before-init.ts @@ -15,6 +15,7 @@ function checkMissedConfig () { 'storage.redundancy', 'storage.tmp', 'storage.playlists', 'log.level', 'user.video_quota', 'user.video_quota_daily', + 'csp.enabled', 'csp.report_only', 'csp.report_uri', 'cache.previews.size', 'admin.email', 'contact_form.enabled', 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index 0ede45620..0d9a6a512 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts @@ -229,6 +229,11 @@ const CONFIG = { STRATEGIES: buildVideosRedundancy(config.get('redundancy.videos.strategies')) } }, + CSP: { + ENABLED: config.get('csp.enabled'), + REPORT_ONLY: config.get('csp.report_only'), + REPORT_URI: config.get('csp.report_uri') + }, ADMIN: { get EMAIL () { return config.get('admin.email') } }, @@ -300,7 +305,6 @@ const CONFIG = { get SECURITYTXT_CONTACT () { return config.get('admin.email') } }, SERVICES: { - get 'CSP-LOGGER' () { return config.get('services.csp-logger') }, TWITTER: { get USERNAME () { return config.get('services.twitter.username') }, get WHITELISTED () { return config.get('services.twitter.whitelisted') } diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index 5fa9d1ab5..404e33b43 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts @@ -18,22 +18,20 @@ const baseDirectives = Object.assign({}, frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src }, - CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, + CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} ) const baseCSP = helmet.contentSecurityPolicy({ directives: baseDirectives, browserSniff: false, - reportOnly: true + reportOnly: CONFIG.CSP.REPORT_ONLY }) const embedCSP = helmet.contentSecurityPolicy({ - directives: Object.assign(baseDirectives, { - frameAncestors: ['*'] - }), + directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }), browserSniff: false, // assumes a modern browser, but allows CDN in front - reportOnly: true + reportOnly: CONFIG.CSP.REPORT_ONLY }) // --------------------------------------------------------------------------- -- cgit v1.2.3