From 9499add64c6bef1f4924916c0ca39841fec56ee7 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Tue, 6 Jul 2021 21:17:56 +0200
Subject: [PATCH] Tighten up default Content-Security-Policy

This commit changes the
- default-src to none, so everything is disallowed by default
- base-uri, connect-uri and font-src to self, so these are restricted to the current origin
- frame-src to allow SlideShare, Vimeo and YouTube
- script-src to the specific paths that are used by HedgeDoc to serve scripts. This explicitly does not include the /uploads route
- style-src to the specific paths that are used by HedgeDoc to serve styles
-
Signed-off-by: David Mehren
---
 lib/csp.js | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/lib/csp.js b/lib/csp.js
index 74404413c..fa2f95bb3 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -4,11 +4,22 @@ const { v4: uuidv4 } = require('uuid')
 const CspStrategy = {}
 const defaultDirectives = {
-  defaultSrc: ['\'self\''],
-  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net'],
-  imgSrc: ['*'],
-  styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
-  fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
+  defaultSrc: ['\'none\''],
+  baseUri: ['\'self\''],
+  connectSrc: ['\'self\''],
+  fontSrc: ['\'self\''],
+  frameSrc: ['https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
+  imgSrc: ['*'], // we allow using arbitrary images
+  scriptSrc: [
+    config.serverURL + '/build/',
+    config.serverURL + '/js/',
+    config.serverURL + '/config',
+    'https://gist.github.com/',
+    'https://vimeo.com/api/oembed.json',
+    'https://www.slideshare.net/api/oembed/2',
+    '\'unsafe-inline\'' // this is ignored by browsers supporting nonces/hashes
+  ],
+  styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
   objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
   mediaSrc: ['*'],
   childSrc: ['*'],
@@ -43,9 +54,7 @@ CspStrategy.computeDirectives = function () {
   mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
   mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
   mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
-  if (!areAllInlineScriptsAllowed(directives)) {
-    addInlineScriptExceptions(directives)
-  }
+  addInlineScriptExceptions(directives)
   addUpgradeUnsafeRequestsOptionTo(directives)
   addReportURI(directives)
   return directives
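Review bot: The `config.serverURL + '/build/'` entries in scriptSrc and styleSrc are valid CSP host-sources only while serverURL carries a scheme and host; if serverURL can be an empty string (which I believe is the case when no domain is configured, to be confirmed against the config loader), the directives end up with bare paths such as `/build/`, which browsers discard as malformed source expressions, and with default-src `'none'` HedgeDoc's own scripts and styles are then blocked. A small helper with a fallback keeps the policy functional at the cost of widening to the whole origin in that case: `const ownPath = (p) => (config.serverURL ? config.serverURL + p : '\'self\'')`. Separately, the comment on `'unsafe-inline'` is true only while a hash or nonce source is actually present in script-src, so it should name that dependency, e.g. `// inert on CSP3 browsers only because addInlineScriptExceptions adds hash sources; without them this re-enables inline scripts`. Note also that once frameSrc is set, the unchanged `childSrc: ['*']` below no longer governs frames, only workers, which may or may not be intended.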
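Review bot: Removing the guard makes `addInlineScriptExceptions(directives)` unconditional, which leaves `areAllInlineScriptsAllowed` unreferenced in this hunk; if nothing else in lib/csp.js calls it, it should be deleted in the same commit rather than left as dead code. The unconditional call is also what the `'unsafe-inline'` fallback in defaultDirectives depends on, so a one-line comment would make that coupling visible to the next editor: `// always add hash sources: they make the 'unsafe-inline' fallback in defaultDirectives inert on CSP3 browsers`. computeDirectives begins before this hunk.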