mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-25 11:16:31 -05:00
Tighten up default Content-Security-Policy
This commit changes the - default-src to none, so everything is disallowed by default - base-uri, connect-uri and font-src to self, so these are restricted to the current origin - frame-src to allow SlideShare, Vimeo and YouTube - script-src to the specific paths that are used by HedgeDoc to serve scripts. This explicitly does not include the /uploads route - style-src to the specific paths that are used by HedgeDoc to serve styles - Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
parent
ed8119d314
commit
9499add64c
1 changed files with 17 additions and 8 deletions
25
lib/csp.js
25
lib/csp.js
|
@ -4,11 +4,22 @@ const { v4: uuidv4 } = require('uuid')
|
|||
const CspStrategy = {}
|
||||
|
||||
const defaultDirectives = {
|
||||
defaultSrc: ['\'self\''],
|
||||
scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net'],
|
||||
imgSrc: ['*'],
|
||||
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
|
||||
fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
|
||||
defaultSrc: ['\'none\''],
|
||||
baseUri: ['\'self\''],
|
||||
connectSrc: ['\'self\''],
|
||||
fontSrc: ['\'self\''],
|
||||
frameSrc: ['https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
|
||||
imgSrc: ['*'], // we allow using arbitrary images
|
||||
scriptSrc: [
|
||||
config.serverURL + '/build/',
|
||||
config.serverURL + '/js/',
|
||||
config.serverURL + '/config',
|
||||
'https://gist.github.com/',
|
||||
'https://vimeo.com/api/oembed.json',
|
||||
'https://www.slideshare.net/api/oembed/2',
|
||||
'\'unsafe-inline\'' // this is ignored by browsers supporting nonces/hashes
|
||||
],
|
||||
styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
|
||||
objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
|
||||
mediaSrc: ['*'],
|
||||
childSrc: ['*'],
|
||||
|
@ -43,9 +54,7 @@ CspStrategy.computeDirectives = function () {
|
|||
mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
|
||||
mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
|
||||
mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
|
||||
if (!areAllInlineScriptsAllowed(directives)) {
|
||||
addInlineScriptExceptions(directives)
|
||||
}
|
||||
addInlineScriptExceptions(directives)
|
||||
addUpgradeUnsafeRequestsOptionTo(directives)
|
||||
addReportURI(directives)
|
||||
return directives
|
||||
|
|
Loading…
Reference in a new issue