mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-25 11:16:31 -05:00
CSP: Workaround for ws:// protocol
The spec allows wss:// for 'self', but not ws:// :(
This commit is contained in:
parent
0cbdc852cb
commit
996cb37991
1 changed files with 12 additions and 2 deletions
14
app.js
14
app.js
|
@ -116,6 +116,15 @@ app.use((req, res, next) => {
|
|||
|
||||
// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
|
||||
// https://helmetjs.github.io/docs/csp/
|
||||
function getCspNonce (req, res) {
|
||||
return "'nonce-" + res.locals.nonce + "'"
|
||||
}
|
||||
|
||||
function getCspWebSocketUrl (req, res) {
|
||||
// wss: is included in 'self', but 'ws:' is not
|
||||
return (req.protocol === 'http' ? 'ws:' : 'wss:') + config.serverurl.replace(/https?:/, "")
|
||||
}
|
||||
|
||||
if (config.csp.enable) {
|
||||
var cdnDirectives = {
|
||||
scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
|
||||
|
@ -125,14 +134,15 @@ if (config.csp.enable) {
|
|||
var directives = {}
|
||||
for (var propertyName in config.csp.directives) {
|
||||
if (config.csp.directives.hasOwnProperty(propertyName)) {
|
||||
var directive = config.csp.directives[propertyName]
|
||||
var directive = [].concat(config.csp.directives[propertyName])
|
||||
if (config.usecdn && !!cdnDirectives[propertyName]) {
|
||||
directive = directive.concat(cdnDirectives[propertyName])
|
||||
}
|
||||
directives[propertyName] = directive
|
||||
}
|
||||
}
|
||||
directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
|
||||
directives.scriptSrc.push(getCspNonce)
|
||||
directives.connectSrc.push(getCspWebSocketUrl)
|
||||
if (config.csp.upgradeInsecureRequests === 'auto') {
|
||||
directives.upgradeInsecureRequests = config.usessl === 'true'
|
||||
} else {
|
||||
|
|
Loading…
Reference in a new issue