Merge pull request #3676 from thelounge/xpaw/csp

Remove `child-src` from CSP, add `base-uri 'none'`
This commit is contained in:
Pavel Djundik 2020-01-22 10:28:44 +02:00 committed by GitHub
commit 8b04979eac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -296,12 +296,12 @@ function forceNoCacheRequest(req, res, next) {
function indexRequest(req, res) { function indexRequest(req, res) {
const policies = [ const policies = [
"default-src 'none'", // default to nothing "default-src 'none'", // default to nothing
"base-uri 'none'", // disallow <base>, has no fallback to default-src
"form-action 'self'", // 'self' to fix saving passwords in Firefox, even though login is handled in javascript "form-action 'self'", // 'self' to fix saving passwords in Firefox, even though login is handled in javascript
"connect-src 'self' ws: wss:", // allow self for polling; websockets "connect-src 'self' ws: wss:", // allow self for polling; websockets
"style-src 'self' https: 'unsafe-inline'", // allow inline due to use in irc hex colors "style-src 'self' https: 'unsafe-inline'", // allow inline due to use in irc hex colors
"script-src 'self'", // javascript "script-src 'self'", // javascript
"worker-src 'self'", // service worker "worker-src 'self'", // service worker
"child-src 'self'", // deprecated fall back for workers, Firefox <58, see #1902
"manifest-src 'self'", // manifest.json "manifest-src 'self'", // manifest.json
"font-src 'self' https:", // allow loading fonts from secure sites (e.g. google fonts) "font-src 'self' https:", // allow loading fonts from secure sites (e.g. google fonts)
"media-src 'self' https:", // self for notification sound; allow https media (audio previews) "media-src 'self' https:", // self for notification sound; allow https media (audio previews)