Merge pull request #292 from thelounge/xpaw/csp

Add security headers to minimize XSS damage
This commit is contained in:
Jérémie Astori 2016-05-08 00:42:05 -04:00
commit c7fb388323
2 changed files with 8 additions and 1 deletions

View File

@ -14,7 +14,7 @@ function uri(text) {
return url; return url;
} }
var split = url.split("<"); var split = url.split("<");
url = "<a href='" + split[0].replace(/^www/, "//www") + "' target='_blank'>" + split[0] + "</a>"; url = "<a href='" + split[0].replace(/^www/, "//www") + "' target='_blank' rel='noopener'>" + split[0] + "</a>";
if (split.length > 1) { if (split.length > 1) {
url += "<" + split.slice(1).join("<"); url += "<" + split.slice(1).join("<");
} }

View File

@ -17,6 +17,7 @@ module.exports = function(options) {
config = _.extend(config, options); config = _.extend(config, options);
var app = express() var app = express()
.use(allRequests)
.use(index) .use(index)
.use(express.static("client")); .use(express.static("client"));
@ -80,6 +81,11 @@ function getClientIp(req) {
} }
} }
function allRequests(req, res, next) {
res.setHeader("X-Content-Type-Options", "nosniff");
return next();
}
function index(req, res, next) { function index(req, res, next) {
if (req.url.split("?")[0] !== "/") { if (req.url.split("?")[0] !== "/") {
return next(); return next();
@ -91,6 +97,7 @@ function index(req, res, next) {
config config
); );
var template = _.template(file); var template = _.template(file);
res.setHeader("Content-Security-Policy", "default-src *; style-src * 'unsafe-inline'; script-src 'self'; child-src 'none'; object-src 'none'; form-action 'none'; referrer no-referrer;");
res.setHeader("Content-Type", "text/html"); res.setHeader("Content-Type", "text/html");
res.writeHead(200); res.writeHead(200);
res.end(template(data)); res.end(template(data));