Merge pull request #292 from thelounge/xpaw/csp
Add security headers to minimize XSS damage
This commit is contained in:
commit
c7fb388323
@ -14,7 +14,7 @@ function uri(text) {
|
|||||||
return url;
|
return url;
|
||||||
}
|
}
|
||||||
var split = url.split("<");
|
var split = url.split("<");
|
||||||
url = "<a href='" + split[0].replace(/^www/, "//www") + "' target='_blank'>" + split[0] + "</a>";
|
url = "<a href='" + split[0].replace(/^www/, "//www") + "' target='_blank' rel='noopener'>" + split[0] + "</a>";
|
||||||
if (split.length > 1) {
|
if (split.length > 1) {
|
||||||
url += "<" + split.slice(1).join("<");
|
url += "<" + split.slice(1).join("<");
|
||||||
}
|
}
|
||||||
|
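Review bot: The href attribute on the changed line is still built by concatenating `split[0]` into a single-quoted attribute with no attribute escaping, and the same raw `split[0]` becomes the anchor text, so a `'` (or `"`, `&`) in the matched text can close the attribute or inject markup. Whether that is reachable depends on whether `text` is already HTML-escaped before uri() is called, which the hunk does not show — the function body starts above the hunk. If it is not, escape the value before interpolating, at minimum `split[0].replace(/&/g, "&amp;").replace(/'/g, "&#39;")` for the attribute, and `rel='noopener noreferrer'` would also be worth using since the `referrer` CSP directive added elsewhere in this commit is not honoured by current browsers.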
@ -17,6 +17,7 @@ module.exports = function(options) {
|
|||||||
config = _.extend(config, options);
|
config = _.extend(config, options);
|
||||||
|
|
||||||
var app = express()
|
var app = express()
|
||||||
|
.use(allRequests)
|
||||||
.use(index)
|
.use(index)
|
||||||
.use(express.static("client"));
|
.use(express.static("client"));
|
||||||
|
|
||||||
@ -80,6 +81,11 @@ function getClientIp(req) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function allRequests(req, res, next) {
|
||||||
|
res.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
|
return next();
|
||||||
|
}
|
||||||
|
|
||||||
function index(req, res, next) {
|
function index(req, res, next) {
|
||||||
if (req.url.split("?")[0] !== "/") {
|
if (req.url.split("?")[0] !== "/") {
|
||||||
return next();
|
return next();
|
||||||
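Review bot: allRequests sets only X-Content-Type-Options, so nothing in this commit prevents the app from being framed: the `child-src 'none'` in the CSP added later in this file restricts what the page may embed, not who may embed the page. Adding `res.setHeader("X-Frame-Options", "DENY");` here (or `frame-ancestors 'none'` in the CSP) would close that gap. The function also has no documentation; a one-line comment such as `// Headers applied to every response, including the static assets served after this middleware.` would make the ordering in the express() chain self-explanatory.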
@ -91,6 +97,7 @@ function index(req, res, next) {
|
|||||||
config
|
config
|
||||||
);
|
);
|
||||||
var template = _.template(file);
|
var template = _.template(file);
|
||||||
|
res.setHeader("Content-Security-Policy", "default-src *; style-src * 'unsafe-inline'; script-src 'self'; child-src 'none'; object-src 'none'; form-action 'none'; referrer no-referrer;");
|
||||||
res.setHeader("Content-Type", "text/html");
|
res.setHeader("Content-Type", "text/html");
|
||||||
res.writeHead(200);
|
res.writeHead(200);
|
||||||
res.end(template(data));
|
res.end(template(data));
|
||||||
|
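Review bot: The `referrer no-referrer` directive in the new Content-Security-Policy value is not part of the CSP standard — it existed only in an early draft and current browsers ignore it — so the referrer is not actually suppressed. Send it as its own header next to the CSP line instead, `res.setHeader("Referrer-Policy", "no-referrer");`. The policy string is also worth hoisting to a module-level constant with a comment explaining why `style-src` needs `'unsafe-inline'` and why `script-src` is limited to `'self'`, since that intent is not recoverable from the literal. index() starts outside the hunk.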