supernets/hardlounge
supernets/hardlounge
4
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Harden content security policy even further

Browse Source
This commit is contained in:
Pavel Djundik 2017-12-07 20:45:45 +02:00
parent f9be519c2f
commit fb0f68f8a5
1 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/server.js
View File

@ -193,19 +193,23 @@ function index(req, res, next) {
} }
const policies = [ const policies = [
"default-src *", "default-src 'none'", // default to nothing
"connect-src 'self' ws: wss:", "form-action 'none'", // no default-src fallback
"style-src * 'unsafe-inline'", "connect-src 'self' ws: wss:", // allow self for polling; websockets
"script-src 'self'", "style-src 'self' 'unsafe-inline'", // allow inline due to use in irc hex colors
"child-src 'self'", "script-src 'self'", // javascript
"object-src 'none'", "worker-src 'self'", // service worker
"form-action 'none'", "manifest-src 'self'", // manifest.json
"font-src 'self' https:", // allow loading fonts from secure sites (e.g. google fonts)
"media-src 'self' https:", // self for notification sound; allow https media (audio previews)
]; ];
// If prefetch is enabled, but storage is not, we have to allow mixed content // If prefetch is enabled, but storage is not, we have to allow mixed content
if (Helper.config.prefetchStorage || !Helper.config.prefetch) { if (Helper.config.prefetchStorage || !Helper.config.prefetch) {
policies.push("img-src 'self'"); policies.push("img-src 'self'");
policies.unshift("block-all-mixed-content"); policies.unshift("block-all-mixed-content");
} else {
policies.push("img-src http: https:");
} }
res.setHeader("Content-Type", "text/html"); res.setHeader("Content-Type", "text/html");