Harden content security policy even further
parent
f9be519c2f
commit
fb0f68f8a5
@ -193,19 +193,23 @@ function index(req, res, next) {
}
}
|
|
const policies = [
const policies = [
"default-src *",
"default-src 'none'", // default to nothing
"connect-src 'self' ws: wss:",
"form-action 'none'", // no default-src fallback
"style-src * 'unsafe-inline'",
"connect-src 'self' ws: wss:", // allow self for polling; websockets
"script-src 'self'",
"style-src 'self' 'unsafe-inline'", // allow inline due to use in irc hex colors
"child-src 'self'",
"script-src 'self'", // javascript
"object-src 'none'",
"worker-src 'self'", // service worker
"form-action 'none'",
"manifest-src 'self'", // manifest.json
|
"font-src 'self' https:", // allow loading fonts from secure sites (e.g. google fonts)
|
"media-src 'self' https:", // self for notification sound; allow https media (audio previews)
];
];
|
|
// If prefetch is enabled, but storage is not, we have to allow mixed content
// If prefetch is enabled, but storage is not, we have to allow mixed content
if (Helper.config.prefetchStorage || !Helper.config.prefetch) {
if (Helper.config.prefetchStorage || !Helper.config.prefetch) {
policies.push("img-src 'self'");
policies.push("img-src 'self'");
policies.unshift("block-all-mixed-content");
policies.unshift("block-all-mixed-content");
|
} else {
|
policies.push("img-src http: https:");
}
}
|
|
res.setHeader("Content-Type", "text/html");
res.setHeader("Content-Type", "text/html");
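Review bot: The new policy list still lacks `base-uri`, which like `form-action` does not fall back to `default-src 'none'`, so an injected `<base href>` could redirect the relative `script-src 'self'` loads to another origin; add `"base-uri 'none'", // no default-src fallback` next to the `form-action` entry, and unless clickjacking is already handled by an X-Frame-Options header set elsewhere, `"frame-ancestors 'none'"` for the same reason. The `font-src 'self' https:` and `media-src 'self' https:` entries whitelist every HTTPS origin; if the intent is only Google Fonts and audio previews, note that in the comment or narrow the scheme-source to the hosts actually needed. Dropping `child-src 'self'` in favor of `worker-src 'self'` presumably leaves browsers that predate `worker-src` falling back to `default-src 'none'` for the service worker, so it is worth confirming the supported-browser baseline before relying on it. The enclosing function index() starts before and continues after this hunk.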