forks/peertube
1
0
Fork 0
Code Releases Activity

Fix CSP

Browse source
This commit is contained in:
Chocobozzz 2024-02-27 11:18:19 +01:00
parent a172cadee4
commit c75381208f
No known key found for this signature in database
GPG key ID: 583A612D890159BE
1 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

11
server/core/middlewares/csp.ts
View file

@ -9,6 +9,7 @@ const baseDirectives = Object.assign({},
fontSrc: [ '\'self\'', 'data:' ],
imgSrc: [ '\'self\'', 'data:', 'blob:' ],
scriptSrc: [ '\'self\' \'unsafe-inline\' \'unsafe-eval\'', 'blob:' ],
scriptSrcAttr: [ '\'unsafe-inline\'' ],
styleSrc: [ '\'self\' \'unsafe-inline\'' ],
objectSrc: [ '\'none\'' ], // only define to allow plugins, else let defaultSrc 'none' block it
formAction: [ '\'self\'' ],
@ -18,8 +19,14 @@ const baseDirectives = Object.assign({},
frameSrc: [ '\'self\'' ], // instead of deprecated child-src / self because of test-embed
workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
},
CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
CONFIG.CSP.REPORT_URI
? { reportUri: CONFIG.CSP.REPORT_URI }
: {},
CONFIG.WEBSERVER.SCHEME === 'https'
? { upgradeInsecureRequests: [] }
: {}
)
const baseCSP = contentSecurityPolicy({