CSP: Add nonce to slide view inline JS

2017-10-18 17:48:53 +02:00 · 2017-10-18 17:48:53 +02:00 · 080436aebb
parent 5d2d3ec875
commit 080436aebb
4 changed files with 11 additions and 2 deletions
--- a/app.js
+++ b/app.js
@ -12,6 +12,7 @@ var session = require('express-session')
 var SequelizeStore = require('connect-session-sequelize')(session.Store)
 var fs = require('fs')
 var path = require('path')
+var uuid = require('uuid')

 var morgan = require('morgan')
 var passportSocketIo = require('passport.socketio')
@ -108,6 +109,11 @@ if (config.hsts.enable) {
  logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
 }

+app.use((req, res, next) => {
+  res.locals.nonce = uuid.v4()
+  next()
+})
+
 // use Content-Security-Policy to limit XSS, dangerous plugins, etc.
 // https://helmetjs.github.io/docs/csp/
 if (config.csp.enable) {
@ -126,6 +132,7 @@ if (config.csp.enable) {
      directives[propertyName] = directive;
    }
  }
+  directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
  if(config.csp.upgradeInsecureRequests === 'auto') {
    directives.upgradeInsecureRequests = config.usessl === 'true'
  } else {
--- a/lib/response.js
+++ b/lib/response.js
@ -584,7 +584,8 @@ function showPublishSlide (req, res, next) {
        lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
        robots: meta.robots || false, // default allow robots
        GA: meta.GA,
-        disqus: meta.disqus
+        disqus: meta.disqus,
+        cspNonce: res.locals.nonce
      }
      return renderPublishSlide(data, res)
    }).catch(function (err) {
--- a/package.json
+++ b/package.json
@ -114,6 +114,7 @@
    "tedious": "^1.14.0",
    "to-markdown": "^3.0.3",
    "toobusy-js": "^0.5.1",
+    "uuid": "^3.1.0",
    "uws": "~0.14.1",
    "validator": "^6.2.0",
    "velocity-animate": "^1.4.0",
--- a/public/views/slide.ejs
+++ b/public/views/slide.ejs
@ -41,7 +41,7 @@
        <link rel="stylesheet" href="<%- url %>/css/slide.css">

        <!-- Printing and PDF exports -->
-        <script>
+        <script nonce="<%= cspNonce %>">
            var link = document.createElement( 'link' );
            link.rel = 'stylesheet';
            link.type = 'text/css';