depau/HackMD
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

CSP: Add nonce to slide view inline JS

Browse source
This commit is contained in:
Literallie 2017-10-18 17:48:53 +02:00
parent 5d2d3ec875
commit 080436aebb
No known key found for this signature in database
GPG key ID: 7BE463C902ED152C
4 changed files with 11 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
app.js
View file

@ -12,6 +12,7 @@ var session = require('express-session')
var SequelizeStore = require('connect-session-sequelize')(session.Store) var SequelizeStore = require('connect-session-sequelize')(session.Store)
var fs = require('fs') var fs = require('fs')
var path = require('path') var path = require('path')
var uuid = require('uuid')
var morgan = require('morgan') var morgan = require('morgan')
var passportSocketIo = require('passport.socketio') var passportSocketIo = require('passport.socketio')
@ -108,6 +109,11 @@ if (config.hsts.enable) {
logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security') logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
} }
app.use((req, res, next) => {
res.locals.nonce = uuid.v4()
next()
})
// use Content-Security-Policy to limit XSS, dangerous plugins, etc. // use Content-Security-Policy to limit XSS, dangerous plugins, etc.
// https://helmetjs.github.io/docs/csp/ // https://helmetjs.github.io/docs/csp/
if (config.csp.enable) { if (config.csp.enable) {
@ -126,6 +132,7 @@ if (config.csp.enable) {
directives[propertyName] = directive; directives[propertyName] = directive;
} }
} }
directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
if(config.csp.upgradeInsecureRequests === 'auto') { if(config.csp.upgradeInsecureRequests === 'auto') {
directives.upgradeInsecureRequests = config.usessl === 'true' directives.upgradeInsecureRequests = config.usessl === 'true'
} else { } else {

3
lib/response.js
View file

@ -584,7 +584,8 @@ function showPublishSlide (req, res, next) {
lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null, lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
robots: meta.robots || false, // default allow robots robots: meta.robots || false, // default allow robots
GA: meta.GA, GA: meta.GA,
disqus: meta.disqus disqus: meta.disqus,
cspNonce: res.locals.nonce
} }
return renderPublishSlide(data, res) return renderPublishSlide(data, res)
}).catch(function (err) { }).catch(function (err) {

1
package.json
View file

@ -114,6 +114,7 @@
"tedious": "^1.14.0", "tedious": "^1.14.0",
"to-markdown": "^3.0.3", "to-markdown": "^3.0.3",
"toobusy-js": "^0.5.1", "toobusy-js": "^0.5.1",
"uuid": "^3.1.0",
"uws": "~0.14.1", "uws": "~0.14.1",
"validator": "^6.2.0", "validator": "^6.2.0",
"velocity-animate": "^1.4.0", "velocity-animate": "^1.4.0",

2
public/views/slide.ejs
View file

@ -41,7 +41,7 @@
<link rel="stylesheet" href="<%- url %>/css/slide.css"> <link rel="stylesheet" href="<%- url %>/css/slide.css">
<!-- Printing and PDF exports --> <!-- Printing and PDF exports -->
<script> <script nonce="<%= cspNonce %>">
var link = document.createElement( 'link' ); var link = document.createElement( 'link' );
link.rel = 'stylesheet'; link.rel = 'stylesheet';
link.type = 'text/css'; link.type = 'text/css';