CSP: Workaround for ws:// protocol
The spec allows wss:// for 'self', but not ws:// :(
This commit is contained in:
parent
0cbdc852cb
commit
996cb37991
1 changed files with 12 additions and 2 deletions
14
app.js
|
@ -116,6 +116,15 @@ app.use((req, res, next) => {
|
||||||
|
|
||||||
// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
|
// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
|
||||||
// https://helmetjs.github.io/docs/csp/
|
// https://helmetjs.github.io/docs/csp/
|
||||||
|
function getCspNonce (req, res) {
|
||||||
|
return "'nonce-" + res.locals.nonce + "'"
|
||||||
|
}
|
||||||
|
|
||||||
|
function getCspWebSocketUrl (req, res) {
|
||||||
|
// wss: is included in 'self', but 'ws:' is not
|
||||||
|
return (req.protocol === 'http' ? 'ws:' : 'wss:') + config.serverurl.replace(/https?:/, "")
|
||||||
|
}
|
||||||
|
|
||||||
if (config.csp.enable) {
|
if (config.csp.enable) {
|
||||||
var cdnDirectives = {
|
var cdnDirectives = {
|
||||||
scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
|
scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
|
||||||
|
@ -125,14 +134,15 @@ if (config.csp.enable) {
|
||||||
var directives = {}
|
var directives = {}
|
||||||
for (var propertyName in config.csp.directives) {
|
for (var propertyName in config.csp.directives) {
|
||||||
if (config.csp.directives.hasOwnProperty(propertyName)) {
|
if (config.csp.directives.hasOwnProperty(propertyName)) {
|
||||||
var directive = config.csp.directives[propertyName]
|
var directive = [].concat(config.csp.directives[propertyName])
|
||||||
if (config.usecdn && !!cdnDirectives[propertyName]) {
|
if (config.usecdn && !!cdnDirectives[propertyName]) {
|
||||||
directive = directive.concat(cdnDirectives[propertyName])
|
directive = directive.concat(cdnDirectives[propertyName])
|
||||||
}
|
}
|
||||||
directives[propertyName] = directive
|
directives[propertyName] = directive
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
|
directives.scriptSrc.push(getCspNonce)
|
||||||
|
directives.connectSrc.push(getCspWebSocketUrl)
|
||||||
if (config.csp.upgradeInsecureRequests === 'auto') {
|
if (config.csp.upgradeInsecureRequests === 'auto') {
|
||||||
directives.upgradeInsecureRequests = config.usessl === 'true'
|
directives.upgradeInsecureRequests = config.usessl === 'true'
|
||||||
} else {
|
} else {
|
||||||
|
|
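Review bot: `getCspWebSocketUrl` picks `ws:` vs `wss:` from `req.protocol`, while three lines after the new `connectSrc.push` the same block decides TLS from `config.usessl === 'true'`; behind a TLS-terminating reverse proxy without Express `trust proxy` set, `req.protocol` reports `http`, so the policy advertises `ws://host` while the browser on the `https` page opens `wss://host` and the socket is blocked by the very directive meant to allow it — using one source of truth (`return (config.usessl === 'true' ? 'wss:' : 'ws:') + config.serverurl.replace(/^https?:/, "")`) or documenting the `trust proxy` requirement next to the helper avoids the disagreement. `directives.connectSrc.push(getCspWebSocketUrl)` also assumes the configured `config.csp.directives` defines `connectSrc`; if it does not, this throws at startup, and seeding it with only the WebSocket source would stop `connect-src` from inheriting `default-src`, so `'self'` would have to be restated when creating it. Minor: `replace(/https?:/, "")` is unanchored and, if `serverurl` ever lacks a scheme, yields `wss:host` rather than `wss://host`, which is not a valid source expression; anchoring with `/^https?:/` and checking for the `//` prefix is safer. Both helpers are complete within the first hunk, and the `[].concat(...)` copy in the second hunk is a good change since it stops the CDN and nonce entries from being pushed into the shared config arrays.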