CSP: Workaround for ws:// protocol

The spec allows wss:// for 'self', but not ws:// :(
This commit is contained in:
Literallie 2017-10-18 22:45:17 +02:00
parent 0cbdc852cb
commit 996cb37991
No known key found for this signature in database
GPG key ID: 7BE463C902ED152C

14
app.js
View file

@ -116,6 +116,15 @@ app.use((req, res, next) => {
// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
// https://helmetjs.github.io/docs/csp/
function getCspNonce (req, res) {
return "'nonce-" + res.locals.nonce + "'"
}
function getCspWebSocketUrl (req, res) {
// wss: is included in 'self', but 'ws:' is not
return (req.protocol === 'http' ? 'ws:' : 'wss:') + config.serverurl.replace(/https?:/, "")
}
if (config.csp.enable) {
var cdnDirectives = {
scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
@ -125,14 +134,15 @@ if (config.csp.enable) {
var directives = {}
for (var propertyName in config.csp.directives) {
if (config.csp.directives.hasOwnProperty(propertyName)) {
var directive = config.csp.directives[propertyName]
var directive = [].concat(config.csp.directives[propertyName])
if (config.usecdn && !!cdnDirectives[propertyName]) {
directive = directive.concat(cdnDirectives[propertyName])
}
directives[propertyName] = directive
}
}
directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
directives.scriptSrc.push(getCspNonce)
directives.connectSrc.push(getCspWebSocketUrl)
if (config.csp.upgradeInsecureRequests === 'auto') {
directives.upgradeInsecureRequests = config.usessl === 'true'
} else {