sa6anw/hedgedoc-hedgeagent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add config option to disallow framing via CSP

Browse Source 
Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
David Mehren
2021-07-18 09:59:14 +02:00
parent 9499add64c
commit bd44cbc16c
4 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/config/default.js
View File

@@ -25,7 +25,8 @@ module.exports = {
addDisqus: false,
addGoogleAnalytics: false,
upgradeInsecureRequests: 'auto',
reportURI: undefined
reportURI: undefined,
allowFraming: true
},
cookiePolicy: 'lax',
protocolUseSSL: false,

3
lib/config/environment.js
View File

@@ -22,7 +22,8 @@ module.exports = {
enable: toBooleanConfig(process.env.CMD_CSP_ENABLE),
reportURI: process.env.CMD_CSP_REPORTURI,
addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS),
addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS)
addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS),
allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)
},
cookiePolicy: process.env.CMD_COOKIE_POLICY,
protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),

11
lib/csp.js
View File

@@ -21,9 +21,7 @@ const defaultDirectives = {
],
styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
mediaSrc: ['*'],
childSrc: ['*'],
connectSrc: ['*']
formAction: ['\'self\'']
}
const cdnDirectives = {
@@ -46,6 +44,10 @@ const dropboxDirectives = {
scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
}
const disallowFramingDirectives = {
frameAncestors: ['\'self\'']
}
CspStrategy.computeDirectives = function () {
const directives = {}
mergeDirectives(directives, config.csp.directives)
@@ -54,6 +56,7 @@ CspStrategy.computeDirectives = function () {
mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
addInlineScriptExceptions(directives)
addUpgradeUnsafeRequestsOptionTo(directives)
addReportURI(directives)
@@ -92,7 +95,7 @@ function getCspNonce (req, res) {
}
function addUpgradeUnsafeRequestsOptionTo (directives) {
if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
if (config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL || config.protocolUseSSL)) {
directives.upgradeInsecureRequests = []
} else if (config.csp.upgradeInsecureRequests === true) {
directives.upgradeInsecureRequests = []