author | Literallie | 2017-10-18 22:45:17 +0200 |
---|---|---|
committer | Literallie | 2017-10-22 00:03:45 +0200 |
commit | 996cb379912d5ee7b6e26f3c688ce447b4762bc4 (patch) | |
tree | bc0d4496ec6e09e13630771f3745effa41dc9fbd | |
parent | 0cbdc852cb29bfcadf1229899938c757b03f5ed6 (diff) |
CSP: Workaround for ws:// protocol
The spec allows wss:// for 'self', but not ws:// :(
Diffstat (limited to '')
-rw-r--r-- | app.js | 14 |
1 files changed, 12 insertions, 2 deletions
@@ -116,6 +116,15 @@ app.use((req, res, next) => {
 // use Content-Security-Policy to limit XSS, dangerous plugins, etc.
 // https://helmetjs.github.io/docs/csp/
+function getCspNonce (req, res) {
+  return "'nonce-" + res.locals.nonce + "'"
+}
+
+function getCspWebSocketUrl (req, res) {
+  // wss: is included in 'self', but 'ws:' is not
+  return (req.protocol === 'http' ? 'ws:' : 'wss:') + config.serverurl.replace(/https?:/, "")
+}
+
 if (config.csp.enable) {
   var cdnDirectives = {
     scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
@@ -125,14 +134,15 @@ if (config.csp.enable) {
   var directives = {}
   for (var propertyName in config.csp.directives) {
     if (config.csp.directives.hasOwnProperty(propertyName)) {
-      var directive = config.csp.directives[propertyName]
+      var directive = [].concat(config.csp.directives[propertyName])
       if (config.usecdn && !!cdnDirectives[propertyName]) {
         directive = directive.concat(cdnDirectives[propertyName])
       }
       directives[propertyName] = directive
     }
   }
-  directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
+  directives.scriptSrc.push(getCspNonce)
+  directives.connectSrc.push(getCspWebSocketUrl)
   if (config.csp.upgradeInsecureRequests === 'auto') {
     directives.upgradeInsecureRequests = config.usessl === 'true'
   } else { |
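Review bot: The regex in getCspWebSocketUrl is unanchored, so `/https?:/` strips the first `http:`/`https:` wherever it occurs in config.serverurl rather than only a leading scheme, and a serverurl that carries no scheme is passed through untouched, producing a source such as `ws:example.com`; anchor it with `config.serverurl.replace(/^https?:/, '')`. More importantly, if config.serverurl is ever an empty string the function returns a bare `ws:` or `wss:`, which in connect-src is a scheme-source that permits WebSocket connections to any host, so the directive silently loses its host restriction; since this runs per request it is worth validating serverurl once at startup (for example, refuse to enable the CSP when it is empty) rather than guarding inside the helper. Note also that `req.protocol` only reflects a TLS-terminating reverse proxy when Express `trust proxy` is configured, which I cannot confirm from this hunk; without it the emitted `ws:` origin is harmless on an https page (blocked as mixed content) but also useless, so a comment stating the dependency would help, e.g. `// req.protocol honours X-Forwarded-Proto only with 'trust proxy' set`.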
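Review bot: `directives.connectSrc.push(getCspWebSocketUrl)` assumes config.csp.directives defines a connectSrc key; the `[].concat` normalisation above only turns an existing value into an array, so a configuration that omits connectSrc leaves `directives.connectSrc` undefined and this line throws a TypeError at startup. The same latent assumption already existed for scriptSrc, but this commit adds a second one. Suggest `directives.connectSrc = (directives.connectSrc || []).concat([getCspWebSocketUrl])` so the WebSocket origin is still whitelisted when the operator has not configured connectSrc. The enclosing `if (config.csp.enable)` block continues past the end of the hunk.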