authorLiterallie2017-10-18 22:45:17 +0200
committerLiterallie2017-10-22 00:03:45 +0200
commit996cb379912d5ee7b6e26f3c688ce447b4762bc4 (patch)
treebc0d4496ec6e09e13630771f3745effa41dc9fbd
parent0cbdc852cb29bfcadf1229899938c757b03f5ed6 (diff)
CSP: Workaround for ws:// protocol
The spec allows wss:// for 'self', but not ws:// :(
-rw-r--r--app.js14
1 files changed, 12 insertions, 2 deletions
diff --git a/app.js b/app.js
index 88735854..15c9e61e 100644
--- a/app.js
+++ b/app.js
@@ -116,6 +116,15 @@ app.use((req, res, next) => {
// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
// https://helmetjs.github.io/docs/csp/
+function getCspNonce (req, res) {
+ return "'nonce-" + res.locals.nonce + "'"
+}
+
+function getCspWebSocketUrl (req, res) {
+ // wss: is included in 'self', but 'ws:' is not
+ return (req.protocol === 'http' ? 'ws:' : 'wss:') + config.serverurl.replace(/https?:/, "")
+}
+
if (config.csp.enable) {
var cdnDirectives = {
scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
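Review bot: `getCspWebSocketUrl` strips the scheme with an unanchored `/https?:/` and prepends a bare `ws:`/`wss:`, so if `config.serverurl` is empty or carries no `http(s):` prefix (nothing in this hunk validates it) the directive degrades to a scheme-only source such as `ws:`, which allows WebSocket connections to any host rather than to this server. Anchor the match and refuse to emit a scheme-only entry, e.g. `var host = config.serverurl.replace(/^https?:/, '')` followed by `if (host.indexOf('//') !== 0) return "'self'"` before the return (a duplicate `'self'` is a harmless no-op). Separately, `req.protocol` only reflects `X-Forwarded-Proto` when Express `trust proxy` is set, so behind a TLS terminator this will emit `ws:` on an https page; that does not loosen the policy (the browser blocks mixed-content ws anyway) but a comment such as `// req.protocol honours X-Forwarded-Proto only with 'trust proxy' enabled` would save the next reader a debugging session.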
@@ -125,14 +134,15 @@ if (config.csp.enable) {
var directives = {}
for (var propertyName in config.csp.directives) {
if (config.csp.directives.hasOwnProperty(propertyName)) {
- var directive = config.csp.directives[propertyName]
+ var directive = [].concat(config.csp.directives[propertyName])
if (config.usecdn && !!cdnDirectives[propertyName]) {
directive = directive.concat(cdnDirectives[propertyName])
}
directives[propertyName] = directive
}
}
- directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
+ directives.scriptSrc.push(getCspNonce)
+ directives.connectSrc.push(getCspWebSocketUrl)
if (config.csp.upgradeInsecureRequests === 'auto') {
directives.upgradeInsecureRequests = config.usessl === 'true'
} else {
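Review bot: `directives.connectSrc.push(getCspWebSocketUrl)` throws a TypeError at startup when `config.csp.directives` has no `connectSrc` key, because the loop above only copies keys that are present and `[].concat(undefined)` is never reached for missing ones; the same latent assumption already existed for `scriptSrc`, but this commit adds a second. Unless the config module (not shown) guarantees the key, seed it before pushing: `if (!directives.connectSrc) directives.connectSrc = ["'self'"]`. Seeding with `'self'` matters because a connect-src containing only the WebSocket URL would stop falling back to default-src and break same-origin XHR. The enclosing `if (config.csp.enable)` block continues past the end of this hunk.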