CSP: Add nonce to slide view inline JS

author: Literallie 2017-10-18 17:48:53 +0200
committer: Literallie 2017-10-22 00:03:45 +0200
commit: 080436aebb4c4681f85cc8bf5d8563832ff8dbdd (patch)
tree: e83b305f9e628fa82077f656583d05c11574ada9 /app.js
parent: 5d2d3ec875310de07fe79ae605dfbc0f1df585c5 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/app.js b/app.js
index 8af029e7..b78f94e1 100644
--- a/app.js
+++ b/app.js
@@ -12,6 +12,7 @@ var session = require('express-session')
 var SequelizeStore = require('connect-session-sequelize')(session.Store)
 var fs = require('fs')
 var path = require('path')
+var uuid = require('uuid')
 
 var morgan = require('morgan')
 var passportSocketIo = require('passport.socketio')
@@ -108,6 +109,11 @@ if (config.hsts.enable) {
   logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
 }
 
+app.use((req, res, next) => {
+  res.locals.nonce = uuid.v4()
+  next()
+})
+
 // use Content-Security-Policy to limit XSS, dangerous plugins, etc.
 // https://helmetjs.github.io/docs/csp/
 if (config.csp.enable) {
@@ -126,6 +132,7 @@ if (config.csp.enable) {
       directives[propertyName] = directive;
     }
   }
+  directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
   if(config.csp.upgradeInsecureRequests === 'auto') {
     directives.upgradeInsecureRequests = config.usessl === 'true'
   } else {
author	Literallie	2017-10-18 17:48:53 +0200
committer	Literallie	2017-10-22 00:03:45 +0200
commit	080436aebb4c4681f85cc8bf5d8563832ff8dbdd (patch)
tree	e83b305f9e628fa82077f656583d05c11574ada9 /app.js
parent	5d2d3ec875310de07fe79ae605dfbc0f1df585c5 (diff)