author | Sheogorath | 2018-03-10 14:34:14 +0100 |
committer | Sheogorath | 2018-03-14 17:57:41 +0100 |
commit | efa490a50f5849205645384ee7910764bf929794 (patch) | |
tree | 3b1ba14c65820af97ea3c6bb3bb4368a751a1343 /lib | |
parent | 21be5a55179f6541f61be9f95bbb69e3c7a6515b (diff) |
Add config option for report URI in CSP
This option is needed as it's currently not possible to add a report
URI via the directives array. This option also allows getting CSP reports
not only on docker-based setups but also on our heroku instances.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/config/default.js | 3 | ||||
-rw-r--r-- | lib/config/environment.js | 3 | ||||
-rw-r--r-- | lib/csp.js | 7 |
3 files changed, 11 insertions, 2 deletions
diff --git a/lib/config/default.js b/lib/config/default.js
index 06e887f4..7407ec60 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,7 +18,8 @@ module.exports = {
 directives: {
 },
 addDefaults: true,
- upgradeInsecureRequests: 'auto'
+ upgradeInsecureRequests: 'auto',
+ reportURI: undefined
 },
 protocolusessl: false,
 usecdn: true,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index b83c67e5..34049fb2 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -15,7 +15,8 @@ module.exports = {
 preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
 },
 csp: {
- enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+ enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
+ reportURI: process.env.HMD_CSP_REPORTURI
 },
 protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
 alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
@@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
 addInlineScriptExceptions(directives)
 }
 addUpgradeUnsafeRequestsOptionTo(directives)
+ addReportURI(directives)
 return directives
 }
@@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
 }
 }
+function addReportURI (directives) {
+ if (config.csp.reportURI) {
+ directives.reportUri = config.csp.reportURI
+ }
+}
+
 CspStrategy.addNonceToLocals = function (req, res, next) {
 res.locals.nonce = uuid.v4()
 next() |
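Review bot: In the `@@ -72,6 +73,12 @@` hunk, `addReportURI` copies `config.csp.reportURI` into `directives.reportUri` unchecked, and that value comes straight from the `HMD_CSP_REPORTURI` environment variable added in lib/config/environment.js; a malformed value (whitespace, a stray `;`, or a relative path) would presumably be serialized verbatim into the policy header and silently weaken or break it rather than fail at startup. A cheap guard at the point of use, `if (typeof config.csp.reportURI === 'string' && /^\S+$/.test(config.csp.reportURI))`, or a `new URL(...)` parse when the config is loaded, would surface bad operator input with a clear error instead. A short header comment on the helper, `// report-uri: operator-supplied via HMD_CSP_REPORTURI; expected to be a single absolute URL`, would also document the intended shape. The `diff --git` header for this section is missing from the page, so its attribution to lib/csp.js is inferred from the diffstat.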