summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--app.js7
-rwxr-xr-xlib/response.js3
-rw-r--r--package.json1
-rw-r--r--public/views/slide.ejs2
4 files changed, 11 insertions, 2 deletions
diff --git a/app.js b/app.js
index 8af029e7..b78f94e1 100644
--- a/app.js
+++ b/app.js
@@ -12,6 +12,7 @@ var session = require('express-session')
var SequelizeStore = require('connect-session-sequelize')(session.Store)
var fs = require('fs')
var path = require('path')
+var uuid = require('uuid')
var morgan = require('morgan')
var passportSocketIo = require('passport.socketio')
@@ -108,6 +109,11 @@ if (config.hsts.enable) {
logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
}
+app.use((req, res, next) => {
+ res.locals.nonce = uuid.v4()
+ next()
+})
+
// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
// https://helmetjs.github.io/docs/csp/
if (config.csp.enable) {
@@ -126,6 +132,7 @@ if (config.csp.enable) {
directives[propertyName] = directive;
}
}
+ directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
if(config.csp.upgradeInsecureRequests === 'auto') {
directives.upgradeInsecureRequests = config.usessl === 'true'
} else {
diff --git a/lib/response.js b/lib/response.js
index a22d1e70..287d53e0 100755
--- a/lib/response.js
+++ b/lib/response.js
@@ -584,7 +584,8 @@ function showPublishSlide (req, res, next) {
lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
robots: meta.robots || false, // default allow robots
GA: meta.GA,
- disqus: meta.disqus
+ disqus: meta.disqus,
+ cspNonce: res.locals.nonce
}
return renderPublishSlide(data, res)
}).catch(function (err) {
diff --git a/package.json b/package.json
index 4c8dc562..35fe4f9c 100644
--- a/package.json
+++ b/package.json
@@ -114,6 +114,7 @@
"tedious": "^1.14.0",
"to-markdown": "^3.0.3",
"toobusy-js": "^0.5.1",
+ "uuid": "^3.1.0",
"uws": "~0.14.1",
"validator": "^6.2.0",
"velocity-animate": "^1.4.0",
diff --git a/public/views/slide.ejs b/public/views/slide.ejs
index 7ff5016e..c7dd9898 100644
--- a/public/views/slide.ejs
+++ b/public/views/slide.ejs
@@ -41,7 +41,7 @@
<link rel="stylesheet" href="<%- url %>/css/slide.css">
<!-- Printing and PDF exports -->
- <script>
+ <script nonce="<%= cspNonce %>">
var link = document.createElement( 'link' );
link.rel = 'stylesheet';
link.type = 'text/css';