Diffstat (limited to '')
-rw-r--r-- | app.js | 7 | ||||
-rwxr-xr-x | lib/response.js | 3 | ||||
-rw-r--r-- | package.json | 1 | ||||
-rw-r--r-- | public/views/slide.ejs | 2 |
4 files changed, 11 insertions, 2 deletions
@@ -12,6 +12,7 @@ var session = require('express-session')
 var SequelizeStore = require('connect-session-sequelize')(session.Store)
 var fs = require('fs')
 var path = require('path')
+var uuid = require('uuid')
 var morgan = require('morgan')
 var passportSocketIo = require('passport.socketio')
@@ -108,6 +109,11 @@ if (config.hsts.enable) {
   logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
 }
 
+app.use((req, res, next) => {
+  res.locals.nonce = uuid.v4()
+  next()
+})
+
 // use Content-Security-Policy to limit XSS, dangerous plugins, etc.
 // https://helmetjs.github.io/docs/csp/
 if (config.csp.enable) {
@@ -126,6 +132,7 @@ if (config.csp.enable) {
       directives[propertyName] = directive;
     }
   }
+  directives.scriptSrc.push(function (req, res) { return "'nonce-" + res.locals.nonce + "'" })
   if(config.csp.upgradeInsecureRequests === 'auto') {
     directives.upgradeInsecureRequests = config.usessl === 'true'
   } else {
diff --git a/lib/response.js b/lib/response.js
index a22d1e70..287d53e0 100755
--- a/lib/response.js
+++ b/lib/response.js
@@ -584,7 +584,8 @@ function showPublishSlide (req, res, next) {
       lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
       robots: meta.robots || false, // default allow robots
       GA: meta.GA,
-      disqus: meta.disqus
+      disqus: meta.disqus,
+      cspNonce: res.locals.nonce
     }
     return renderPublishSlide(data, res)
   }).catch(function (err) {
diff --git a/package.json b/package.json
index 4c8dc562..35fe4f9c 100644
--- a/package.json
+++ b/package.json
@@ -114,6 +114,7 @@
     "tedious": "^1.14.0",
     "to-markdown": "^3.0.3",
     "toobusy-js": "^0.5.1",
+    "uuid": "^3.1.0",
     "uws": "~0.14.1",
     "validator": "^6.2.0",
     "velocity-animate": "^1.4.0",
diff --git a/public/views/slide.ejs b/public/views/slide.ejs
index 7ff5016e..c7dd9898 100644
--- a/public/views/slide.ejs
+++ b/public/views/slide.ejs
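Review bot: `uuid.v4()` in the new nonce middleware yields 122 random bits with fixed version and variant nibbles, which falls just short of the 128 bits CSP Level 3 recommends for a nonce; the Node standard library covers this without a new package, `res.locals.nonce = crypto.randomBytes(16).toString('base64')` with `var crypto = require('crypto')` alongside the other requires, which would also make the package.json addition unnecessary. uuid 3.x on Node appears to draw from crypto.randomBytes, so the entropy source is not the concern here, only the length and the extra dependency. A one-line comment above the middleware would help the next reader, e.g. `// per-response CSP nonce; consumed by the scriptSrc directive below and by templates that emit inline <script> tags`.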
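Review bot: `directives.scriptSrc.push(...)` assumes the configured policy already holds a `scriptSrc` array; if a deployment's CSP config omits that directive the server fails at startup with a TypeError, so a guard such as `directives.scriptSrc = directives.scriptSrc || []` before the push would be safer (the directive-building loop starts outside the hunk, so I cannot confirm it always sets scriptSrc). Once a nonce appears in script-src, compliant browsers ignore `'unsafe-inline'` in that directive, so if the existing config relies on `'unsafe-inline'` this line changes enforcement for every page served, not only the slide view, and any other inline script in the application will be blocked. That consequence is worth recording next to the line, e.g. `// adding a nonce makes browsers disregard 'unsafe-inline' in script-src; all inline scripts must now carry res.locals.nonce`.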
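Review bot: Express's `res.render` merges `res.locals` into the template data, so if renderPublishSlide ends in `res.render` the template could already read `nonce` directly; passing it again as `cspNonce` is harmless but leaves two names for one value across app.js and the views. If the explicit key is kept for clarity, a short comment such as `cspNonce: res.locals.nonce, // set by the nonce middleware in app.js; used on the inline <script> in slide.ejs` records where the value comes from. showPublishSlide begins outside the hunk.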
@@ -41,7 +41,7 @@ <link rel="stylesheet" href="<%- url %>/css/slide.css"> <!-- Printing and PDF exports --> - <script> + <script nonce="<%= cspNonce %>"> var link = document.createElement( 'link' ); link.rel = 'stylesheet'; link.type = 'text/css'; |
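Review bot: Only this `<script>` element receives the nonce; any other inline script or inline event handler elsewhere in slide.ejs will be refused once script-src carries a nonce, because browsers then ignore `'unsafe-inline'` for that directive, so the remainder of the template (outside this hunk) should be checked for such blocks. `<%= cspNonce %>` is the right choice here since EJS HTML-encodes that output before it lands inside the quoted attribute. The hunk header reports seven lines on each side but only six are visible, so one line may have been lost in this rendering of the diff.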