diff options
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | app.json | 4 | ||||
-rw-r--r-- | config.json.example | 4 | ||||
-rw-r--r-- | lib/config/default.js | 2 | ||||
-rw-r--r-- | lib/config/environment.js | 2 | ||||
-rw-r--r-- | lib/csp.js | 14 | ||||
-rw-r--r-- | lib/response.js | 3 | ||||
-rw-r--r-- | public/views/shared/disqus.ejs | 5 | ||||
-rw-r--r-- | public/views/shared/ga.ejs | 6 |
9 files changed, 33 insertions, 9 deletions
@@ -151,6 +151,8 @@ There are some config settings you need to change in the files below. | `HMD_ALLOW_FREEURL` | `true` or `false` | set to allow new note creation by accessing a nonexistent note URL | | `HMD_DEFAULT_PERMISSION` | `freely`, `editable`, `limited`, `locked` or `private` | set notes default permission (only applied on signed users) | | `HMD_DB_URL` | `mysql://localhost:3306/database` | set the database URL | +| `HMD_SESSION_SECRET` | no example | Secret used to sign the session cookie. If non is set, one will randomly generated on startup | +| `HMD_SESSION_LIFE` | `1209600000` | Session life time. (milliseconds) | | `HMD_FACEBOOK_CLIENTID` | no example | Facebook API client id | | `HMD_FACEBOOK_CLIENTSECRET` | no example | Facebook API client secret | | `HMD_TWITTER_CONSUMERKEY` | no example | Twitter API consumer key | @@ -23,6 +23,10 @@ "description": "Specify database type. See sequelize available databases. Default using postgres", "value": "postgres" }, + "HMD_SESSION_SECRET": { + "description": "Secret used to secure session cookies.", + "required": false + }, "HMD_HSTS_ENABLE": { "description": "whether to also use HSTS if HTTPS is enabled", "required": false diff --git a/config.json.example b/config.json.example index 8d1b6abd..2d9b7714 100644 --- a/config.json.example +++ b/config.json.example @@ -27,7 +27,9 @@ "directives": { }, "upgradeInsecureRequests": "auto" - "addDefaults": true + "addDefaults": true, + "addDisqus": true, + "addGoogleAnalytics": true }, "db": { "username": "", diff --git a/lib/config/default.js b/lib/config/default.js index b6f1af17..68849d36 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -18,6 +18,8 @@ module.exports = { directives: { }, addDefaults: true, + addDisqus: true, + addGoogleAnalytics: true, upgradeInsecureRequests: 'auto', reportURI: undefined }, diff --git a/lib/config/environment.js b/lib/config/environment.js index cab3bc3e..3dde4786 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -26,6 +26,8 @@ module.exports = { allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL), defaultPermission: process.env.HMD_DEFAULT_PERMISSION, dbURL: process.env.HMD_DB_URL, + sessionSecret: process.env.HMD_SESSION_SECRET, + sessionLife: toIntegerConfig(process.env.HMD_SESSION_LIFE), imageUploadType: process.env.HMD_IMAGE_UPLOAD_TYPE, imgur: { clientID: process.env.HMD_IMGUR_CLIENTID @@ -5,7 +5,7 @@ var CspStrategy = {} var defaultDirectives = { defaultSrc: ['\'self\''], - scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''], + scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''], // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594 imgSrc: ['*'], styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views @@ -22,11 +22,23 @@ var cdnDirectives = { fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com'] } +var disqusDirectives = { + scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'], + styleSrc: ['https://*.disquscdn.com'], + fontSrc: ['https://*.disquscdn.com'] +} + +var googleAnalyticsDirectives = { + scriptSrc: ['https://www.google-analytics.com'] +} + CspStrategy.computeDirectives = function () { var directives = {} mergeDirectives(directives, config.csp.directives) mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives) mergeDirectivesIf(config.useCDN, directives, cdnDirectives) + mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives) + mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives) if (!areAllInlineScriptsAllowed(directives)) { addInlineScriptExceptions(directives) } diff --git a/lib/response.js b/lib/response.js index b18fd7a3..d5c685ca 100644 --- a/lib/response.js +++ b/lib/response.js @@ -226,7 +226,8 @@ function showPublishNote (req, res, next) { lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null, robots: meta.robots || false, // default allow robots GA: meta.GA, - disqus: meta.disqus + disqus: meta.disqus, + cspNonce: res.locals.nonce } return renderPublish(data, res) }).catch(function (err) { diff --git a/public/views/shared/disqus.ejs b/public/views/shared/disqus.ejs index cceaa85c..840d1e38 100644 --- a/public/views/shared/disqus.ejs +++ b/public/views/shared/disqus.ejs @@ -1,14 +1,13 @@ <div id="disqus_thread"></div> -<script> +<script nonce="<%= cspNonce %>"> var disqus_config = function () { this.page.identifier = window.location.pathname.split('/').slice(-1)[0]; }; (function() { var d = document, s = d.createElement('script'); - s.src = '//<%= disqus %>.disqus.com/embed.js'; + s.src = 'https://<%= disqus %>.disqus.com/embed.js'; s.setAttribute('data-timestamp', +new Date()); (d.head || d.body).appendChild(s); })(); </script> <noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript> -
\ No newline at end of file diff --git a/public/views/shared/ga.ejs b/public/views/shared/ga.ejs index 66d4acd9..27abb742 100644 --- a/public/views/shared/ga.ejs +++ b/public/views/shared/ga.ejs @@ -1,5 +1,5 @@ <% if(typeof GA !== 'undefined' && GA) { %> -<script> +<script nonce="<%= cspNonce %>"> (function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { @@ -10,9 +10,9 @@ a.async = 1; a.src = g; m.parentNode.insertBefore(a, m) -})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga'); +})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga'); ga('create', '<%= GA %>', 'auto'); ga('send', 'pageview'); </script> -<% } %>
\ No newline at end of file +<% } %> |