summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README.md2
-rw-r--r--app.json4
-rw-r--r--config.json.example4
-rw-r--r--lib/config/default.js2
-rw-r--r--lib/config/environment.js2
-rw-r--r--lib/csp.js14
-rw-r--r--lib/response.js3
-rw-r--r--public/views/shared/disqus.ejs5
-rw-r--r--public/views/shared/ga.ejs6
9 files changed, 33 insertions, 9 deletions
diff --git a/README.md b/README.md
index 0bb3845b..bdad3336 100644
--- a/README.md
+++ b/README.md
@@ -151,6 +151,8 @@ There are some config settings you need to change in the files below.
| `HMD_ALLOW_FREEURL` | `true` or `false` | set to allow new note creation by accessing a nonexistent note URL |
| `HMD_DEFAULT_PERMISSION` | `freely`, `editable`, `limited`, `locked` or `private` | set notes default permission (only applied on signed users) |
| `HMD_DB_URL` | `mysql://localhost:3306/database` | set the database URL |
+| `HMD_SESSION_SECRET` | no example | Secret used to sign the session cookie. If non is set, one will randomly generated on startup |
+| `HMD_SESSION_LIFE` | `1209600000` | Session life time. (milliseconds) |
| `HMD_FACEBOOK_CLIENTID` | no example | Facebook API client id |
| `HMD_FACEBOOK_CLIENTSECRET` | no example | Facebook API client secret |
| `HMD_TWITTER_CONSUMERKEY` | no example | Twitter API consumer key |
diff --git a/app.json b/app.json
index b2116eb6..54ce160e 100644
--- a/app.json
+++ b/app.json
@@ -23,6 +23,10 @@
"description": "Specify database type. See sequelize available databases. Default using postgres",
"value": "postgres"
},
+ "HMD_SESSION_SECRET": {
+ "description": "Secret used to secure session cookies.",
+ "required": false
+ },
"HMD_HSTS_ENABLE": {
"description": "whether to also use HSTS if HTTPS is enabled",
"required": false
diff --git a/config.json.example b/config.json.example
index 8d1b6abd..2d9b7714 100644
--- a/config.json.example
+++ b/config.json.example
@@ -27,7 +27,9 @@
"directives": {
},
"upgradeInsecureRequests": "auto"
- "addDefaults": true
+ "addDefaults": true,
+ "addDisqus": true,
+ "addGoogleAnalytics": true
},
"db": {
"username": "",
diff --git a/lib/config/default.js b/lib/config/default.js
index b6f1af17..68849d36 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,6 +18,8 @@ module.exports = {
directives: {
},
addDefaults: true,
+ addDisqus: true,
+ addGoogleAnalytics: true,
upgradeInsecureRequests: 'auto',
reportURI: undefined
},
diff --git a/lib/config/environment.js b/lib/config/environment.js
index cab3bc3e..3dde4786 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -26,6 +26,8 @@ module.exports = {
allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
dbURL: process.env.HMD_DB_URL,
+ sessionSecret: process.env.HMD_SESSION_SECRET,
+ sessionLife: toIntegerConfig(process.env.HMD_SESSION_LIFE),
imageUploadType: process.env.HMD_IMAGE_UPLOAD_TYPE,
imgur: {
clientID: process.env.HMD_IMGUR_CLIENTID
diff --git a/lib/csp.js b/lib/csp.js
index 8a4aa088..d0f906a3 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -5,7 +5,7 @@ var CspStrategy = {}
var defaultDirectives = {
defaultSrc: ['\'self\''],
- scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''],
+ scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594
imgSrc: ['*'],
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
@@ -22,11 +22,23 @@ var cdnDirectives = {
fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
}
+var disqusDirectives = {
+ scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
+ styleSrc: ['https://*.disquscdn.com'],
+ fontSrc: ['https://*.disquscdn.com']
+}
+
+var googleAnalyticsDirectives = {
+ scriptSrc: ['https://www.google-analytics.com']
+}
+
CspStrategy.computeDirectives = function () {
var directives = {}
mergeDirectives(directives, config.csp.directives)
mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
+ mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
+ mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
if (!areAllInlineScriptsAllowed(directives)) {
addInlineScriptExceptions(directives)
}
diff --git a/lib/response.js b/lib/response.js
index b18fd7a3..d5c685ca 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -226,7 +226,8 @@ function showPublishNote (req, res, next) {
lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
robots: meta.robots || false, // default allow robots
GA: meta.GA,
- disqus: meta.disqus
+ disqus: meta.disqus,
+ cspNonce: res.locals.nonce
}
return renderPublish(data, res)
}).catch(function (err) {
diff --git a/public/views/shared/disqus.ejs b/public/views/shared/disqus.ejs
index cceaa85c..840d1e38 100644
--- a/public/views/shared/disqus.ejs
+++ b/public/views/shared/disqus.ejs
@@ -1,14 +1,13 @@
<div id="disqus_thread"></div>
-<script>
+<script nonce="<%= cspNonce %>">
var disqus_config = function () {
this.page.identifier = window.location.pathname.split('/').slice(-1)[0];
};
(function() {
var d = document, s = d.createElement('script');
- s.src = '//<%= disqus %>.disqus.com/embed.js';
+ s.src = 'https://<%= disqus %>.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
- \ No newline at end of file
diff --git a/public/views/shared/ga.ejs b/public/views/shared/ga.ejs
index 66d4acd9..27abb742 100644
--- a/public/views/shared/ga.ejs
+++ b/public/views/shared/ga.ejs
@@ -1,5 +1,5 @@
<% if(typeof GA !== 'undefined' && GA) { %>
-<script>
+<script nonce="<%= cspNonce %>">
(function (i, s, o, g, r, a, m) {
i['GoogleAnalyticsObject'] = r;
i[r] = i[r] || function () {
@@ -10,9 +10,9 @@
a.async = 1;
a.src = g;
m.parentNode.insertBefore(a, m)
-})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');
+})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
ga('create', '<%= GA %>', 'auto');
ga('send', 'pageview');
</script>
-<% } %> \ No newline at end of file
+<% } %>