summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--lib/config/default.js2
-rw-r--r--lib/csp.js14
-rw-r--r--lib/response.js3
3 files changed, 17 insertions, 2 deletions
diff --git a/lib/config/default.js b/lib/config/default.js
index b6f1af17..68849d36 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,6 +18,8 @@ module.exports = {
directives: {
},
addDefaults: true,
+ addDisqus: true,
+ addGoogleAnalytics: true,
upgradeInsecureRequests: 'auto',
reportURI: undefined
},
diff --git a/lib/csp.js b/lib/csp.js
index 8a4aa088..d0f906a3 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -5,7 +5,7 @@ var CspStrategy = {}
var defaultDirectives = {
defaultSrc: ['\'self\''],
- scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''],
+ scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594
imgSrc: ['*'],
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
@@ -22,11 +22,23 @@ var cdnDirectives = {
fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
}
+var disqusDirectives = {
+ scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
+ styleSrc: ['https://*.disquscdn.com'],
+ fontSrc: ['https://*.disquscdn.com']
+}
+
+var googleAnalyticsDirectives = {
+ scriptSrc: ['https://www.google-analytics.com']
+}
+
CspStrategy.computeDirectives = function () {
var directives = {}
mergeDirectives(directives, config.csp.directives)
mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
+ mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
+ mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
if (!areAllInlineScriptsAllowed(directives)) {
addInlineScriptExceptions(directives)
}
diff --git a/lib/response.js b/lib/response.js
index b18fd7a3..d5c685ca 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -226,7 +226,8 @@ function showPublishNote (req, res, next) {
lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
robots: meta.robots || false, // default allow robots
GA: meta.GA,
- disqus: meta.disqus
+ disqus: meta.disqus,
+ cspNonce: res.locals.nonce
}
return renderPublish(data, res)
}).catch(function (err) {