path: root/lib/csp.js

Commit log (commit message, author, date, files changed, lines changed):
* Fix upgradeInsecureRequests CSP directive
  Author: David Mehren  Date: 2021-05-04  Files: 1  Lines: -2/+2

  The `upgradeInsecureRequests` option of Helmet's CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly.

  Closes #1221
  See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy

  Signed-off-by: David Mehren <git@herrmehren.de>
* Remove yahoo domain from default CSP rules
  Author: Erik Michelson  Date: 2021-03-29  Files: 1  Lines: -1/+1

  Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
* Use new uuid export
  Author: David Mehren  Date: 2021-02-16  Files: 1  Lines: -2/+2

  Signed-off-by: David Mehren <git@herrmehren.de>
* Linter: Fix all lint errors
  Author: Philip Molares  Date: 2021-02-15  Files: 1  Lines: -12/+12

  Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Add missing unsafe-inline CSP directive
  Author: Erik Michelson  Date: 2020-08-23  Files: 1  Lines: -1/+1

  Dropbox loads an external script that adds inline JavaScript. Therefore, this addition is needed when enabling Dropbox support.

  Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Add dropbox CSP directive if configured and make button clickable
  Author: Erik Michelson  Date: 2020-08-23  Files: 1  Lines: -0/+5

  The lack of a 'preventDefault' on the click event handler resulted in the Dropbox link being unclickable. Furthermore, because of a missing CSP rule, the Dropbox script couldn't be loaded. The Dropbox origin is now added to the CSP script sources if Dropbox integration is configured.

  Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Update RevealJS to version 3.9.2
  Author: Sheogorath  Date: 2020-02-01  Files: 1  Lines: -1/+1

  This update of reveal.js helps us to get rid of the headjs dependency integration using webpack. It updates reveal.js to 3.9.2 and updates the CSP hash accordingly for using the slide mode.

  Background for this update is the critical security vulnerability described by Snyk in their disclosure: https://snyk.io/vuln/SNYK-JS-REVEALJS-543841

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1105 from SISheogorath/fix/gistCSP
  Author: Christoph (Sheogorath) Kern  Date: 2018-12-21  Files: 1  Lines: -1/+1

  Fix broken Gist embedding
  * Fix broken Gist embedding
    Author: Sheogorath  Date: 2018-12-20  Files: 1  Lines: -1/+1

    Looks like GitHub changed their asset system and our CSP prevented them from getting loaded. This patch should fix the Gist embedding with enabled CSP by replacing the old URL `https://assets-cdn.github.com` with the new `https://github.githubassets.com`.

    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1091 from SISheogorath/fix/speakerNotesCSP
  Author: Christoph (Sheogorath) Kern  Date: 2018-12-06  Files: 1  Lines: -1/+1

  Fix CSP for speaker notes
  * Fix CSP for speaker notes
    Author: Sheogorath  Date: 2018-12-05  Files: 1  Lines: -1/+1

    Looks like I was wrong in my previous commit to update revealjs.[1] The speaker notes broke again with the CSPs. So this patch updates the hash and, this way, the speaker notes.

    [1]: bcebf1e8d285184f8c905f00e0270621790e7b80

    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix disqus CSP
  Author: Sheogorath  Date: 2018-12-05  Files: 1  Lines: -1/+1

  Disqus loads its embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail.

  This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change, since the same parties are still involved.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add `data:` URL to CSP and upgrade helmet
  Author: Sheogorath  Date: 2018-10-04  Files: 1  Lines: -1/+1

  Seems like the old version of helmet had a problem with `data:`. This patch upgrades to the latest version and adds the CSP rule to allow Google Fonts and the offline version of it, to properly include the fonts and no longer throw ugly error messages at us.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add script src hash for speaker note to CSP directives
  Author: Max Wu  Date: 2018-07-05  Files: 1  Lines: -1/+1

  Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Final replacements
  Author: Sheogorath  Date: 2018-06-24  Files: 1  Lines: -1/+1

  Looks like I missed a few. This should be complete now. And make us ready for the repo rename and merging.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix CSP for disqus and Google Analytics
  Author: Sheogorath  Date: 2018-03-30  Files: 1  Lines: -1/+13

  This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP.

  It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Allow embedding of video and audio tags
  Author: Sheogorath  Date: 2018-03-25  Files: 1  Lines: -0/+1

  Adding mediaSrc to CSP so video and audio files can be embedded without problems.

  From a security perspective it should be fine to load audio and video data without introducing a high security issue. Only from a privacy perspective does it allow another way to track users if there is data embedded. But it doesn't introduce any new attack vector, as pictures are also allowed from everywhere.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Change config to camel case with backwards compatibility
  Author: Sheogorath  Date: 2018-03-25  Files: 1  Lines: -2/+2

  This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it easier to understand.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add config option for report URI in CSP
  Author: Sheogorath  Date: 2018-03-14  Files: 1  Lines: -0/+7

  This option is needed as it's currently not possible to add a report URI via the directives array. This option also allows getting CSP reports not only on Docker-based setups but also on our Heroku instances.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Move CSP logic to new file, Fix boolean config examples
  Author: Literallie  Date: 2017-10-22  Files: 1  Lines: -0/+80

  Not sure why I was quoting these in the first place.