path: root/lib/csp.js

Commit log (newest first). Each entry: subject; author, date, files changed, lines removed/added; commit message body.
* Add `data:` URL to CSP and upgrade helmet
  Sheogorath, 2018-10-04, 1 file, -1/+1

  Seems like the old version of helmet had a problem with `data:`. This patch upgrades to the latest version and adds the CSP rule to allow Google Fonts and the offline version of it, to properly include the fonts and no longer throw ugly error messages at us.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add script src hash for speaker note to CSP directives
  Max Wu, 2018-07-05, 1 file, -1/+1

  Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Final replacements
  Sheogorath, 2018-06-24, 1 file, -1/+1

  Looks like I missed a few. This should be complete now and make us ready for the repo rename and merging.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix CSP for disqus and Google Analytics
  Sheogorath, 2018-03-30, 1 file, -1/+13

  This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Allow embedding of video and audio tags
  Sheogorath, 2018-03-25, 1 file, -0/+1

  Adding mediaSrc to CSP so video and audio files can be embedded without problems. From a security perspective it should be fine to load audio and video data without introducing a high security issue. Only from a privacy perspective does it allow another way to track users if such data is embedded. But it doesn't introduce any new attack vector, as pictures are also allowed from everywhere.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Change config to camel case with backwards compatibility
  Sheogorath, 2018-03-25, 1 file, -2/+2

  This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it easier to understand.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add config option for report URI in CSP
  Sheogorath, 2018-03-14, 1 file, -0/+7

  This option is needed as it's currently not possible to add a report URI via the directives array. This option also allows us to get CSP reports not only on Docker-based setups but also on our Heroku instances.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Move CSP logic to new file, Fix boolean config examples
  Literallie, 2017-10-22, 1 file, -0/+80

  Not sure why I was quoting these in the first place