From efa490a50f5849205645384ee7910764bf929794 Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Sat, 10 Mar 2018 14:34:14 +0100
Subject: Add config option for report URI in CSP

This option is needed as it's currently not possible to add an report URI by the directives array.
This option also allows to get CSP reports not only on docker based setup but also on our heroku instances.

Signed-off-by: Sheogorath
---
 lib/config/default.js | 3 ++-
 lib/config/environment.js | 3 ++-
 lib/csp.js | 7 +++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/config/default.js b/lib/config/default.js
index 06e887f4..7407ec60 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,7 +18,8 @@ module.exports = {
 directives: {
 },
 addDefaults: true,
- upgradeInsecureRequests: 'auto'
+ upgradeInsecureRequests: 'auto',
+ reportURI: undefined
 },
 protocolusessl: false,
 usecdn: true,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index b83c67e5..34049fb2 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -15,7 +15,8 @@ module.exports = {
 preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
 },
 csp: {
- enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+ enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
+ reportURI: process.env.HMD_CSP_REPORTURI
 },
 protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
 alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
diff --git a/lib/csp.js b/lib/csp.js
index 509bc530..b46ae8ef 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
 addInlineScriptExceptions(directives)
 }
 addUpgradeUnsafeRequestsOptionTo(directives)
+ addReportURI(directives)
 return directives
 }
 
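Review bot: In the lib/config/environment.js hunk, `reportURI: process.env.HMD_CSP_REPORTURI` passes the raw environment string through untouched, while the neighbouring keys are normalised by `toBooleanConfig`/`toArrayConfig`; nothing in this diff checks that the value is an absolute URL, so a malformed or whitespace-only value reaches the CSP layer unless the middleware downstream rejects it, which is not visible here. Trimming the value at this point, or at least adding `// absolute URL of the CSP violation-report collector` above the key, would make the expected shape clear to whoever sets the variable. The lib/config/default.js hunk and the first lib/csp.js hunk need no note.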
@@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
 }
 }
 
+function addReportURI (directives) {
+ if (config.csp.reportURI) {
+ directives.reportUri = config.csp.reportURI
+ }
+}
+
 CspStrategy.addNonceToLocals = function (req, res, next) {
 res.locals.nonce = uuid.v4()
 next()
-- 
cgit v1.2.3
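Review bot: `addReportURI` carries no comment on what the endpoint named in `config.csp.reportURI` will receive, and that matters because CSP violation reports include the document URL and the blocked resource URL, so pointing `HMD_CSP_REPORTURI` at an external collector discloses which pages users open; a line above the function such as `// Violation reports carry the page URL and blocked URL; only send them to a collector the operator controls.` would state that cost where the option is implemented. The truthiness test `if (config.csp.reportURI)` also lets a whitespace-only string through, so guarding on the trimmed value, e.g. `if (typeof config.csp.reportURI === 'string' && config.csp.reportURI.trim())`, would be a little safer given the default is `undefined`. Whether the CSP middleware expects the camelCase directive key `reportUri` is not visible in this diff — presumably it does, but it is worth confirming, and the `report-uri` directive is deprecated in CSP Level 3 in favour of `report-to`, so this option may eventually need a companion.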