mirror of
https://github.com/LemmyNet/lemmy-ui.git
synced 2024-11-29 15:51:14 +00:00
Revert "Set content security policy http header for all responses (#621)"
This reverts commit b77689ebd1.
parent
b77689ebd1
commit
054874b177
2 changed files with 17 additions and 16 deletions
|
@ -11,7 +11,7 @@ import process from "process";
|
||||||
import serialize from "serialize-javascript";
|
import serialize from "serialize-javascript";
|
||||||
import { App } from "../shared/components/app/app";
|
import { App } from "../shared/components/app/app";
|
||||||
import { SYMBOLS } from "../shared/components/common/symbols";
|
import { SYMBOLS } from "../shared/components/common/symbols";
|
||||||
import { httpBaseInternal, wsUriBase } from "../shared/env";
|
import { httpBaseInternal } from "../shared/env";
|
||||||
import {
|
import {
|
||||||
ILemmyConfig,
|
ILemmyConfig,
|
||||||
InitialFetchRequest,
|
InitialFetchRequest,
|
||||||
|
@ -27,18 +27,6 @@ const [hostname, port] = process.env["LEMMY_UI_HOST"]
|
||||||
const extraThemesFolder =
|
const extraThemesFolder =
|
||||||
process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes";
|
process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes";
|
||||||
|
|
||||||
server.use(function (_req, res, next) {
|
|
||||||
// in debug mode, websocket backend may be on another port, so we need to permit it in csp policy
|
|
||||||
var websocketBackend;
|
|
||||||
if (process.env.NODE_ENV == "development") {
|
|
||||||
websocketBackend = wsUriBase;
|
|
||||||
}
|
|
||||||
res.setHeader(
|
|
||||||
"Content-Security-Policy",
|
|
||||||
`default-src 'none'; connect-src 'self' ${websocketBackend}; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'`
|
|
||||||
);
|
|
||||||
next();
|
|
||||||
});
|
|
||||||
server.use(express.json());
|
server.use(express.json());
|
||||||
server.use(express.urlencoded({ extended: false }));
|
server.use(express.urlencoded({ extended: false }));
|
||||||
server.use("/static", express.static(path.resolve("./dist")));
|
server.use("/static", express.static(path.resolve("./dist")));
|
||||||
|
@ -178,6 +166,13 @@ server.get("/*", async (req, res) => {
|
||||||
return res.redirect(context.url);
|
return res.redirect(context.url);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const cspHtml = (
|
||||||
|
<meta
|
||||||
|
http-equiv="Content-Security-Policy"
|
||||||
|
content="default-src data: 'self'; connect-src * ws: wss:; frame-src *; img-src * data:; script-src 'self'; style-src 'self' 'unsafe-inline'; manifest-src 'self'"
|
||||||
|
/>
|
||||||
|
);
|
||||||
|
|
||||||
const eruda = (
|
const eruda = (
|
||||||
<>
|
<>
|
||||||
<script src="//cdn.jsdelivr.net/npm/eruda"></script>
|
<script src="//cdn.jsdelivr.net/npm/eruda"></script>
|
||||||
|
@ -185,8 +180,12 @@ server.get("/*", async (req, res) => {
|
||||||
</>
|
</>
|
||||||
);
|
);
|
||||||
const erudaStr = process.env["LEMMY_UI_DEBUG"] ? renderToString(eruda) : "";
|
const erudaStr = process.env["LEMMY_UI_DEBUG"] ? renderToString(eruda) : "";
|
||||||
|
|
||||||
const root = renderToString(wrapper);
|
const root = renderToString(wrapper);
|
||||||
const symbols = renderToString(SYMBOLS);
|
const symbols = renderToString(SYMBOLS);
|
||||||
|
const cspStr = process.env.LEMMY_EXTERNAL_HOST
|
||||||
|
? renderToString(cspHtml)
|
||||||
|
: "";
|
||||||
const helmet = Helmet.renderStatic();
|
const helmet = Helmet.renderStatic();
|
||||||
|
|
||||||
const config: ILemmyConfig = { wsHost: process.env.LEMMY_WS_HOST };
|
const config: ILemmyConfig = { wsHost: process.env.LEMMY_WS_HOST };
|
||||||
|
@ -209,6 +208,9 @@ server.get("/*", async (req, res) => {
|
||||||
<meta charset="utf-8">
|
<meta charset="utf-8">
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|
||||||
|
|
||||||
|
<!-- Content Security Policy -->
|
||||||
|
${cspStr}
|
||||||
|
|
||||||
<!-- Web app manifest -->
|
<!-- Web app manifest -->
|
||||||
<link rel="manifest" href="/static/assets/manifest.webmanifest">
|
<link rel="manifest" href="/static/assets/manifest.webmanifest">
|
||||||
|
|
||||||
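Review bot: The restored `cspHtml` meta policy omits the `form-action 'self'` and `base-uri 'self'` directives that the removed header carried, and neither falls back to `default-src`, so form targets and `<base>` stay unrestricted; consider appending `form-action 'self'; base-uri 'self'` to the `content` string. `cspStr` is rendered only when `process.env.LEMMY_EXTERNAL_HOST` is set, so a deployment without that variable serves the page with no policy at all, and a `<meta>` policy covers only this HTML document rather than every response that passed through the removed `server.use` middleware. The context lines also show the eruda script loaded from `cdn.jsdelivr.net`, which `script-src 'self'` would presumably block when `LEMMY_UI_DEBUG` and the policy are both active. The `server.get("/*")` handler starts and ends outside the visible hunks.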
|
|
|
@ -1,6 +1,6 @@
|
||||||
import { isBrowser } from "./utils";
|
import { isBrowser } from "./utils";
|
||||||
|
|
||||||
const testHost = "0.0.0.0:8536";
|
const testHost = "127.0.0.1:8536";
|
||||||
|
|
||||||
let internalHost =
|
let internalHost =
|
||||||
(!isBrowser() && process.env.LEMMY_INTERNAL_HOST) || testHost; // used for local dev
|
(!isBrowser() && process.env.LEMMY_INTERNAL_HOST) || testHost; // used for local dev
|
||||||
|
@ -35,8 +35,7 @@ if (isBrowser()) {
|
||||||
|
|
||||||
export const httpBaseInternal = `http://${host}`; // Don't use secure here
|
export const httpBaseInternal = `http://${host}`; // Don't use secure here
|
||||||
export const httpBase = `http${secure}://${host}`;
|
export const httpBase = `http${secure}://${host}`;
|
||||||
export const wsUriBase = `ws${secure}://${wsHost}`;
|
export const wsUri = `ws${secure}://${wsHost}/api/v3/ws`;
|
||||||
export const wsUri = `${wsUriBase}/api/v3/ws`;
|
|
||||||
export const pictrsUri = `${httpBase}/pictrs/image`;
|
export const pictrsUri = `${httpBase}/pictrs/image`;
|
||||||
export const isHttps = secure.endsWith("s");
|
export const isHttps = secure.endsWith("s");
|
||||||
|
|
||||||
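Review bot: `testHost` is now `127.0.0.1:8536`, yet nothing at the declaration says it is also the silent default for `internalHost` whenever `LEMMY_INTERNAL_HOST` is unset on the server; a comment such as `// loopback default for local dev; set LEMMY_INTERNAL_HOST in production` would make that explicit. With the fallback in place, a misconfigured deployment would presumably send its server-side requests over plain `http://` to whatever listens on that local port rather than fail at startup. The `if (isBrowser())` block named in the second hunk header lies outside the visible lines.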
|
|