LemmyNet/lemmy-ui
2
0
Fork 0
mirror of https://github.com/LemmyNet/lemmy-ui.git synced 2024-12-23 11:21:26 +00:00
Code Issues Projects Releases Wiki Activity

Set content security policy http header for all responses (#608)

Browse source
This commit is contained in:
Nutomic 2022-04-07 21:01:55 +00:00 committed by GitHub
parent 057a9ff4f5
commit f1c5c60c76
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
src/server/index.tsx
View file

@ -27,6 +27,13 @@ const [hostname, port] = process.env["LEMMY_UI_HOST"]
const extraThemesFolder = const extraThemesFolder =
process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes"; process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes";
server.use(function (_req, res, next) {
res.setHeader(
"Content-Security-Policy",
"default-src data: 'self'; connect-src * ws: wss:; frame-src *; img-src * data:; script-src 'self'; style-src 'self' 'unsafe-inline'; manifest-src 'self'"
);
next();
});
server.use(express.json()); server.use(express.json());
server.use(express.urlencoded({ extended: false })); server.use(express.urlencoded({ extended: false }));
server.use("/static", express.static(path.resolve("./dist"))); server.use("/static", express.static(path.resolve("./dist")));
@ -164,18 +171,8 @@ server.get("/*", async (req, res) => {
return res.redirect(context.url); return res.redirect(context.url);
} }
const cspHtml = (
<meta
http-equiv="Content-Security-Policy"
content="default-src data: 'self'; connect-src * ws: wss:; frame-src *; img-src * data:; script-src 'self'; style-src 'self' 'unsafe-inline'; manifest-src 'self'"
/>
);
const root = renderToString(wrapper); const root = renderToString(wrapper);
const symbols = renderToString(SYMBOLS); const symbols = renderToString(SYMBOLS);
const cspStr = process.env.LEMMY_EXTERNAL_HOST
? renderToString(cspHtml)
: "";
const helmet = Helmet.renderStatic(); const helmet = Helmet.renderStatic();
const config: ILemmyConfig = { wsHost: process.env.LEMMY_WS_HOST }; const config: ILemmyConfig = { wsHost: process.env.LEMMY_WS_HOST };
@ -200,9 +197,6 @@ server.get("/*", async (req, res) => {
<meta charset="utf-8"> <meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- Content Security Policy -->
${cspStr}
<!-- Web app manifest --> <!-- Web app manifest -->
<link rel="manifest" href="/static/assets/manifest.webmanifest"> <link rel="manifest" href="/static/assets/manifest.webmanifest">