Fixed content security policy

config/routes/admin.js

@@ -1,13 +1,11 @@
 'use strict'
 
 const router = require('express').Router()
-const uuid = require('node-uuid')
 const mw = require('../middleware.js')
 const debug = require('debug')('tracman-routes-admin')
 const User = require('../models.js').user
 
 router.get('/', mw.ensureAdmin, async (req, res) => {
-  res.locals.nonce = uuid.v4()
   try {
     let found = await User.find({}).sort({lastLogin: -1})
     res.render('admin', {

package-lock.json

@@ -5175,11 +5175,6 @@
         "tar-pack": "3.4.1"
       }
     },
-    "node-uuid": {
-      "version": "1.4.8",
-      "resolved": "https://registry.npmjs.org/node-uuid/-/node-uuid-1.4.8.tgz",
-      "integrity": "sha1-sEDrCSOWivq/jTL7HxfxFn/auQc="
-    },
     "nodemailer": {
       "version": "4.4.1",
       "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-4.4.1.tgz",

package.json

@@ -23,7 +23,6 @@
     "mongo-sanitize": "^1.0.0",
     "mongoose": "^4.11.13",
     "mongoose-unique-validator": "^1.0.6",
-    "node-uuid": "^1.4.8",
     "nodemailer": "^4.1.1",
     "nunjucks": "^3.0.1",
     "passport": "^0.3.2",

server.js

@@ -60,6 +60,40 @@ let ready_promise_list = []
   helmet.referrerPolicy({
     policy: 'strict-origin',
   }),
+  csp({directives:{
+    'default-src': ["'self'"],
+    'script-src': ["'self'",
+      "'unsafe-inline'", // TODO: Get rid of this
+      'https://code.jquery.com',
+      'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*',
+      'https://www.google.com/recaptcha',
+      'https://www.google-analytics.com',
+      'https://maps.googleapis.com',
+      'https://coin-hive.com',
+      'https://coinhive.com',
+    ],
+    'worker-src': ["'self'",
+      'blob:', // for coinhive
+    ],
+    'connect-src': ["'self'",
+      'wss://*.tracman.org',
+      'wss://*.coinhive.com',
+    ],
+    'style-src': ["'self'",
+      "'unsafe-inline'",
+      'https://fonts.googleapis.com',
+      'https://maxcdn.bootstrapcdn.com',
+    ],
+    'font-src': ['https://fonts.gstatic.com'],
+    'img-src': ["'self'",
+      'https://www.google-analytics.com',
+      'https://maps.gstatic.com',
+      'https://maps.googleapis.com',
+      'https://http.cat',
+    ],
+    'object-src': ["'none'"],
+    'report-uri': '/csp-violation',
+  }}),
   cookieParser(env.cookie),
   cookieSession({
     cookie: {
@@ -81,7 +115,7 @@ let ready_promise_list = []
 
 /* Report CSP violations */
 app.post('/csp-violation', (req, res) => {
-  console.log(`CSP Violation! \n${JSON.stringify(req.body)}`)
+  console.log(`CSP Violation: ${JSON.stringify(req.body)}`)
   res.status(204).end()
 })
 
@@ -177,33 +211,10 @@ app.post('/csp-violation', (req, res) => {
   }
 }
 
-// CSRF and CSP Protection (keep after routes)
-app.use(
-  csurf({
+// CSRF Protection (keep after routes)
+app.use(csurf({
     cookie: true,
-  }),
-  csp({directives:{
-    'default-src': ["'self'"],
-    'script-src': ["'self'",
-      (req, res) => `'nonce-${res.locals.nonce}'`,
-      'https://code.jquery.com',
-      'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*',
-      'https://www.google.com/recaptcha',
-      'https://www.google-analytics.com',
-      'https://coin-hive.com',
-      'https://coinhive.com',
-    ],
-    'style-src': ["'self'",
-      'https://fonts.googleapis.com',
-      'https://maxcdn.bootstrapcdn.com',
-    ],
-    'img-src': ["'self'",
-      'https://http.cat',
-    ],
-    'object-src': ["'none'"],
-    'report-uri': '/csp-violation',
-  }})
-)
+  }))
 
 /* Sockets */ {
   sockets.init(io)

views/admin.html

@@ -53,6 +53,7 @@
 	</section>
 
 	<script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.1/moment.min.js" integrity="sha256-1hjUhpc44NwiNg8OwMu2QzJXhD8kcj+sJA3aCQZoUjg=" crossorigin="anonymous"></script>
+	<!-- TODO: Move this script to own file -->
 	<script type="application/javascript">
 	
 		/* DATE/TIME FORMATS */ {

views/map.html

@@ -104,6 +104,7 @@
 {{super()}}
 
 	<!-- Variables from server-side -->
+	<!-- TODO: Move to own script file, maybe with https://github.com/brooklynDev/JShare -->
 	<script>
 		const mapuser = JSON.parse('{{mapuser |dump|safe}}'),
 			mapKey = "{{mapApi |safe}}",