Fixed content security policy
parent
06eadd4d2b
commit
099def30ec
|
@ -1,13 +1,11 @@
|
|||
'use strict'
|
||||
|
||||
const router = require('express').Router()
|
||||
const uuid = require('node-uuid')
|
||||
const mw = require('../middleware.js')
|
||||
const debug = require('debug')('tracman-routes-admin')
|
||||
const User = require('../models.js').user
|
||||
|
||||
router.get('/', mw.ensureAdmin, async (req, res) => {
|
||||
res.locals.nonce = uuid.v4()
|
||||
try {
|
||||
let found = await User.find({}).sort({lastLogin: -1})
|
||||
res.render('admin', {
|
||||
|
|
|
@ -5175,11 +5175,6 @@
|
|||
"tar-pack": "3.4.1"
|
||||
}
|
||||
},
|
||||
"node-uuid": {
|
||||
"version": "1.4.8",
|
||||
"resolved": "https://registry.npmjs.org/node-uuid/-/node-uuid-1.4.8.tgz",
|
||||
"integrity": "sha1-sEDrCSOWivq/jTL7HxfxFn/auQc="
|
||||
},
|
||||
"nodemailer": {
|
||||
"version": "4.4.1",
|
||||
"resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-4.4.1.tgz",
|
||||
|
|
|
@ -23,7 +23,6 @@
|
|||
"mongo-sanitize": "^1.0.0",
|
||||
"mongoose": "^4.11.13",
|
||||
"mongoose-unique-validator": "^1.0.6",
|
||||
"node-uuid": "^1.4.8",
|
||||
"nodemailer": "^4.1.1",
|
||||
"nunjucks": "^3.0.1",
|
||||
"passport": "^0.3.2",
|
||||
|
|
65
server.js
65
server.js
|
@ -60,6 +60,40 @@ let ready_promise_list = []
|
|||
helmet.referrerPolicy({
|
||||
policy: 'strict-origin',
|
||||
}),
|
||||
csp({directives:{
|
||||
'default-src': ["'self'"],
|
||||
'script-src': ["'self'",
|
||||
"'unsafe-inline'", // TODO: Get rid of this
|
||||
'https://code.jquery.com',
|
||||
'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*',
|
||||
'https://www.google.com/recaptcha',
|
||||
'https://www.google-analytics.com',
|
||||
'https://maps.googleapis.com',
|
||||
'https://coin-hive.com',
|
||||
'https://coinhive.com',
|
||||
],
|
||||
'worker-src': ["'self'",
|
||||
'blob:', // for coinhive
|
||||
],
|
||||
'connect-src': ["'self'",
|
||||
'wss://*.tracman.org',
|
||||
'wss://*.coinhive.com',
|
||||
],
|
||||
'style-src': ["'self'",
|
||||
"'unsafe-inline'",
|
||||
'https://fonts.googleapis.com',
|
||||
'https://maxcdn.bootstrapcdn.com',
|
||||
],
|
||||
'font-src': ['https://fonts.gstatic.com'],
|
||||
'img-src': ["'self'",
|
||||
'https://www.google-analytics.com',
|
||||
'https://maps.gstatic.com',
|
||||
'https://maps.googleapis.com',
|
||||
'https://http.cat',
|
||||
],
|
||||
'object-src': ["'none'"],
|
||||
'report-uri': '/csp-violation',
|
||||
}}),
|
||||
cookieParser(env.cookie),
|
||||
cookieSession({
|
||||
cookie: {
|
||||
|
@ -81,7 +115,7 @@ let ready_promise_list = []
|
|||
|
||||
/* Report CSP violations */
|
||||
app.post('/csp-violation', (req, res) => {
|
||||
console.log(`CSP Violation! \n${JSON.stringify(req.body)}`)
|
||||
console.log(`CSP Violation: ${JSON.stringify(req.body)}`)
|
||||
res.status(204).end()
|
||||
})
|
||||
|
||||
|
@ -177,33 +211,10 @@ app.post('/csp-violation', (req, res) => {
|
|||
}
|
||||
}
|
||||
|
||||
// CSRF and CSP Protection (keep after routes)
|
||||
app.use(
|
||||
csurf({
|
||||
// CSRF Protection (keep after routes)
|
||||
app.use(csurf({
|
||||
cookie: true,
|
||||
}),
|
||||
csp({directives:{
|
||||
'default-src': ["'self'"],
|
||||
'script-src': ["'self'",
|
||||
(req, res) => `'nonce-${res.locals.nonce}'`,
|
||||
'https://code.jquery.com',
|
||||
'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*',
|
||||
'https://www.google.com/recaptcha',
|
||||
'https://www.google-analytics.com',
|
||||
'https://coin-hive.com',
|
||||
'https://coinhive.com',
|
||||
],
|
||||
'style-src': ["'self'",
|
||||
'https://fonts.googleapis.com',
|
||||
'https://maxcdn.bootstrapcdn.com',
|
||||
],
|
||||
'img-src': ["'self'",
|
||||
'https://http.cat',
|
||||
],
|
||||
'object-src': ["'none'"],
|
||||
'report-uri': '/csp-violation',
|
||||
}})
|
||||
)
|
||||
}))
|
||||
|
||||
/* Sockets */ {
|
||||
sockets.init(io)
|
||||
|
|
|
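Review bot: The new `'script-src'` list keeps `"'unsafe-inline'", // TODO: Get rid of this`, which lets any injected inline script execute and so gives up most of what the policy is meant to provide; the nonce entry the old post-routes block used (`(req, res) => \`'nonce-${res.locals.nonce}'\``) presumably stopped working because the header is now computed before any route has set `res.locals.nonce`. A small middleware placed just ahead of `csp(` in the same `app.use(` argument list (which opens and closes outside the hunk) can set a per-response nonce from Node's `crypto` module (`const crypto = require('crypto')` near the top of server.js if it is not already there), so templates can mark their inline scripts with `nonce="{{nonce}}"` and the `'unsafe-inline'` entry can be dropped. Separately, the `*` in `'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*'` is not a wildcard inside a CSP path (paths match literally, or as a prefix when they end in `/`), so the versioned moment.min.js tag added in the template hunk further down would be refused by a conforming browser; `'https://cdnjs.cloudflare.com/ajax/libs/moment.js/'` covers the whole directory.
```javascript
// … unchanged: helmet.referrerPolicy({ ... }) …
// Per-response nonce, set before csp() builds the header so templates can use nonce="{{nonce}}"
(req, res, next) => {
  res.locals.nonce = crypto.randomBytes(16).toString('base64')
  next()
},
csp({directives:{
  'default-src': ["'self'"],
  'script-src': ["'self'",
    (req, res) => `'nonce-${res.locals.nonce}'`,
    'https://code.jquery.com',
    'https://cdnjs.cloudflare.com/ajax/libs/moment.js/',
    // … unchanged: remaining script-src hosts …
  ],
  // … unchanged: worker-src, connect-src, style-src, font-src, img-src, object-src, report-uri …
}}),
```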
@ -53,6 +53,7 @@
|
|||
</section>
|
||||
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.1/moment.min.js" integrity="sha256-1hjUhpc44NwiNg8OwMu2QzJXhD8kcj+sJA3aCQZoUjg=" crossorigin="anonymous"></script>
|
||||
<!-- TODO: Move this script to own file -->
|
||||
<script type="application/javascript">
|
||||
|
||||
/* DATE/TIME FORMATS */ {
|
||||
|
|
|
@ -104,6 +104,7 @@
|
|||
{{super()}}
|
||||
|
||||
<!-- Variables from server-side -->
|
||||
<!-- TODO: Move to own script file, maybe with https://github.com/brooklynDev/JShare -->
|
||||
<script>
|
||||
const mapuser = JSON.parse('{{mapuser |dump|safe}}'),
|
||||
mapKey = "{{mapApi |safe}}",
|
||||
|
|