diff --git a/config/routes/admin.js b/config/routes/admin.js
index f05d554..e3299b7 100755
--- a/config/routes/admin.js
+++ b/config/routes/admin.js
@@ -1,13 +1,11 @@
'use strict'
const router = require('express').Router()
-const uuid = require('node-uuid')
const mw = require('../middleware.js')
const debug = require('debug')('tracman-routes-admin')
const User = require('../models.js').user
router.get('/', mw.ensureAdmin, async (req, res) => {
- res.locals.nonce = uuid.v4()
try {
let found = await User.find({}).sort({lastLogin: -1})
res.render('admin', {
diff --git a/package-lock.json b/package-lock.json
index a3e1c0a..097175b 100755
--- a/package-lock.json
+++ b/package-lock.json
@@ -5175,11 +5175,6 @@
"tar-pack": "3.4.1"
}
},
- "node-uuid": {
- "version": "1.4.8",
- "resolved": "https://registry.npmjs.org/node-uuid/-/node-uuid-1.4.8.tgz",
- "integrity": "sha1-sEDrCSOWivq/jTL7HxfxFn/auQc="
- },
"nodemailer": {
"version": "4.4.1",
"resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-4.4.1.tgz",
diff --git a/package.json b/package.json
index 7720738..7fe485e 100755
--- a/package.json
+++ b/package.json
@@ -23,7 +23,6 @@
"mongo-sanitize": "^1.0.0",
"mongoose": "^4.11.13",
"mongoose-unique-validator": "^1.0.6",
- "node-uuid": "^1.4.8",
"nodemailer": "^4.1.1",
"nunjucks": "^3.0.1",
"passport": "^0.3.2",
diff --git a/server.js b/server.js
index e93052e..a6381ca 100755
--- a/server.js
+++ b/server.js
@@ -60,6 +60,40 @@ let ready_promise_list = []
helmet.referrerPolicy({
policy: 'strict-origin',
}),
+ csp({directives:{
+ 'default-src': ["'self'"],
+ 'script-src': ["'self'",
+ "'unsafe-inline'", // TODO: Get rid of this
+ 'https://code.jquery.com',
+ 'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*',
+ 'https://www.google.com/recaptcha',
+ 'https://www.google-analytics.com',
+ 'https://maps.googleapis.com',
+ 'https://coin-hive.com',
+ 'https://coinhive.com',
+ ],
+ 'worker-src': ["'self'",
+ 'blob:', // for coinhive
+ ],
+ 'connect-src': ["'self'",
+ 'wss://*.tracman.org',
+ 'wss://*.coinhive.com',
+ ],
+ 'style-src': ["'self'",
+ "'unsafe-inline'",
+ 'https://fonts.googleapis.com',
+ 'https://maxcdn.bootstrapcdn.com',
+ ],
+ 'font-src': ['https://fonts.gstatic.com'],
+ 'img-src': ["'self'",
+ 'https://www.google-analytics.com',
+ 'https://maps.gstatic.com',
+ 'https://maps.googleapis.com',
+ 'https://http.cat',
+ ],
+ 'object-src': ["'none'"],
+ 'report-uri': '/csp-violation',
+ }}),
cookieParser(env.cookie),
cookieSession({
cookie: {
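Review bot: Replacing the per-request nonce with `"'unsafe-inline'"` in `script-src` removes the one control that made the policy block injected inline scripts, so this CSP no longer mitigates reflected or stored XSS in rendered views; the `// TODO` on that entry acknowledges it, but the policy ships this way for every response. The function form the earlier policy used, `(req, res) => \`'nonce-${res.locals.nonce}'\``, still works with this middleware; the only missing piece is setting `res.locals.nonce` on every request now that the admin route no longer does it, which a small middleware placed before `csp(...)` can do with `crypto.randomBytes(16).toString('base64')` (needs `const crypto = require('crypto')` at the top of the file, outside this hunk). Browsers that understand nonces ignore `'unsafe-inline'` once a nonce is present, so the two can coexist while templates are migrated to `nonce="{{ nonce }}"` — confirm the nunjucks templates expose `res.locals` that way. Separately, the `*` in the moment.js path is not a wildcard in CSP source expressions (wildcards are only allowed in the scheme/host part), so that entry likely never matches and should be checked against the URL actually loaded. The `app.use([...])` call this hunk sits in begins outside the hunk.
```javascript
  // Per-request nonce so inline <script> tags can be allowed without 'unsafe-inline'
  (req, res, next) => {
    res.locals.nonce = crypto.randomBytes(16).toString('base64')
    next()
  },
  csp({directives:{
    'default-src': ["'self'"],
    'script-src': ["'self'",
      (req, res) => `'nonce-${res.locals.nonce}'`,
      "'unsafe-inline'", // ignored by nonce-aware browsers; fallback only until templates carry the nonce
      // … unchanged: remaining script-src hosts …
    ],
    // … unchanged: worker-src, connect-src, style-src, font-src, img-src, object-src, report-uri …
  }}),
```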
@@ -81,7 +115,7 @@ let ready_promise_list = []
/* Report CSP violations */
app.post('/csp-violation', (req, res) => {
- console.log(`CSP Violation! \n${JSON.stringify(req.body)}`)
+ console.log(`CSP Violation: ${JSON.stringify(req.body)}`)
res.status(204).end()
})
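Review bot: `JSON.stringify(req.body)` in the new log line writes an unauthenticated, client-controlled request body to the log in full, so anyone can POST arbitrary payloads to `/csp-violation` to bloat the logs or plant misleading "violations"; logging only the fields you act on and capping the size, e.g. `console.log(\`CSP Violation: ${JSON.stringify(req.body).slice(0, 2048)}\`)`, limits that. Browsers also send these reports with `Content-Type: application/csp-report`, which a default `express.json()` parser does not accept, so unless the body parser is configured for that type (not visible here) `req.body` may be undefined and the line logs nothing useful — worth confirming against the parser setup outside this hunk.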
@@ -177,33 +211,10 @@ app.post('/csp-violation', (req, res) => {
}
}
-// CSRF and CSP Protection (keep after routes)
-app.use(
- csurf({
+// CSRF Protection (keep after routes)
+app.use(csurf({
cookie: true,
- }),
- csp({directives:{
- 'default-src': ["'self'"],
- 'script-src': ["'self'",
- (req, res) => `'nonce-${res.locals.nonce}'`,
- 'https://code.jquery.com',
- 'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*',
- 'https://www.google.com/recaptcha',
- 'https://www.google-analytics.com',
- 'https://coin-hive.com',
- 'https://coinhive.com',
- ],
- 'style-src': ["'self'",
- 'https://fonts.googleapis.com',
- 'https://maxcdn.bootstrapcdn.com',
- ],
- 'img-src': ["'self'",
- 'https://http.cat',
- ],
- 'object-src': ["'none'"],
- 'report-uri': '/csp-violation',
- }})
-)
+ }))
/* Sockets */ {
sockets.init(io)
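Review bot: `csurf({ cookie: true })` keeps the library defaults for the CSRF secret cookie, which (check the csurf version in use) leaves it without `httpOnly`, `secure` or `sameSite` flags; passing an options object instead, e.g. `cookie: { httpOnly: true, sameSite: 'strict', secure: <PRODUCTION_FLAG_PLACEHOLDER> }`, keeps the token secret out of script reach and out of cross-site requests. This was already the case before the change, but the hunk now rewrites the whole call so it is the natural place to set it. The `/* Sockets */` block that starts at the end of the hunk continues outside it.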
diff --git a/views/admin.html b/views/admin.html
index 998351a..ec9b549 100755
--- a/views/admin.html
+++ b/views/admin.html
@@ -53,6 +53,7 @@
+