Fixed content security policy
parent
06eadd4d2b
commit
099def30ec
|
@ -1,13 +1,11 @@
|
||||||
'use strict'
|
'use strict'
|
||||||
|
|
||||||
const router = require('express').Router()
|
const router = require('express').Router()
|
||||||
const uuid = require('node-uuid')
|
|
||||||
const mw = require('../middleware.js')
|
const mw = require('../middleware.js')
|
||||||
const debug = require('debug')('tracman-routes-admin')
|
const debug = require('debug')('tracman-routes-admin')
|
||||||
const User = require('../models.js').user
|
const User = require('../models.js').user
|
||||||
|
|
||||||
router.get('/', mw.ensureAdmin, async (req, res) => {
|
router.get('/', mw.ensureAdmin, async (req, res) => {
|
||||||
res.locals.nonce = uuid.v4()
|
|
||||||
try {
|
try {
|
||||||
let found = await User.find({}).sort({lastLogin: -1})
|
let found = await User.find({}).sort({lastLogin: -1})
|
||||||
res.render('admin', {
|
res.render('admin', {
|
||||||
|
|
|
@ -5175,11 +5175,6 @@
|
||||||
"tar-pack": "3.4.1"
|
"tar-pack": "3.4.1"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node-uuid": {
|
|
||||||
"version": "1.4.8",
|
|
||||||
"resolved": "https://registry.npmjs.org/node-uuid/-/node-uuid-1.4.8.tgz",
|
|
||||||
"integrity": "sha1-sEDrCSOWivq/jTL7HxfxFn/auQc="
|
|
||||||
},
|
|
||||||
"nodemailer": {
|
"nodemailer": {
|
||||||
"version": "4.4.1",
|
"version": "4.4.1",
|
||||||
"resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-4.4.1.tgz",
|
"resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-4.4.1.tgz",
|
||||||
|
|
|
@ -23,7 +23,6 @@
|
||||||
"mongo-sanitize": "^1.0.0",
|
"mongo-sanitize": "^1.0.0",
|
||||||
"mongoose": "^4.11.13",
|
"mongoose": "^4.11.13",
|
||||||
"mongoose-unique-validator": "^1.0.6",
|
"mongoose-unique-validator": "^1.0.6",
|
||||||
"node-uuid": "^1.4.8",
|
|
||||||
"nodemailer": "^4.1.1",
|
"nodemailer": "^4.1.1",
|
||||||
"nunjucks": "^3.0.1",
|
"nunjucks": "^3.0.1",
|
||||||
"passport": "^0.3.2",
|
"passport": "^0.3.2",
|
||||||
|
|
65
server.js
65
server.js
|
@ -60,6 +60,40 @@ let ready_promise_list = []
|
||||||
helmet.referrerPolicy({
|
helmet.referrerPolicy({
|
||||||
policy: 'strict-origin',
|
policy: 'strict-origin',
|
||||||
}),
|
}),
|
||||||
|
csp({directives:{
|
||||||
|
'default-src': ["'self'"],
|
||||||
|
'script-src': ["'self'",
|
||||||
|
"'unsafe-inline'", // TODO: Get rid of this
|
||||||
|
'https://code.jquery.com',
|
||||||
|
'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*',
|
||||||
|
'https://www.google.com/recaptcha',
|
||||||
|
'https://www.google-analytics.com',
|
||||||
|
'https://maps.googleapis.com',
|
||||||
|
'https://coin-hive.com',
|
||||||
|
'https://coinhive.com',
|
||||||
|
],
|
||||||
|
'worker-src': ["'self'",
|
||||||
|
'blob:', // for coinhive
|
||||||
|
],
|
||||||
|
'connect-src': ["'self'",
|
||||||
|
'wss://*.tracman.org',
|
||||||
|
'wss://*.coinhive.com',
|
||||||
|
],
|
||||||
|
'style-src': ["'self'",
|
||||||
|
"'unsafe-inline'",
|
||||||
|
'https://fonts.googleapis.com',
|
||||||
|
'https://maxcdn.bootstrapcdn.com',
|
||||||
|
],
|
||||||
|
'font-src': ['https://fonts.gstatic.com'],
|
||||||
|
'img-src': ["'self'",
|
||||||
|
'https://www.google-analytics.com',
|
||||||
|
'https://maps.gstatic.com',
|
||||||
|
'https://maps.googleapis.com',
|
||||||
|
'https://http.cat',
|
||||||
|
],
|
||||||
|
'object-src': ["'none'"],
|
||||||
|
'report-uri': '/csp-violation',
|
||||||
|
}}),
|
||||||
cookieParser(env.cookie),
|
cookieParser(env.cookie),
|
||||||
cookieSession({
|
cookieSession({
|
||||||
cookie: {
|
cookie: {
|
||||||
|
@ -81,7 +115,7 @@ let ready_promise_list = []
|
||||||
|
|
||||||
/* Report CSP violations */
|
/* Report CSP violations */
|
||||||
app.post('/csp-violation', (req, res) => {
|
app.post('/csp-violation', (req, res) => {
|
||||||
console.log(`CSP Violation! \n${JSON.stringify(req.body)}`)
|
console.log(`CSP Violation: ${JSON.stringify(req.body)}`)
|
||||||
res.status(204).end()
|
res.status(204).end()
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -177,33 +211,10 @@ app.post('/csp-violation', (req, res) => {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// CSRF and CSP Protection (keep after routes)
|
// CSRF Protection (keep after routes)
|
||||||
app.use(
|
app.use(csurf({
|
||||||
csurf({
|
|
||||||
cookie: true,
|
cookie: true,
|
||||||
}),
|
}))
|
||||||
csp({directives:{
|
|
||||||
'default-src': ["'self'"],
|
|
||||||
'script-src': ["'self'",
|
|
||||||
(req, res) => `'nonce-${res.locals.nonce}'`,
|
|
||||||
'https://code.jquery.com',
|
|
||||||
'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*',
|
|
||||||
'https://www.google.com/recaptcha',
|
|
||||||
'https://www.google-analytics.com',
|
|
||||||
'https://coin-hive.com',
|
|
||||||
'https://coinhive.com',
|
|
||||||
],
|
|
||||||
'style-src': ["'self'",
|
|
||||||
'https://fonts.googleapis.com',
|
|
||||||
'https://maxcdn.bootstrapcdn.com',
|
|
||||||
],
|
|
||||||
'img-src': ["'self'",
|
|
||||||
'https://http.cat',
|
|
||||||
],
|
|
||||||
'object-src': ["'none'"],
|
|
||||||
'report-uri': '/csp-violation',
|
|
||||||
}})
|
|
||||||
)
|
|
||||||
|
|
||||||
/* Sockets */ {
|
/* Sockets */ {
|
||||||
sockets.init(io)
|
sockets.init(io)
|
||||||
|
|
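Review bot: `'https://cdnjs.cloudflare.com/ajax/libs/moment.js/*'` in the new `script-src` will not match the moment.min.js the template hunk below loads: CSP allows `*` only in the scheme/host/port part, a `*` inside a path is a literal character, and a path that does not end in `/` is matched exactly, so the entry should read `'https://cdnjs.cloudflare.com/ajax/libs/moment.js/'` (trailing slash gives a prefix match). The `'unsafe-inline'` added to `script-src` re-enables every inline-script XSS the policy exists to block, and the per-request nonce this commit removes did not have to go: the old pairing failed because `csp()` sat after the routes ("keep after routes") and so never ran for rendered pages, while moving it before the routes would have read `res.locals.nonce` before the admin route set it. Generating the nonce in a small middleware placed ahead of `csp()` and keeping the function directive `(req, res) => \`'nonce-${res.locals.nonce}'\`` (already supported by this helmet-csp, see the removed hunk) fixes both; inline `<script>` tags then carry `nonce="{{nonce}}"`, and `const crypto = require('crypto')` (if not already present) replaces the dropped node-uuid dependency. The `app.use(` these middleware entries belong to starts above the hunk, so the placement below assumes they are its arguments.
```javascript
}),
(req, res, next) => {
  // Per-request nonce, set before csp() builds the header so the function
  // directive below can read it; inline scripts use nonce="{{nonce}}".
  res.locals.nonce = crypto.randomBytes(16).toString('base64')
  next()
},
csp({directives:{
  'default-src': ["'self'"],
  'script-src': ["'self'",
    (req, res) => `'nonce-${res.locals.nonce}'`, // instead of 'unsafe-inline'
    'https://code.jquery.com',
    'https://cdnjs.cloudflare.com/ajax/libs/moment.js/', // trailing slash: prefix match
    // … unchanged: recaptcha, google-analytics, maps and coinhive hosts …
  ],
  // … unchanged: worker-src, connect-src, style-src, font-src, img-src, object-src, report-uri …
}}),
```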
|
@ -53,6 +53,7 @@
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.1/moment.min.js" integrity="sha256-1hjUhpc44NwiNg8OwMu2QzJXhD8kcj+sJA3aCQZoUjg=" crossorigin="anonymous"></script>
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.1/moment.min.js" integrity="sha256-1hjUhpc44NwiNg8OwMu2QzJXhD8kcj+sJA3aCQZoUjg=" crossorigin="anonymous"></script>
|
||||||
|
<!-- TODO: Move this script to own file -->
|
||||||
<script type="application/javascript">
|
<script type="application/javascript">
|
||||||
|
|
||||||
/* DATE/TIME FORMATS */ {
|
/* DATE/TIME FORMATS */ {
|
||||||
|
|
|
@ -104,6 +104,7 @@
|
||||||
{{super()}}
|
{{super()}}
|
||||||
|
|
||||||
<!-- Variables from server-side -->
|
<!-- Variables from server-side -->
|
||||||
|
<!-- TODO: Move to own script file, maybe with https://github.com/brooklynDev/JShare -->
|
||||||
<script>
|
<script>
|
||||||
const mapuser = JSON.parse('{{mapuser |dump|safe}}'),
|
const mapuser = JSON.parse('{{mapuser |dump|safe}}'),
|
||||||
mapKey = "{{mapApi |safe}}",
|
mapKey = "{{mapApi |safe}}",
|
||||||
|
|
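Review bot: `JSON.parse('{{mapuser |dump|safe}}')` embeds server-side JSON inside a single-quoted JS string literal, and `dump` (JSON.stringify) escapes `"` and `\` but not `'`, `<` or `/`, so a `'` in any field breaks the script and a `</script>` in any field terminates the script element and injects markup — exactly what the `'unsafe-inline'` now in server.js's `script-src` no longer stops. Whether any `mapuser` field is user-supplied (a display name, say) is not visible here, but the pattern is unsafe regardless of today's data. A safer carrier is an autoescaped attribute read back by the script, e.g. `<div id="mapdata" data-mapuser="{{ mapuser | dump }}" data-mapkey="{{ mapApi }}"></div>` with `const mapuser = JSON.parse(document.getElementById('mapdata').dataset.mapuser)`, which also lets this block become the external file the new TODO asks for; this assumes the Nunjucks environment has autoescape enabled — confirm in its configuration. The `<script>` opened here continues past the end of the hunk.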