mirror of https://github.com/Chocobozzz/PeerTube
BREAKING: update CSP configuration
Disable it by default and add the ability to specify a custom report URI
pull/1697/head
parent
c8000975d3
commit
539d3f4faa
|
@ -96,6 +96,11 @@ redundancy:
|
||||||
# strategy: 'recently-added' # Cache recently added videos
|
# strategy: 'recently-added' # Cache recently added videos
|
||||||
# min_views: 10 # Having at least x views
|
# min_views: 10 # Having at least x views
|
||||||
|
|
||||||
|
csp:
|
||||||
|
enabled: false
|
||||||
|
report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
|
||||||
|
report_uri:
|
||||||
|
|
||||||
cache:
|
cache:
|
||||||
previews:
|
previews:
|
||||||
size: 500 # Max number of previews you want to cache
|
size: 500 # Max number of previews you want to cache
|
||||||
|
@ -182,8 +187,6 @@ instance:
|
||||||
"# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
|
"# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
# You can provide a reporting endpoint for Content Security Policy violations
|
|
||||||
csp-logger:
|
|
||||||
# Cards configuration to format video in Twitter
|
# Cards configuration to format video in Twitter
|
||||||
twitter:
|
twitter:
|
||||||
username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
|
username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
|
||||||
|
|
|
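Review bot: The new `report_uri:` key is added with no value and no comment, unlike `enabled` and `report_only` above it, so an operator has no indication of what it expects or that leaving it blank means report-only violations are never sent anywhere. A comment such as `report_uri: # URL that receives CSP violation reports; leave empty to disable reporting` would document it, and the `# You can provide a reporting endpoint for Content Security Policy violations` comment that the second hunk deletes from `services:` could simply be moved here. The same applies to the hunk at `@ -97,6 +97,12 @@ redundancy:` in the other configuration file.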
@ -97,6 +97,12 @@ redundancy:
|
||||||
# strategy: 'recently-added' # Cache recently added videos
|
# strategy: 'recently-added' # Cache recently added videos
|
||||||
# min_views: 10 # Having at least x views
|
# min_views: 10 # Having at least x views
|
||||||
|
|
||||||
|
csp:
|
||||||
|
enabled: false
|
||||||
|
report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
|
||||||
|
report_uri:
|
||||||
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#
|
#
|
||||||
# From this point, all the following keys can be overridden by the web interface
|
# From this point, all the following keys can be overridden by the web interface
|
||||||
|
|
16
server.ts
16
server.ts
|
@ -55,13 +55,15 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
|
||||||
// Security middleware
|
// Security middleware
|
||||||
import { baseCSP } from './server/middlewares'
|
import { baseCSP } from './server/middlewares'
|
||||||
|
|
||||||
app.use(baseCSP)
|
if (CONFIG.CSP.ENABLED) {
|
||||||
app.use(helmet({
|
app.use(baseCSP)
|
||||||
frameguard: {
|
app.use(helmet({
|
||||||
action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
|
frameguard: {
|
||||||
},
|
action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
|
||||||
hsts: false
|
},
|
||||||
}))
|
hsts: false
|
||||||
|
}))
|
||||||
|
}
|
||||||
|
|
||||||
// ----------- Database -----------
|
// ----------- Database -----------
|
||||||
|
|
||||||
|
|
|
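Review bot: Wrapping the whole `app.use(helmet({ ... }))` call in `if (CONFIG.CSP.ENABLED) {` turns off frameguard (`action: 'deny'`) and helmet's other default headers whenever CSP is disabled, which the new default `enabled: false` now makes the common case; only `baseCSP` is a CSP middleware. Keep helmet unconditional and gate just the policy: `if (CONFIG.CSP.ENABLED) app.use(baseCSP)` followed by the unchanged `app.use(helmet({ ... }))` block. The frameguard comment points to server/controllers/client.ts for the embed route; that file is not in this commit, so if it still applies `embedCSP` on its own, the new switch would not cover that route — worth confirming.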
@ -34,6 +34,12 @@ async function checkActivityPubUrls () {
|
||||||
// Return an error message, or null if everything is okay
|
// Return an error message, or null if everything is okay
|
||||||
function checkConfig () {
|
function checkConfig () {
|
||||||
|
|
||||||
|
// Moved configuration keys
|
||||||
|
if (config.has('services.csp-logger')) {
|
||||||
|
logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.')
|
||||||
|
}
|
||||||
|
|
||||||
|
// Email verification
|
||||||
if (!Emailer.isEnabled()) {
|
if (!Emailer.isEnabled()) {
|
||||||
if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
|
if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
|
||||||
return 'Emailer is disabled but you require signup email verification.'
|
return 'Emailer is disabled but you require signup email verification.'
|
||||||
|
|
|
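Review bot: The new `// Moved configuration keys` branch warns about `services.csp-logger`, but nothing checks the replacement keys: with `csp.enabled: true`, `csp.report_only: true` and a blank `csp.report_uri` (the shipped default leaves it empty) the policy is emitted in report-only mode with no report endpoint, so violations are neither enforced nor recorded. A warning beside the renamed-key check would surface that, e.g. `if (CONFIG.CSP.ENABLED && CONFIG.CSP.REPORT_ONLY && !CONFIG.CSP.REPORT_URI) {` / `logger.warn('csp.report_only is enabled without csp.report_uri, so CSP violations will not be reported anywhere.')` / `}`. `CONFIG` is already used further down in this function, and checkConfig continues past the hunk.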
@ -15,6 +15,7 @@ function checkMissedConfig () {
|
||||||
'storage.redundancy', 'storage.tmp', 'storage.playlists',
|
'storage.redundancy', 'storage.tmp', 'storage.playlists',
|
||||||
'log.level',
|
'log.level',
|
||||||
'user.video_quota', 'user.video_quota_daily',
|
'user.video_quota', 'user.video_quota_daily',
|
||||||
|
'csp.enabled', 'csp.report_only', 'csp.report_uri',
|
||||||
'cache.previews.size', 'admin.email', 'contact_form.enabled',
|
'cache.previews.size', 'admin.email', 'contact_form.enabled',
|
||||||
'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
|
'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
|
||||||
'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',
|
'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',
|
||||||
|
|
|
@ -229,6 +229,11 @@ const CONFIG = {
|
||||||
STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies'))
|
STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies'))
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
CSP: {
|
||||||
|
ENABLED: config.get<boolean>('csp.enabled'),
|
||||||
|
REPORT_ONLY: config.get<boolean>('csp.report_only'),
|
||||||
|
REPORT_URI: config.get<boolean>('csp.report_uri')
|
||||||
|
},
|
||||||
ADMIN: {
|
ADMIN: {
|
||||||
get EMAIL () { return config.get<string>('admin.email') }
|
get EMAIL () { return config.get<string>('admin.email') }
|
||||||
},
|
},
|
||||||
|
@ -300,7 +305,6 @@ const CONFIG = {
|
||||||
get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') }
|
get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') }
|
||||||
},
|
},
|
||||||
SERVICES: {
|
SERVICES: {
|
||||||
get 'CSP-LOGGER' () { return config.get<string>('services.csp-logger') },
|
|
||||||
TWITTER: {
|
TWITTER: {
|
||||||
get USERNAME () { return config.get<string>('services.twitter.username') },
|
get USERNAME () { return config.get<string>('services.twitter.username') },
|
||||||
get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') }
|
get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') }
|
||||||
|
|
|
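Review bot: `REPORT_URI: config.get<boolean>('csp.report_uri')` declares the report endpoint as a boolean although it is a URL string that the CSP middleware passes through as `reportUri`; it should read `REPORT_URI: config.get<string>('csp.report_uri')`. The generic is erased at runtime, so the header is still built, but the wrong type will mislead the checker and anyone reading `CONFIG.CSP`. Separately, the environment-variable mapping hunk (`@ -111,6 +111,3 @@ instance:`) only deletes `csp-logger: "PEERTUBE_SERVICES_CSPLOGGER"`; without a matching `csp:` mapping for `report_uri` (variable name to be chosen), container deployments lose any way to set a report endpoint through the environment.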
@ -18,22 +18,20 @@ const baseDirectives = Object.assign({},
|
||||||
frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
|
frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
|
||||||
workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
|
workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
|
||||||
},
|
},
|
||||||
CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {},
|
CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
|
||||||
CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
|
CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
|
||||||
)
|
)
|
||||||
|
|
||||||
const baseCSP = helmet.contentSecurityPolicy({
|
const baseCSP = helmet.contentSecurityPolicy({
|
||||||
directives: baseDirectives,
|
directives: baseDirectives,
|
||||||
browserSniff: false,
|
browserSniff: false,
|
||||||
reportOnly: true
|
reportOnly: CONFIG.CSP.REPORT_ONLY
|
||||||
})
|
})
|
||||||
|
|
||||||
const embedCSP = helmet.contentSecurityPolicy({
|
const embedCSP = helmet.contentSecurityPolicy({
|
||||||
directives: Object.assign(baseDirectives, {
|
directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }),
|
||||||
frameAncestors: ['*']
|
|
||||||
}),
|
|
||||||
browserSniff: false, // assumes a modern browser, but allows CDN in front
|
browserSniff: false, // assumes a modern browser, but allows CDN in front
|
||||||
reportOnly: true
|
reportOnly: CONFIG.CSP.REPORT_ONLY
|
||||||
})
|
})
|
||||||
|
|
||||||
// ---------------------------------------------------------------------------
|
// ---------------------------------------------------------------------------
|
||||||
|
|
|
@ -111,6 +111,3 @@ instance:
|
||||||
name: "PEERTUBE_INSTANCE_NAME"
|
name: "PEERTUBE_INSTANCE_NAME"
|
||||||
description: "PEERTUBE_INSTANCE_DESCRIPTION"
|
description: "PEERTUBE_INSTANCE_DESCRIPTION"
|
||||||
terms: "PEERTUBE_INSTANCE_TERMS"
|
terms: "PEERTUBE_INSTANCE_TERMS"
|
||||||
|
|
||||||
services:
|
|
||||||
csp-logger: "PEERTUBE_SERVICES_CSPLOGGER"
|
|
||||||
|
|