From 57bf30a984ccbe58e1506f903055a15c1ddaf8f2 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Tue, 17 Jul 2018 18:44:47 +0200
Subject: [PATCH] Fix CSP

---
 server.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/server.ts b/server.ts
index b23ec5105..104de2153 100644
--- a/server.ts
+++ b/server.ts
@@ -27,7 +27,7 @@ import { checkMissedConfig, checkFFmpeg, checkConfig, checkActivityPubUrls } fro
 
 // Do not use barrels because we don't want to load all modules here (we need to initialize database first)
 import { logger } from './server/helpers/logger'
-import { API_VERSION, CONFIG, STATIC_PATHS, CACHE } from './server/initializers/constants'
+import { API_VERSION, CONFIG, STATIC_PATHS, CACHE, REMOTE_SCHEME } from './server/initializers/constants'
 
 const missed = checkMissedConfig()
 if (missed.length !== 0) {
@@ -59,14 +59,14 @@ app.use(helmet({
   },
   contentSecurityPolicy: {
     directives: {
-      defaultSrc: ['*', 'data:', 'wss:', 'https:'],
+      defaultSrc: ['*', 'data:', REMOTE_SCHEME.WS + ':', REMOTE_SCHEME.HTTP + ':'],
       fontSrc: ["'self'", 'data:'],
       frameSrc: ["'none'"],
-      mediaSrc: ['*', REMOTE_SCHEME.HTTP + ':'],
+      mediaSrc: ['*', REMOTE_SCHEME.HTTP + ':'],
       objectSrc: ["'none'"],
       scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
       styleSrc: ["'self'", "'unsafe-inline'"],
-      upgradeInsecureRequests: true
+      upgradeInsecureRequests: false
     },
     browserSniff: false // assumes a modern browser, but allows CDN in front
   },
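Review bot: `upgradeInsecureRequests: false` in the second hunk switches the mixed-content upgrade off for every deployment, including instances that serve over HTTPS, where the directive was the only thing rewriting stray http: subresource URLs; since the rest of the hunk already keys the scheme sources on REMOTE_SCHEME, the same switch should drive this flag, `upgradeInsecureRequests: REMOTE_SCHEME.HTTP === 'https'`, so plain-HTTP instances stop getting broken upgrades while HTTPS instances keep the protection. The `REMOTE_SCHEME.WS + ':'` and `REMOTE_SCHEME.HTTP + ':'` entries next to `'*'` in defaultSrc and mediaSrc appear redundant, since `*` already matches those network schemes; a comment such as `// '*' already covers REMOTE_SCHEME; listed for explicitness` would make the intent clear. The enclosing `app.use(helmet({` call starts before the hunk and closes after it.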