(quickfix) loosening CSP

2018-07-17 16:36:07 +02:00 · 2018-07-17 16:36:07 +02:00 · aa1c3d929f
parent 62945f067b
commit aa1c3d929f
1 changed files with 16 additions and 3 deletions
--- a/server.ts
+++ b/server.ts
@ -59,12 +59,13 @@ app.use(helmet({
  },
  contentSecurityPolicy: {
    directives: {
-      fontSrc: ["'self'"],
+      defaultSrc: ['*', 'data:', 'wss:', 'https:'],
+      fontSrc: ["'self'", 'data:'],
      frameSrc: ["'none'"],
      mediaSrc: ['*', 'https:'],
      objectSrc: ["'none'"],
-      scriptSrc: ["'self'"],
-      styleSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
      upgradeInsecureRequests: true
    },
    browserSniff: false // assumes a modern browser, but allows CDN in front
@ -73,6 +74,18 @@ app.use(helmet({
    policy: 'strict-origin-when-cross-origin'
  }
 }))
+app.use((_, res, next) => {
+  [
+    "vibrate 'none'",
+    "geolocation 'none'",
+    "camera 'none'",
+    "microphone 'none'",
+    "magnetometer 'none'",
+    "payment 'none'",
+    "accelerometer 'none'"
+  ].forEach(e => res.append('Feature-Policy', e + ';'))
+  next()
+})

 // ----------- Database -----------