jeena/PeerTube
1
0
Fork 0
Code Issues Pull requests Projects Packages Wiki Activity Actions

Update server dependencies

Browse source
This commit is contained in:
Chocobozzz 2020-08-25 13:54:59 +02:00
parent f27624e8bf
commit 50fcdebdb1
No known key found for this signature in database
GPG key ID: 583A612D890159BE
4 changed files with 796 additions and 902 deletions
Download patch file Download diff file Expand all files Collapse all files

2
server/initializers/config.ts
View file

@ -125,7 +125,7 @@ const CONFIG = {
CSP: {
ENABLED: config.get<boolean>('csp.enabled'),
REPORT_ONLY: config.get<boolean>('csp.report_only'),
REPORT_URI: config.get<boolean>('csp.report_uri')
REPORT_URI: config.get<string>('csp.report_uri')
},
TRACKER: {
ENABLED: config.get<boolean>('tracker.enabled'),

4
server/middlewares/csp.ts
View file

@ -19,18 +19,16 @@ const baseDirectives = Object.assign({},
workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
},
CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
)
const baseCSP = helmet.contentSecurityPolicy({
directives: baseDirectives,
browserSniff: false,
reportOnly: CONFIG.CSP.REPORT_ONLY
})
const embedCSP = helmet.contentSecurityPolicy({
directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
browserSniff: false, // assumes a modern browser, but allows CDN in front
reportOnly: CONFIG.CSP.REPORT_ONLY
})