From b77689ebd14992e01b0cd0a2d7ce7b5f488fa05a Mon Sep 17 00:00:00 2001
From: Nutomic
Date: Fri, 6 May 2022 03:12:42 +0000
Subject: [PATCH] Set content security policy http header for all responses (#621)

* Set content security policy http header for all responses
* add unsafe-eval
* fix websocket debug
---
 src/server/index.tsx | 28 +++++++++++++--------------
 src/shared/env.ts | 5 +++--
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/src/server/index.tsx b/src/server/index.tsx
index d8eb807..cdd0f0a 100644
--- a/src/server/index.tsx
+++ b/src/server/index.tsx
@@ -11,7 +11,7 @@ import process from "process";
 import serialize from "serialize-javascript";
 import { App } from "../shared/components/app/app";
 import { SYMBOLS } from "../shared/components/common/symbols";
-import { httpBaseInternal } from "../shared/env";
+import { httpBaseInternal, wsUriBase } from "../shared/env";
 import {
   ILemmyConfig,
   InitialFetchRequest,
@@ -27,6 +27,18 @@ const [hostname, port] = process.env["LEMMY_UI_HOST"]
 const extraThemesFolder =
   process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes";
 
+server.use(function (_req, res, next) {
+  // in debug mode, websocket backend may be on another port, so we need to permit it in csp policy
+  var websocketBackend;
+  if (process.env.NODE_ENV == "development") {
+    websocketBackend = wsUriBase;
+  }
+  res.setHeader(
+    "Content-Security-Policy",
+    `default-src 'none'; connect-src 'self' ${websocketBackend}; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'`
+  );
+  next();
+});
 server.use(express.json());
 server.use(express.urlencoded({ extended: false }));
 server.use("/static", express.static(path.resolve("./dist")));
@@ -166,13 +178,6 @@ server.get("/*", async (req, res) => {
     return res.redirect(context.url);
   }
 
-  const cspHtml = (
- - ); - const eruda = ( <>
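Review bot: When NODE_ENV is not "development", `websocketBackend` is never assigned, so the interpolation in `connect-src 'self' ${websocketBackend}` emits the literal token `undefined` into the header; browsers discard an unparseable source expression, so the policy still applies, but the header advertises a bug and some consoles warn on every response. Build the directive from a value that is always a string, e.g. `const connectSrc = process.env.NODE_ENV === "development" ? "'self' " + wsUriBase : "'self'";` and interpolate `connect-src ${connectSrc};` — this also replaces `var`/`==` with `const`/`===`, matching the rest of the file. Outside development the websocket therefore has to be same-origin and relies on browsers treating `'self'` as matching `ws:`/`wss:` (CSP Level 3 behaviour); a short comment on the directive saying so would spare the next reader a debugging session. The `script-src 'self' 'unsafe-inline' 'unsafe-eval'` part deserves a comment naming what needs it (presumably the inline serialized state written with `serialize` and the eruda debug console), because together those two keywords remove most of the cross-site-scripting protection the header would otherwise give, and a per-response nonce on the inline script is the usual way to drop `'unsafe-inline'` later.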
@@ -180,12 +185,8 @@ server.get("/*", async (req, res) => {
   );
 
   const erudaStr = process.env["LEMMY_UI_DEBUG"] ? renderToString(eruda) : "";
- const root = renderToString(wrapper); const symbols = renderToString(SYMBOLS); - const cspStr = process.env.LEMMY_EXTERNAL_HOST ? renderToString(cspHtml) : "";
   const helmet = Helmet.renderStatic();
 
   const config: ILemmyConfig = { wsHost: process.env.LEMMY_WS_HOST };
@@ -208,9 +209,6 @@ server.get("/*", async (req, res) => {
 - - ${cspStr} -
diff --git a/src/shared/env.ts b/src/shared/env.ts
index 3b93882..238cd5d 100644
--- a/src/shared/env.ts
+++ b/src/shared/env.ts
@@ -1,6 +1,6 @@
 import { isBrowser } from "./utils";
 
-const testHost = "127.0.0.1:8536";
+const testHost = "0.0.0.0:8536";
 
 let internalHost =
   (!isBrowser() && process.env.LEMMY_INTERNAL_HOST) || testHost; // used for local dev
@@ -35,7 +35,8 @@ if (isBrowser()) {
 export const httpBaseInternal = `http://${host}`; // Don't use secure here
 export const httpBase = `http${secure}://${host}`;
-export const wsUri = `ws${secure}://${wsHost}/api/v3/ws`;
+export const wsUriBase = `ws${secure}://${wsHost}`;
+export const wsUri = `${wsUriBase}/api/v3/ws`;
 export const pictrsUri = `${httpBase}/pictrs/image`;
 export const isHttps = secure.endsWith("s");
-- 
2.44.1
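Review bot: `0.0.0.0` is a bind (listen) address rather than a connect target, so the new `testHost` fallback in the `@@ -1,6 +1,6 @@` hunk of env.ts only works on platforms that route connections to 0.0.0.0 to loopback (Linux, macOS) and fails on Windows, whereas the previous `127.0.0.1:8536` was portable. If the change is meant to reach a backend inside Docker, that is what `LEMMY_INTERNAL_HOST` on the following line already provides, so the fallback can stay `127.0.0.1:8536` (or `localhost:8536`). Since `wsUriBase` in the later hunk appears to be derived from this host and, in development, is interpolated into the Content-Security-Policy `connect-src` on the server, a `0.0.0.0` host would also become the origin the browser is told it may open websockets to — worth confirming that is the intended value there; how `wsHost` is derived from `internalHost` lies outside the hunk.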