From: Nutomic <me@nutomic.com>
Date: Thu, 7 Apr 2022 21:01:55 +0000 (+0000)
Subject: Set content security policy http header for all responses (#608)
X-Git-Url: http://these/git/%7B%60/feeds/README.md?a=commitdiff_plain;h=f1c5c60c76e2ac4c3b4d812f86c15c5bac847816;p=lemmy-ui.git

Set content security policy http header for all responses (#608)
---

diff --git a/src/server/index.tsx b/src/server/index.tsx
index 7b83760..1bf3759 100644
--- a/src/server/index.tsx
+++ b/src/server/index.tsx
@@ -27,6 +27,13 @@ const [hostname, port] = process.env["LEMMY_UI_HOST"]
 const extraThemesFolder =
   process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes";
 
+server.use(function (_req, res, next) {
+  res.setHeader(
+    "Content-Security-Policy",
+    "default-src data: 'self'; connect-src * ws: wss:; frame-src *; img-src * data:; script-src 'self'; style-src 'self' 'unsafe-inline'; manifest-src 'self'"
+  );
+  next();
+});
 server.use(express.json());
 server.use(express.urlencoded({ extended: false }));
 server.use("/static", express.static(path.resolve("./dist")));
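Review bot: The policy string on the `res.setHeader` call is an inline literal with no `object-src`, `base-uri` or `frame-ancestors` directive, so plugins fall back to `default-src data: 'self'` (which permits `data:` objects) and page framing is unrestricted. Now that the policy is delivered as a header rather than a `<meta>` tag, `frame-ancestors` can be expressed at all (browsers ignore it in meta), which is worth using here; suggest hoisting the string to a named constant such as `const CONTENT_SECURITY_POLICY = "..."` and appending `; object-src 'none'; base-uri 'self'; frame-ancestors 'self'`, with the `frame-ancestors` value adjusted if the UI is meant to be embedded elsewhere. A one-line comment above the middleware, e.g. `// Sent as a header (not <meta>) so it covers every response, including static assets`, would also record why the earlier meta-tag approach was dropped.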
@@ -164,18 +171,8 @@ server.get("/*", async (req, res) => {
       return res.redirect(context.url);
     }
 
-    const cspHtml = (
-      <meta
-        http-equiv="Content-Security-Policy"
-        content="default-src data: 'self'; connect-src * ws: wss:; frame-src *; img-src * data:; script-src 'self'; style-src 'self' 'unsafe-inline'; manifest-src 'self'"
-      />
-    );
-
     const root = renderToString(wrapper);
     const symbols = renderToString(SYMBOLS);
-    const cspStr = process.env.LEMMY_EXTERNAL_HOST
-      ? renderToString(cspHtml)
-      : "";
     const helmet = Helmet.renderStatic();
 
     const config: ILemmyConfig = { wsHost: process.env.LEMMY_WS_HOST };
@@ -200,9 +197,6 @@ server.get("/*", async (req, res) => {
            <meta charset="utf-8">
            <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 
-           <!-- Content Security Policy -->
-           ${cspStr}
-
            <!-- Web app manifest -->
            <link rel="manifest" href="/static/assets/manifest.webmanifest">