Change CSP rule for connect-src (websocket) to wildcard (fixes #730) (#737)
authorNutomic <me@nutomic.com>
Wed, 3 Aug 2022 21:33:17 +0000 (23:33 +0200)
committerGitHub <noreply@github.com>
Wed, 3 Aug 2022 21:33:17 +0000 (17:33 -0400)
src/server/index.tsx

index 374fb03111c4b99db750d8610e74655bf32fb7e7..d508dab33f28d84c92ccb1396446e136942bd5b5 100644 (file)
@@ -13,7 +13,7 @@ import process from "process";
 import serialize from "serialize-javascript";
 import { App } from "../shared/components/app/app";
 import { SYMBOLS } from "../shared/components/common/symbols";
-import { httpBaseInternal, wsUriBase } from "../shared/env";
+import { httpBaseInternal } from "../shared/env";
 import {
   ILemmyConfig,
   InitialFetchRequest,
@@ -29,11 +29,11 @@ const [hostname, port] = process.env["LEMMY_UI_HOST"]
 const extraThemesFolder =
   process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes";
 
-if (!process.env["LEMMY_UI_DEBUG"]) {
+if (!process.env["LEMMY_UI_DISABLE_CSP"]) {
   server.use(function (_req, res, next) {
     res.setHeader(
       "Content-Security-Policy",
-      `default-src 'none'; connect-src 'self' ${wsUriBase}; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'`
+      `default-src 'none'; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'`
     );
     next();
   });
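Review bot: `connect-src *` in the new policy string lifts the destination limit for every fetch, XHR, EventSource and WebSocket request, not only the websocket case named in the commit title. Because `script-src` still carries `'unsafe-inline' 'unsafe-eval'`, this directive was one of the few remaining limits on where an injected script could send data. If only the websocket endpoint varies between deployments, `connect-src 'self' ws: wss:` would keep HTTP requests same-origin; whether the UI also needs cross-origin HTTP is not visible in this hunk. Separately, `!process.env["LEMMY_UI_DISABLE_CSP"]` treats any non-empty string as true, so `LEMMY_UI_DISABLE_CSP=false` would also drop the header; an explicit comparison such as `process.env["LEMMY_UI_DISABLE_CSP"] !== "true"` avoids that. The closing brace of the `if` block lies outside the hunk.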