Skip to content
This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Torrent Viewer CSP rule blocks <iframe> content #7366

Merged
merged 1 commit into from Mar 17, 2017
Merged

Torrent Viewer CSP rule blocks <iframe> content #7366

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
11 changes: 6 additions & 5 deletions app/extensions.js
View file
Open in desktop
Expand Up @@ -166,22 +166,23 @@ let generateTorrentManifest = () => {
let cspDirectives = {
'default-src': '\'self\'',
// TODO(bridiver) - remove example.com when webtorrent no longer requires it
// (i.e. once Brave uses webpack v2)
'connect-src': '\'self\' https://example.com',
'media-src': '\'self\' http://localhost:*',
'form-action': '\'none\'',
'referrer': 'no-referrer',
'style-src': '\'self\' \'unsafe-inline\'',
'frame-src': '\'self\''
'frame-src': '\'self\' http://localhost:*'
}

if (process.env.NODE_ENV === 'development') {
// allow access to webpack dev server resources
let devServer = 'localhost:' + process.env.npm_package_config_port
Copy link
Contributor Author

@feross feross Feb 23, 2017
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None of the changes below this line should be substantive. They just remove repetition that might accidentally allow the dev and prod versions of the CSP to diverge.

cspDirectives['default-src'] = '\'self\' http://' + devServer
cspDirectives['default-src'] += ' http://' + devServer
cspDirectives['connect-src'] += ' http://' + devServer + ' ws://' + devServer
cspDirectives['media-src'] = '\'self\' http://localhost:* http://' + devServer
cspDirectives['frame-src'] = '\'self\' http://' + devServer
cspDirectives['style-src'] = '\'self\' \'unsafe-inline\' http://' + devServer
cspDirectives['media-src'] += ' http://' + devServer
cspDirectives['frame-src'] += ' http://' + devServer
cspDirectives['style-src'] += ' http://' + devServer
}

return {
Expand Down