set a custom CSP
djmitche committed Dec 6, 2017
1 parent 89c3f8c commit a329860
Showing 3 changed files with 15 additions and 2 deletions.
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -19,6 +19,7 @@
"body-parser": "^1.18.2",
"browserid-verify": "^0.1.2",
"connect-flash": "^0.1.1",
"content-security-policy": "^0.3.2",
"cookie-session": "^2.0.0-beta.3",
"debug": "^3.1.0",
"eslint-config-taskcluster": "^3.0.0",
14 changes: 13 additions & 1 deletion src/server.js
Expand Up @@ -20,6 +20,7 @@ const tcApp = require('taskcluster-lib-app');
const validator = require('taskcluster-lib-validate');
const monitor = require('taskcluster-lib-monitor');
const docs = require('taskcluster-lib-docs');
const csp = require('content-security-policy');

let load = loader({
cfg: {
Expand Down Expand Up @@ -132,7 +133,7 @@ let load = loader({
requires: ['cfg', 'authenticators', 'router'],
setup: ({cfg, authenticators, router}) => {
// Create application
let app = tcApp(cfg.server);
let app = tcApp(_.defaults({}, cfg.server, {contentSecurityPolic: false}));

// setup 'trust proxy', which tc-lib-app does not do
app.set('trust proxy', cfg.server.trustProxy);
Expand All @@ -145,6 +146,17 @@ let load = loader({
app.set('views', path.join(__dirname, '..', 'views'));
app.set('view engine', 'jade');

// build a CSP that's appropriate to this app..
app.use(csp.getCSP({
'default-src': csp.SRC_NONE,
'frame-ancestors': csp.SRC_NONE,
'base-uri': csp.SRC_NONE,
'report-uri': '/__cspreport__',
'font-src': csp.SRC_SELF,
'script-src': [csp.SRC_SELF, '\'unsafe-inline\''],
'style-src': [csp.SRC_SELF, '\'unsafe-inline\''],
}));

// Parse request bodies
app.use(bodyParser.urlencoded({extended: false}));

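Review bot: The option key passed to tcApp on the `let app = tcApp(_.defaults({}, cfg.server, {contentSecurityPolic: false}));` line is missing its final letter, which reads like a typo for `contentSecurityPolicy`; if taskcluster-lib-app keys on the full spelling (not visible here, please confirm), its default CSP stays enabled and the browser then enforces both headers, so the effective policy is the intersection rather than the custom one built below. The `'report-uri': '/__cspreport__'` directive also needs a route that accepts and logs those reports, and none is added in this commit, so confirm one exists elsewhere or reports are silently dropped. Since `'unsafe-inline'` in `script-src` removes most of the XSS protection a CSP provides, a short comment naming which inline scripts or views require it — e.g. `// 'unsafe-inline' is needed for the inline <script> blocks in the jade views; replace with nonces when those are moved out` — would let a later maintainer know when it can be removed. The enclosing `setup` arrow function ends outside the hunk.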
2 changes: 1 addition & 1 deletion yarn.lock
Expand Up @@ -635,7 +635,7 @@ content-disposition@0.5.2:
version "0.5.2"
resolved "https://registry.yarnpkg.com/content-disposition/-/content-disposition-0.5.2.tgz#0cf68bb9ddf5f2be7961c3a85178cb85dba78cb4"

content-security-policy@^0.3.0:
content-security-policy@^0.3.0, content-security-policy@^0.3.2:
version "0.3.2"
resolved "https://registry.yarnpkg.com/content-security-policy/-/content-security-policy-0.3.2.tgz#bfe2238c23b231fdc04d684dbccc363df68860c1"

