fix: beef up CSP headers (#1759)

* fix: beef up CSP headers

* add base-uri self

* fix connect-src for tesseract

* more csp fixes
Nolan Lawson 2020-05-02 18:09:07 -07:00 committed by GitHub
parent 00b9b1c216
commit 6447326f5c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -55,16 +55,33 @@ const JSON_TEMPLATE = {
] ]
} }
const SCRIPT_CHECKSUMS = [inlineScriptChecksum]
.concat(sapperInlineScriptChecksums)
.map(_ => `'sha256-${_}'`)
.join(' ')
const HTML_HEADERS = { const HTML_HEADERS = {
'cache-control': 'public,max-age=3600', 'cache-control': 'public,max-age=3600',
'content-security-policy': 'script-src \'self\' ' + 'content-security-policy': [
`${[inlineScriptChecksum].concat(sapperInlineScriptChecksums).map(_ => `'sha256-${_}'`).join(' ')}; ` + "default-src 'self'",
'worker-src \'self\'; style-src \'self\' \'unsafe-inline\'; frame-src \'none\'; object-src \'none\'; manifest-src \'self\'', `script-src 'self' ${SCRIPT_CHECKSUMS}`,
"worker-src 'self'",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' * data: blob:",
"media-src 'self' *",
"connect-src 'self' * data: blob:",
"frame-src 'none'",
"frame-ancestors 'none'",
"object-src 'none'",
"manifest-src 'self'",
"form-action 'none'",
"base-uri 'self'"
].join(';'),
'referrer-policy': 'no-referrer', 'referrer-policy': 'no-referrer',
'strict-transport-security': 'max-age=15552000; includeSubDomains', 'strict-transport-security': 'max-age=15552000; includeSubDomains',
'x-content-type-options': 'nosniff', 'x-content-type-options': 'nosniff',
'x-download-options': 'noopen', 'x-download-options': 'noopen',
'x-frame-options': 'SAMEORIGIN', 'x-frame-options': 'DENY',
'x-xss-protection': '1; mode=block' 'x-xss-protection': '1; mode=block'
} }
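Review bot: The `*` source in the new `img-src`, `media-src` and `connect-src` directives makes `'self'` redundant in those lists and means the policy places no host restriction on fetch/XHR/WebSocket destinations or loaded images, so the exfiltration protection of this CSP rests entirely on `script-src` being limited to `'self'` plus the inline hashes. That is presumably deliberate, since the client talks to whichever instance the user signs into and the commit message mentions tesseract needing the wider `connect-src`, but nothing in the hunk records why, and a later "tightening" could silently break the app. A short comment above the array would capture the intent, e.g. `// '*' on img/media/connect is required because the client talks to any user-chosen instance; script execution stays restricted to 'self' + inline hashes.` It may also be worth a comment that `data:` and `blob:` are listed explicitly because `*` does not match non-network schemes, so readers do not drop them as redundant.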