Remove unsafe inline, add blob: to trusted sources for compatibility with webkit
27
app.js
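--- a/app.js
+++ b/app.js
@@ -127,6 +127,7 @@ app.use(function(req, res, next) {
 
 var trusted = [
 "'self'",
+'blob:',
 '*.freecodecamp.com',
 '*.gstatic.com',
 '*.google-analytics.com',
@@ -139,7 +140,6 @@ var trusted = [
 '*.twimg.com',
 "'unsafe-eval'",
 "'unsafe-inline'",
-'*.rafflecopter.com',
 '*.bootstrapcdn.com',
 '*.cloudflare.com',
 'https://*.cloudflare.com',
@@ -154,11 +154,7 @@ var trusted = [
 '*.youtube.com',
 '*.jsdelivr.net',
 'https://*.jsdelivr.net',
-'*.togetherjs.com',
-'https://*.togetherjs.com',
-'wss://hub.togetherjs.com',
 '*.ytimg.com',
-'wss://fcctogether.herokuapp.com',
 '*.bitly.com',
 'http://cdn.inspectlet.com/',
 'http://hn.inspectlet.com/'
@@ -169,28 +165,14 @@ app.use(helmet.contentSecurityPolicy({
 scriptSrc: [
 '*.optimizely.com',
 '*.aspnetcdn.com',
-'*.d3js.org',
-"* 'unsafe-inline'"
+'*.d3js.org'
 ].concat(trusted),
 'connect-src': [
-'ws://*.rafflecopter.com',
-'wss://*.rafflecopter.com',
-'https://*.rafflecopter.com',
-'ws://www.freecodecamp.com',
-'http://www.freecodecamp.com'
+'ws://www.freecodecamp.com'
 ].concat(trusted),
 styleSrc: trusted,
 imgSrc: [
-'*.evernote.com',
-'*.amazonaws.com',
-'data:',
-'*.licdn.com',
-'*.gravatar.com',
-'*.akamaihd.net',
-'graph.facebook.com',
-'*.githubusercontent.com',
-'*.googleusercontent.com',
-/* allow all input since we have user submitted images for public profile*/
+/* allow all input since we have user submitted images for public profile*/
 '*'
 ].concat(trusted),
 fontSrc: ['*.googleapis.com'].concat(trusted),
@@ -203,7 +185,6 @@ app.use(helmet.contentSecurityPolicy({
 '*.gitter.im https:',
 '*.vimeo.com',
 '*.twitter.com',
-'*.rafflecopter.com',
 '*.ghbtns.com'
 ].concat(trusted),
 reportOnly: false, // set to true if you only want to report errors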
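Review bot: Dropping `"* 'unsafe-inline'"` from `scriptSrc` in the fourth hunk does not actually remove inline script from the policy, because `trusted` (second hunk, unchanged context) still contains `"'unsafe-inline'"` and `"'unsafe-eval'"` and every directive here is built with `.concat(trusted)`, so the effective `script-src` keeps both keywords. If the intent of the commit title is to stop allowing inline script, those two entries have to leave `trusted` and be re-added only where a directive genuinely needs them, e.g. `styleSrc: trusted.concat(["'unsafe-inline'"]),` if inline styles are still required. The same shared-array pattern means the new `'blob:'` entry in the first hunk is granted to `script-src`, `connect-src`, `img-src`, `font-src` and the others at once; if WebKit only needs it for one resource type, adding it to that directive's own array keeps the grant narrow. The comment about user-submitted images being the reason for `'*'` in `imgSrc` is worth keeping, but a one-line comment on `trusted` stating that it is spliced into every directive would make this coupling obvious to the next editor. `trusted` is declared inside the `app.use(function(req, res, next) {` callback that starts before the first hunk.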