gaspersic/freeCodeCamp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
21fd983bb0cbfd8db27635d9caebc75e799b7524
freeCodeCamp/server/middlewares/csp.js
Berkeley Martinez af654aebdc Hot fix for chat close button
2015-10-16 20:23:24 -07:00

102 lines
2.4 KiB
JavaScript
Raw Blame History

import helmet from 'helmet';
const trusted = [
"'self'",
'blob:',
'104.236.218.15',
'*.freecodecamp.com',
'http://www.freecodecamp.com',
'http://freecodecamp.com',
'https://www.freecodecamp.com',
'https://freecodecamp.com',
'https://freecodecamp.org',
'*.freecodecamp.org',
// NOTE(berks): add the following as the blob above was not covering www
'http://www.freecodecamp.org',
'ws://freecodecamp.com/',
'ws://www.freecodecamp.com/',
'*.gstatic.com',
'*.google-analytics.com',
'*.googleapis.com',
'*.google.com',
'*.gstatic.com',
'*.doubleclick.net',
'*.twitter.com',
'*.twitch.tv',
'*.twimg.com',
"'unsafe-eval'",
"'unsafe-inline'",
'*.bootstrapcdn.com',
'*.cloudflare.com',
'https://*.cloudflare.com',
'localhost:3001',
'ws://localhost:3001/',
'http://localhost:3001',
'localhost:3000',
'ws://localhost:3000/',
'http://localhost:3000',
'*.ionicframework.com',
'https://syndication.twitter.com',
'*.youtube.com',
'*.jsdelivr.net',
'https://*.jsdelivr.net',
'*.ytimg.com',
'*.bitly.com',
'http://cdn.inspectlet.com/',
'https://cdn.inspeclet.com/',
'wss://inspectletws.herokuapp.com/',
'http://hn.inspectlet.com/',
'*.googleapis.com',
'*.gstatic.com',
'https://hn.inspectlet.com/'
];
export default function csp() {
return helmet.csp({
defaultSrc: trusted,
scriptSrc: [
'https://*.gitter.im',
'*.optimizely.com',
'*.aspnetcdn.com',
'*.d3js.org',
'https://cdn.inspectlet.com/inspectlet.js',
'http://cdn.inspectlet.com/inspectlet.js',
'http://beta.freecodecamp.com'
].concat(trusted),
'connect-src': [
'vimeo.com'
].concat(trusted),
styleSrc: [
'*.googleapis.com',
'*.gstatic.com'
].concat(trusted),
imgSrc: [
// allow all input since we have user submitted images for
// public profile
'*',
'data:'
].concat(trusted),
fontSrc: [
'*.googleapis.com',
'*.gstatic.com'
].concat(trusted),
mediaSrc: [
'*.amazonaws.com',
'*.twitter.com'
].concat(trusted),
frameSrc: [
'*.gitter.im',
'*.gitter.im https:',
'*.vimeo.com',
'*.twitter.com',
'*.ghbtns.com'
].concat(trusted),
// set to true if you only want to report errors
reportOnly: false,
// set to true if you want to set all headers
setAllHeaders: false,
// set to true if you want to force buggy CSP in Safari 5
safari5: false
});
}
Reference in New Issue View Git Blame Copy Permalink