Added HTTP CSP headers.

This commit is contained in:
Ylian Saint-Hilaire 2020-01-10 17:04:26 -08:00
parent 9974c3d958
commit 3b5657650b
2 changed files with 2 additions and 2 deletions

View File

@ -1,6 +1,6 @@
{
"name": "meshcentral",
"version": "0.4.7-h",
"version": "0.4.7-i",
"keywords": [
"Remote Management",
"Intel AMT",

View File

@ -3410,7 +3410,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
'Referrer-Policy': 'no-referrer',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'Content-Security-Policy': "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'" + geourl + selfurl + "; img-src 'self'" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
'Content-Security-Policy': "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'" + geourl + selfurl + "; img-src 'self'" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'; base-url: 'none'; form-action 'self'"
};
if ((parent.config.settings.allowframing !== true) && (typeof parent.config.settings.allowframing !== 'string')) { headers['X-Frame-Options'] = 'sameorigin'; }
res.set(headers);