From 3b5657650b754780ed100f460370056033668751 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Fri, 10 Jan 2020 17:04:26 -0800
Subject: [PATCH] Added HTTP CSP headers.

---
 package.json | 2 +-
 webserver.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index d77bcf02..23af4ee7 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
- "version": "0.4.7-h",
+ "version": "0.4.7-i",
 "keywords": [
 "Remote Management",
 "Intel AMT",
diff --git a/webserver.js b/webserver.js
index df6d5b1a..ae303acf 100644
--- a/webserver.js
+++ b/webserver.js
@@ -3410,7 +3410,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 'Referrer-Policy': 'no-referrer',
 'X-XSS-Protection': '1; mode=block',
 'X-Content-Type-Options': 'nosniff',
- 'Content-Security-Policy': "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'" + geourl + selfurl + "; img-src 'self'" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
+ 'Content-Security-Policy': "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'" + geourl + selfurl + "; img-src 'self'" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'; base-url: 'none'; form-action 'self'"
 };
 if ((parent.config.settings.allowframing !== true) && (typeof parent.config.settings.allowframing !== 'string')) { headers['X-Frame-Options'] = 'sameorigin'; }
 res.set(headers);
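Review bot: The new `base-url: 'none'` fragment appended to the Content-Security-Policy value in the webserver.js hunk is not a valid CSP directive: the directive is spelled `base-uri` and takes no colon, so browsers will report an unrecognized directive and silently skip it, leaving `<base>` injection unrestricted while the header looks hardened. The added line should end `; base-uri 'none'; form-action 'self'"`. Note also that the policy still carries `script-src 'self' 'unsafe-inline'`, so the CSP does not yet block inline script injection; if that is a known limitation it deserves a comment such as `// 'unsafe-inline' is required by the current pages; removing it needs nonces/hashes` next to the header. The enclosing CreateWebServer function starts outside the hunk, and the package.json hunk is a version bump only.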