From 12cdd1e76b80be18efbe550b5ffa51dd1ff1fd57 Mon Sep 17 00:00:00 2001
From: Caleb James DeLisle
Date: Thu, 6 Oct 2016 22:37:25 +0200
Subject: [PATCH 1/3] Add a Content Security Policy which works for CryptPad

---
 server.js | 38 ++++++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/server.js b/server.js
index c490698b3..d3aaa5630 100644
--- a/server.js
+++ b/server.js
@@ -10,12 +10,38 @@ var NetfluxSrv = require('./NetfluxWebsocketSrv');
 var WebRTCSrv = require('./WebRTCSrv');
 
 var config = require('./config');
-config.websocketPort = config.websocketPort || config.httpPort;
+var websocketPort = config.websocketPort || config.httpPort;
 
 // support multiple storage back ends
-var Storage = require(config.storage||'./storage/mongo');
+var Storage = require(config.storage||'./storage/file');
 
 var app = Express();
+
+app.use(function (req, res, next) {
+ var host = req.headers.host;
+ if (config.websocketPort) {
+ host = host.replace(/\:[0-9]+/, ':' + config.websocketPort);
+ }
+ var proto = httpsOpts ? 'wss://' : 'ws://'
+ res.setHeader('Content-Security-Policy', [
+ "default-src 'none'",
+ "style-src 'unsafe-inline' 'self'",
+
+ // No way to load ckeditor without unsafe-eval and unsafe-inline
+ // https://dev.ckeditor.com/ticket/8584
+ "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+
+ "connect-src 'self' " + proto + host,
+ "child-src 'self'",
+ "font-src 'self'",
+
+ // data: is used by codemirror, (insecure remote) images are included by people making
+ // documents in ckeditor.
+ "img-src data: *" ].join('; '));
+ next();
+});
+
 app.use(Express.static(__dirname + '/www'));
 
 Fs.exists(__dirname + "/customize", function (e) {
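Review bot: `var host = req.headers.host;` is dereferenced unguarded two lines later, so a request that carries no Host header (HTTP/1.0 clients, some health checks) makes the middleware throw and that request fails with Express's default 500 before it reaches the static handler. The regex `/\:[0-9]+/` also only substitutes a port that is already present: when `config.websocketPort` is set but the Host header carries no port (a proxy on the scheme's default port, presumably), `host` stays portless and the `connect-src` entry will not match the explicit `:port` that the `/api/config` route advertises, so the websocket is blocked by the policy. Both go away with `var host = req.headers.host || '';` and, inside the `if`, `host = host.replace(/:[0-9]+$/, '') + ':' + config.websocketPort;`. For a Host-less request the entry then degrades to `ws://` alone, which browsers discard as an invalid source expression, leaving `connect-src 'self'` rather than a crashed request.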
@@ -57,9 +83,9 @@ app.get('/api/config', function(req, res){
 res.setHeader('Content-Type', 'text/javascript');
 res.send('define(' + JSON.stringify({
 websocketURL:'ws' + ((httpsOpts) ? 's' : '') + '://' + host + ':' +
- config.websocketPort + '/cryptpad_websocket',
+ websocketPort + '/cryptpad_websocket',
 webrtcURL:'ws' + ((httpsOpts) ? 's' : '') + '://' + host + ':' +
- config.websocketPort + '/cryptpad_webrtc',
+ websocketPort + '/cryptpad_webrtc',
 }) + ');');
 });
 
@@ -70,9 +96,9 @@ httpServer.listen(config.httpPort,config.httpAddress,function(){
 });
 
 var wsConfig = { server: httpServer };
-if (config.websocketPort !== config.httpPort) {
+if (websocketPort !== config.httpPort) {
 console.log("setting up a new websocket server");
- wsConfig = { port: config.websocketPort};
+ wsConfig = { port: websocketPort};
 }
 var wsSrv = new WebSocketServer(wsConfig);
 Storage.create(config, function (store) {

From 83c3f6310aeeb6b3c7a8c23392d78ca345be9b34 Mon Sep 17 00:00:00 2001
From: Caleb James DeLisle
Date: Thu, 6 Oct 2016 22:44:58 +0200
Subject: [PATCH 2/3] Don't make the codestyle any worse than it is

---
 server.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server.js b/server.js
index d3aaa5630..dc0077a35 100644
--- a/server.js
+++ b/server.js
@@ -17,12 +17,14 @@ var Storage = require(config.storage||'./storage/file');
 
 var app = Express();
 
+var httpsOpts;
+
 app.use(function (req, res, next) {
 var host = req.headers.host;
 if (config.websocketPort) {
 host = host.replace(/\:[0-9]+/, ':' + config.websocketPort);
 }
- var proto = httpsOpts ? 'wss://' : 'ws://'
+ var proto = httpsOpts ? 'wss://' : 'ws://';
 res.setHeader('Content-Security-Policy', [
 "default-src 'none'",
 "style-src 'unsafe-inline' 'self'",
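Review bot: The hoisted `var httpsOpts;` is now far from the code that assigns it, and nothing at the declaration tells a reader of the CSP middleware that the value is filled in later during startup and only read per request, which is the reason the forward declaration is safe. A one-line comment would spare the next maintainer the search: `// assigned below (config.privKeyAndCertFiles block); read per request by the CSP middleware, after startup`. The block that presumably assigns it, `if (config.privKeyAndCertFiles) {`, lies outside this hunk.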
@@ -54,7 +56,6 @@ app.use("/customize", Express.static(__dirname + '/customize.dist'));
 app.use(/^\/[^\/]*$/, Express.static('customize'));
 app.use(/^\/[^\/]*$/, Express.static('customize.dist'));
 
-var httpsOpts;
 if (config.privKeyAndCertFiles) {
 var privKeyAndCerts = '';
 config.privKeyAndCertFiles.forEach(function (file) {

From 72fc2e70685c4dcaa91437d7d80f0f2efdd67723 Mon Sep 17 00:00:00 2001
From: Caleb James DeLisle
Date: Thu, 6 Oct 2016 23:02:30 +0200
Subject: [PATCH 3/3] Chuck a few more super-duper-security headers in there

---
 server.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server.js b/server.js
index 26e9d98ec..b6dc9d9dd 100644
--- a/server.js
+++ b/server.js
@@ -41,6 +41,11 @@ app.use(function (req, res, next) {
 // documents in ckeditor.
 "img-src data: *"
 ].join('; '));
+
+ res.setHeader('X-XSS-Protection', '1; mode=block');
+ res.setHeader('X-Content-Type-Options', 'nosniff');
+ res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+
 next();
 });
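Review bot: `X-Frame-Options: SAMEORIGIN` has no counterpart in the Content-Security-Policy assembled just above it; the policy's `child-src 'self'` governs what this page may embed, not who may embed this page, and per CSP Level 2 a browser that sees `frame-ancestors` uses it in preference to X-Frame-Options, so the two mechanisms should express the same rule. Adding `"frame-ancestors 'self'"` to the directive array keeps the framing policy in one place, with the X-Frame-Options header left as the fallback for browsers that predate it. Since `script-src` still carries `'unsafe-inline'`, the `X-XSS-Protection` line is shouldering a defence the CSP cannot provide here, which is worth a short comment rather than leaving the three headers grouped without explanation. The middleware function starts outside this hunk.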