2022-10-19 11:07:39 -06:00
|
|
|
'use strict';
|
|
|
|
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const assert = require('assert');
|
|
|
|
|
|
|
|
const config = require('../lib/config');
|
|
|
|
const matrixServerUrl = config.get('matrixServerUrl');
|
|
|
|
assert(matrixServerUrl);
|
|
|
|
|
|
|
|
function contentSecurityPolicyMiddleware(req, res, next) {
|
2023-04-19 12:48:12 -06:00
|
|
|
const cspNonce = crypto.randomBytes(16).toString('hex');
|
2022-10-19 11:07:39 -06:00
|
|
|
|
|
|
|
// Based on https://web.dev/strict-csp/
|
|
|
|
const directives = [
|
|
|
|
// Default to fully-restrictive and only allow what's needed below
|
|
|
|
`default-src 'none';`,
|
|
|
|
// Only <script> and <style> tags that have the nonce provided
|
|
|
|
//
|
|
|
|
// To ensure compatibility with very old browser versions (4+ years), we add
|
|
|
|
// 'unsafe-inline' as a fallback. All recent browsers will ignore 'unsafe-inline' if
|
|
|
|
// a CSP nonce or hash is present. (via
|
|
|
|
// https://web.dev/strict-csp/#step-4-add-fallbacks-to-support-safari-and-older-browsers)
|
2023-04-19 12:48:12 -06:00
|
|
|
`script-src 'nonce-${cspNonce}' 'strict-dynamic' https: 'unsafe-inline';`,
|
2022-10-19 11:07:39 -06:00
|
|
|
// Hydrogen uses a bunch of inline styles and `style-src-attr` isn't well supported
|
|
|
|
// in Firefox to allow it specifically. In the future, when it has better support we
|
|
|
|
// should switch to a strict nonce based style directive.
|
|
|
|
`style-src 'self' 'unsafe-inline';`,
|
|
|
|
// We only need to load fonts from ourself
|
|
|
|
`font-src 'self';`,
|
|
|
|
// We only need to be able to load images/media from ourself and the homeserver media repo
|
|
|
|
`img-src 'self' ${matrixServerUrl};`,
|
|
|
|
`media-src 'self' ${matrixServerUrl};`,
|
|
|
|
// Only allow the room directory search form to submit to ourself
|
|
|
|
`form-action 'self';`,
|
|
|
|
// We have no need ourself to embed in an iframe. And we shouldn't allow others to
|
|
|
|
// iframe embed which can lead to clickjacking. We also have the
|
|
|
|
// `prevent-clickjacking-middleware` to cover this.
|
|
|
|
`frame-ancestors 'none';`,
|
|
|
|
// Extra restriction since we have no plans to change the `<base>`
|
|
|
|
`base-uri 'self'`,
|
|
|
|
];
|
|
|
|
|
|
|
|
res.set('Content-Security-Policy', directives.join(' '));
|
|
|
|
|
|
|
|
// Make this available for down-stream routes to reference and use
|
2023-04-19 12:48:12 -06:00
|
|
|
res.locals.cspNonce = cspNonce;
|
2022-10-19 11:07:39 -06:00
|
|
|
|
|
|
|
next();
|
|
|
|
}
|
|
|
|
|
|
|
|
module.exports = contentSecurityPolicyMiddleware;
|