Change CSP rule for connect-src (websocket) to wildcard (fixes #730) (#…
Nutomic authored and dessalines committed Aug 4, 2022
1 parent bc47c04 commit 6dee99e
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions src/server/index.tsx
Expand Up @@ -11,7 +11,7 @@ import process from "process";
import serialize from "serialize-javascript";
import { App } from "../shared/components/app/app";
import { SYMBOLS } from "../shared/components/common/symbols";
import { httpBaseInternal, wsUriBase } from "../shared/env";
import { httpBaseInternal } from "../shared/env";
import {
ILemmyConfig,
InitialFetchRequest,
Expand All @@ -27,11 +27,11 @@ const [hostname, port] = process.env["LEMMY_UI_HOST"]
const extraThemesFolder =
process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes";

if (!process.env["LEMMY_UI_DEBUG"]) {
if (!process.env["LEMMY_UI_DISABLE_CSP"]) {
server.use(function (_req, res, next) {
res.setHeader(
"Content-Security-Policy",
`default-src 'none'; connect-src 'self' ${wsUriBase}; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'`
`default-src 'none'; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'`
);
next();
});
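Review bot: The `connect-src *` in the new policy string (the wildcard named in the commit title) lifts every CSP limit on where page script may open fetch, XHR, EventSource or WebSocket connections, and the same header still allows `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, so an injected script would no longer be constrained by CSP in where it sends data. If the aim is only to stop depending on `wsUriBase` for the WebSocket endpoint, a narrower list such as `connect-src 'self' ws: wss:` would keep HTTP requests same-origin while accepting any WebSocket host; whether the UI needs cross-origin HTTP is not visible in this section, so confirm before tightening. Separately, the guard `if (!process.env["LEMMY_UI_DISABLE_CSP"])` treats any non-empty value as set, so `LEMMY_UI_DISABLE_CSP=false` would also switch the header off; an explicit comparison such as `process.env["LEMMY_UI_DISABLE_CSP"] !== "true"`, or a comment above the guard stating the current behaviour, would make that clear to operators.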