Merge pull request #73 from MisskeyIO/csp-send-nonce

Improve CSP
This commit is contained in:
和風ドレッシング 2023-03-19 02:54:05 +09:00 committed by GitHub
commit 179d38818d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 3 deletions

View file

@ -0,0 +1,9 @@
import FastifyReply from "fastify";
declare module 'fastify' {
interface FastifyReply {
cspNonce: {
script: string
}
}
}

View file

@ -1,5 +1,6 @@
import { dirname } from 'node:path'; import { dirname } from 'node:path';
import { fileURLToPath } from 'node:url'; import { fileURLToPath } from 'node:url';
import { randomBytes } from 'node:crypto';
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import { createBullBoard } from '@bull-board/api'; import { createBullBoard } from '@bull-board/api';
import { BullAdapter } from '@bull-board/api/bullAdapter.js'; import { BullAdapter } from '@bull-board/api/bullAdapter.js';
@ -174,12 +175,17 @@ export class ClientServerService {
reply.header('X-Frame-Options', 'DENY'); reply.header('X-Frame-Options', 'DENY');
// XSSが存在した場合に影響を軽減する // XSSが存在した場合に影響を軽減する
// (script-srcにunsafe-inline等を追加すると意味が無くなるので注意) // (インラインスクリプトはreply.cspNonce内の値をnonce属性に設定することで使える)
const scriptNonce = randomBytes(16).toString('hex');
reply.cspNonce = {
script: scriptNonce,
};
const csp = this.config.contentSecurityPolicy const csp = this.config.contentSecurityPolicy
?? 'script-src \'self\' ' + ?? 'script-src \'self\' ' +
'https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; ' + 'https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/ {scriptNonce}; ' +
'worker-src blob: \'self\'; ' +
'base-uri \'self\'; object-src \'self\'; report-uri /csp-error'; 'base-uri \'self\'; object-src \'self\'; report-uri /csp-error';
reply.header('Content-Security-Policy-Report-Only', csp); reply.header('Content-Security-Policy-Report-Only', csp.replace('{scriptNonce}', `'nonce-${scriptNonce}'`));
done(); done();
}); });