From d0825b6857ee58332c6f3269fe2c63e3bfac8627 Mon Sep 17 00:00:00 2001 From: Dessalines Date: Fri, 8 Apr 2022 13:51:56 +0000 Subject: [PATCH] Revert "Set content security policy http header for all responses (#608)" This reverts commit f1c5c60c76e2ac4c3b4d812f86c15c5bac847816. --- src/server/index.tsx | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/server/index.tsx b/src/server/index.tsx index 1bf37598..7b837605 100644 --- a/src/server/index.tsx +++ b/src/server/index.tsx @@ -27,13 +27,6 @@ const [hostname, port] = process.env["LEMMY_UI_HOST"] const extraThemesFolder = process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes"; -server.use(function (_req, res, next) { - res.setHeader( - "Content-Security-Policy", - "default-src data: 'self'; connect-src * ws: wss:; frame-src *; img-src * data:; script-src 'self'; style-src 'self' 'unsafe-inline'; manifest-src 'self'" - ); - next(); -}); server.use(express.json()); server.use(express.urlencoded({ extended: false })); server.use("/static", express.static(path.resolve("./dist"))); @@ -171,8 +164,18 @@ server.get("/*", async (req, res) => { return res.redirect(context.url); } + const cspHtml = ( + + ); + const root = renderToString(wrapper); const symbols = renderToString(SYMBOLS); + const cspStr = process.env.LEMMY_EXTERNAL_HOST + ? renderToString(cspHtml) + : ""; const helmet = Helmet.renderStatic(); const config: ILemmyConfig = { wsHost: process.env.LEMMY_WS_HOST }; @@ -197,6 +200,9 @@ server.get("/*", async (req, res) => { + + ${cspStr} +
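Review bot: `cspStr` falls back to `""` whenever `process.env.LEMMY_EXTERNAL_HOST` is unset, and with the `server.use` header middleware removed in the first hunk, such a deployment renders its pages with no Content-Security-Policy at all. If the gate is intentional, record the reason next to it, e.g. `// CSP is omitted when LEMMY_EXTERNAL_HOST is unset because <reason>`; otherwise emit it unconditionally with `const cspStr = renderToString(cspHtml);`. A policy delivered through a meta element covers only the document that contains it and is ignored for `frame-ancestors`, `sandbox` and the reporting directives, so responses from the other routes no longer carry a policy and those directives cannot be added later this way. A meta policy also does not apply to content that precedes it, so `${cspStr}` in the third hunk should sit ahead of any script or link tags in the head; the surrounding markup is not visible in this rendering of the patch. The `server.get("/*")` handler starts and ends outside the hunk, and the meta element's attributes are missing from this rendering, so the directives themselves could not be checked.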