From 4e345e0d12dec5d4914d2fa86cd2a2242cf8f569 Mon Sep 17 00:00:00 2001
From: greenkeeperio-bot
Date: Tue, 12 Jan 2016 21:45:15 -0800
Subject: [PATCH] chore(package): update helmet to version 1.1.0

http://greenkeeper.io/
---
package.json | 4 +-
server/middlewares/csp.js | 114 +++++++++++++++++++------------------
2 files changed, 60 insertions(+), 58 deletions(-)

diff --git a/package.json b/package.json
index 28aacc94709..48a3612fa58 100644
--- a/package.json
+++ b/package.json
@@ -79,8 +79,8 @@
 "gulp-uglify": "^1.5.1",
 "gulp-util": "^3.0.6",
 "gulp-webpack": "^1.5.0",
- "helmet": "~0.15.0",
- "helmet-csp": "~0.3.0",
+ "helmet": "^1.1.0",
+ "helmet-csp": "^1.0.3",
 "history": "^1.17.0",
 "jade": "^1.11.0",
 "json-loader": "~0.5.2",
diff --git a/server/middlewares/csp.js b/server/middlewares/csp.js
index 2aaac24d18d..2a85ff6fa10 100644
--- a/server/middlewares/csp.js
+++ b/server/middlewares/csp.js
@@ -10,62 +10,64 @@ if (process.env.NODE_ENV !== 'production') {
 export default function csp() {
 return helmet.csp({
- defaultSrc: trusted,
- scriptSrc: [
- "'unsafe-eval'",
- "'unsafe-inline'",
- '*.google-analytics.com',
- '*.gstatic.com',
- 'https://*.cloudflare.com',
- '*.cloudflare.com',
- 'https://*.gitter.im',
- 'https://*.cdnjs.com',
- '*.cdnjs.com',
- 'https://*.jsdelivr.com',
- '*.jsdelivr.com',
- '*.twimg.com',
- 'https://*.twimg.com',
- 'vimeo.com'
- ].concat(trusted),
- connectSrc: [
- 'vimeo.com'
- ].concat(trusted),
- styleSrc: [
- "'unsafe-inline'",
- '*.gstatic.com',
- '*.googleapis.com',
- '*.bootstrapcdn.com',
- 'https://*.bootstrapcdn.com',
- '*.cloudflare.com',
- 'https://*.cloudflare.com'
- ].concat(trusted),
- fontSrc: [
- '*.cloudflare.com',
- 'https://*.cloudflare.com',
- '*.bootstrapcdn.com',
- '*.googleapis.com',
- '*.gstatic.com',
- 'https://*.bootstrapcdn.com'
- ].concat(trusted),
- imgSrc: [
- // allow all input since we have user submitted images for
- // public profile
- '*',
- 'data:'
- ],
- mediaSrc: [
- '*.bitly.com',
- '*.amazonaws.com',
- '*.twitter.com'
- ].concat(trusted),
- frameSrc: [
- '*.gitter.im',
- '*.gitter.im https:',
- '*.vimeo.com',
- '*.twitter.com',
- '*.ghbtns.com',
- '*.freecatphotoapp.com'
- ].concat(trusted),
+ directives: {
+ defaultSrc: trusted,
+ scriptSrc: [
+ "'unsafe-eval'",
+ "'unsafe-inline'",
+ '*.google-analytics.com',
+ '*.gstatic.com',
+ 'https://*.cloudflare.com',
+ '*.cloudflare.com',
+ 'https://*.gitter.im',
+ 'https://*.cdnjs.com',
+ '*.cdnjs.com',
+ 'https://*.jsdelivr.com',
+ '*.jsdelivr.com',
+ '*.twimg.com',
+ 'https://*.twimg.com',
+ 'vimeo.com'
+ ].concat(trusted),
+ connectSrc: [
+ 'vimeo.com'
+ ].concat(trusted),
+ styleSrc: [
+ "'unsafe-inline'",
+ '*.gstatic.com',
+ '*.googleapis.com',
+ '*.bootstrapcdn.com',
+ 'https://*.bootstrapcdn.com',
+ '*.cloudflare.com',
+ 'https://*.cloudflare.com'
+ ].concat(trusted),
+ fontSrc: [
+ '*.cloudflare.com',
+ 'https://*.cloudflare.com',
+ '*.bootstrapcdn.com',
+ '*.googleapis.com',
+ '*.gstatic.com',
+ 'https://*.bootstrapcdn.com'
+ ].concat(trusted),
+ imgSrc: [
+ // allow all input since we have user submitted images for
+ // public profile
+ '*',
+ 'data:'
+ ],
+ mediaSrc: [
+ '*.bitly.com',
+ '*.amazonaws.com',
+ '*.twitter.com'
+ ].concat(trusted),
+ frameSrc: [
+ '*.gitter.im',
+ '*.gitter.im https:',
+ '*.vimeo.com',
+ '*.twitter.com',
+ '*.ghbtns.com',
+ '*.freecatphotoapp.com'
+ ].concat(trusted)
+ },
 // set to true if you only want to set all headers
 reportOnly: false,
 // set to true if you want to set all headers
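Review bot: The `frameSrc` element `'*.gitter.im https:'` packs two source expressions into one array entry, and once serialised the bare `https:` scheme source lets the page embed a frame from any HTTPS origin, which makes the other `frameSrc` hosts (and whatever `trusted` adds) largely moot; it was carried over verbatim from the old flat config rather than reconsidered during the move under `directives`. If embedding arbitrary HTTPS origins is intended, make it its own element, `'https:'`, with a one-line comment saying why; otherwise reduce the entry to `'*.gitter.im'`. I cannot tell from the hunk whether helmet-csp 1.0.x validates individual directive values, so it is worth confirming the new library does not reject or mangle a space-separated entry like this. Separately, `scriptSrc` still carries `"'unsafe-eval'"` and `"'unsafe-inline'"`, so the upgrade leaves the policy offering essentially no script-injection protection, and a `// TODO: replace 'unsafe-inline' with nonces or hashes` would flag that for the next reader. `csp()` opens inside the hunk but its closing lines are outside it.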