couchdb-commits mailing list archives

From kxe...@apache.org
Subject [1/4] fauxton commit: updated refs/heads/import-master to 9bc7c98
Date Tue, 17 Jun 2014 21:25:57 GMT
Repository: couchdb-fauxton
Updated Branches:
  refs/heads/import-master 8cb432c5f -> 9bc7c98e2


Add Experimental Content-Security-Policy-Support (CSP) for Fauxton

Like every web application, Fauxton is vulnerable to XSS and
CSP is a technology that tries to help against that.

The patch makes it possible to enable CSP for the /_utils path and
allows configuration of the sent header.

The default setting for the value of the header breaks the old
Futon, when CSP is enabled there. The old Futon has a lot of
inline-JavaScript which is not allowed in the setting I have
chosen as default.

For development, the header is also sent from the Node server
which launches Fauxton in dev-mode.

People can enable the feature by setting enable = true in the
section [csp] of their configs.


Project: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/commit/7b82f198
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/tree/7b82f198
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/diff/7b82f198

Branch: refs/heads/import-master
Commit: 7b82f1986dee4c4cfb16b1687f62aa080ad20fe9
Parents: 8cb432c
Author: Robert Kowalski <rok@kowalski.gd>
Authored: Sat May 17 18:37:30 2014 +0200
Committer: Robert Kowalski <rok@kowalski.gd>
Committed: Mon Jun 9 19:09:06 2014 +0200

----------------------------------------------------------------------
 tasks/couchserver.js | 4 ++++
 1 file changed, 4 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/7b82f198/tasks/couchserver.js
----------------------------------------------------------------------
diff --git a/tasks/couchserver.js b/tasks/couchserver.js
index 67b0ae0..3a17ab6 100644
--- a/tasks/couchserver.js
+++ b/tasks/couchserver.js
@@ -47,6 +47,10 @@ module.exports = function (grunt) {
           accept = req.headers.accept.split(','),
           filePath;
 
+      var headerValue = "default-src 'self'; img-src 'self'; font-src 'self'; " +
+                        "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
+      res.setHeader('Content-Security-Policy', headerValue);
+
       if (!!url.match(/^\/addons\/.*\/assets\/js/)) {
         filePath = path.join(app_dir, url.replace('/_utils/fauxton/',''));
       } else if (!!url.match(/assets/)) {
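Review bot: the policy string in this hunk hard-codes 'unsafe-eval' in script-src and 'unsafe-inline' in style-src with no comment saying which part of Fauxton needs them, so a later reader cannot tell whether they are safe to drop; please add a one-line comment naming the dependency. The commit message says the production header value is configurable in the [csp] section, but the dev server keeps its own copy here, so the two will drift; consider reading the same value or moving it into a shared constant. `img-src 'self'` and `font-src 'self'` only restate the default-src fallback and can be removed unless they are meant to diverge later.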

