Add CSP for worker-src (#6059) (#6064)

* Specify worker-src seperately, add blob:

* Upgrade react-qr-scan to latest version
This commit is contained in:
Jaco Greeff 2017-07-15 12:59:49 +02:00 committed by Arkadiy Paronyan
parent 1f4d6fced3
commit c4a58efed4
2 changed files with 4 additions and 2 deletions

View File

@ -68,6 +68,9 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
b"font-src 'self' data: https:;".to_vec(), b"font-src 'self' data: https:;".to_vec(),
// Allow inline scripts and scripts eval (webpack/jsconsole) // Allow inline scripts and scripts eval (webpack/jsconsole)
b"script-src 'self' 'unsafe-inline' 'unsafe-eval';".to_vec(), b"script-src 'self' 'unsafe-inline' 'unsafe-eval';".to_vec(),
// Same restrictions as script-src (fallback) with additional
// blob: that is required for camera access (worker)
b"worker-src 'self' 'unsafe-inline' 'unsafe-eval' blob: ;".to_vec(),
// Restrict everything else to the same origin. // Restrict everything else to the same origin.
b"default-src 'self';".to_vec(), b"default-src 'self';".to_vec(),
// Run in sandbox mode (although it's not fully safe since we allow same-origin and script) // Run in sandbox mode (although it's not fully safe since we allow same-origin and script)
@ -140,4 +143,3 @@ pub fn convert_uri_to_url(uri: &uri::RequestUri, host: Option<&header::Host>) ->
_ => None, _ => None,
} }
} }

View File

@ -209,7 +209,7 @@
"react-intl": "2.1.5", "react-intl": "2.1.5",
"react-markdown": "2.4.4", "react-markdown": "2.4.4",
"react-portal": "3.0.0", "react-portal": "3.0.0",
"react-qr-reader": "1.0.3", "react-qr-reader": "1.1.3",
"react-redux": "4.4.6", "react-redux": "4.4.6",
"react-router": "3.0.0", "react-router": "3.0.0",
"react-router-redux": "4.0.7", "react-router-redux": "4.0.7",