From 9234bce75de6fac604ac6a5d90dba560ef0d5ac4 Mon Sep 17 00:00:00 2001
From: Danny Coates
Date: Wed, 12 Jul 2017 10:56:04 -0700
Subject: [PATCH] added csp directives

---
 frontend/src/download.js | 7 +++----
 frontend/src/upload.js | 12 +++++++-----
 server/server.js | 24 ++++++++++++++++++++++++
 views/download.handlebars | 2 +-
 views/index.handlebars | 4 ++--
 5 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/frontend/src/download.js b/frontend/src/download.js
index 0bc34a04..f16adf40 100644
--- a/frontend/src/download.js
+++ b/frontend/src/download.js
@@ -9,7 +9,8 @@ $(document).ready(function() {
 $('#send-file').click(() => {
 window.location.replace(`${window.location.origin}`);
 });
- const download = () => {
+ $('#download-btn').click(download);
+ function download() {
 const fileReceiver = new FileReceiver();
 const name = document.createElement('p');
 const $btn = $('#download-btn');
@@ -84,7 +85,5 @@ $(document).ready(function() {
 Raven.captureException(err);
 return Promise.reject(err);
 });
- };
-
- window.download = download;
+ }
 });
diff --git a/frontend/src/upload.js b/frontend/src/upload.js
index 08adb6e0..69935376 100644
--- a/frontend/src/upload.js
+++ b/frontend/src/upload.js
@@ -10,6 +10,8 @@ $(document).ready(function() {
 $('#compliance-error').show();
 });
+ $('#file-upload').change(onUpload);
+ $('#page-one').on('dragover', allowDrop).on('drop', onUpload);
 // reset copy button
 const $copyBtn = $('#copy-btn');
 $copyBtn.attr('disabled', false);
@@ -61,11 +63,11 @@ $(document).ready(function() {
 });
 // on file upload by browse or drag & drop
- window.onUpload = event => {
+ function onUpload(event) {
 event.preventDefault();
 let file = '';
 if (event.type === 'drop') {
- file = event.dataTransfer.files[0];
+ file = event.originalEvent.dataTransfer.files[0];
 } else {
 file = event.target.files[0];
 }
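Review bot: `file` can be undefined after either branch of the new `onUpload` and nothing in the hunk checks it before the rest of the handler runs: the `change` event can fire with an empty `files` list when the file picker is cancelled, and a drop of non-file data (selected text, a link) leaves `originalEvent.dataTransfer.files` empty. A guard right after the if/else, `if (!file) return;`, keeps the upload path from being entered with no file; if the body past the hunk already handles this, disregard. The `let file = ''` sentinel is also no longer needed — `const file = event.type === 'drop' ? event.originalEvent.dataTransfer.files[0] : event.target.files[0];` expresses the same thing without a mutable placeholder. onUpload's body continues outside the hunk.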
@@ -143,11 +145,11 @@ $(document).ready(function() {
 $('#page-one').hide();
 $('#upload-error').show();
 });
- };
+ }
- window.allowDrop = function(ev) {
+ function allowDrop(ev) {
 ev.preventDefault();
- };
+ }
 function checkExistence(id, populate) {
 const xhr = new XMLHttpRequest();
diff --git a/server/server.js b/server/server.js
index 4f80c4ee..e3c838a0 100644
--- a/server/server.js
+++ b/server/server.js
@@ -32,6 +32,30 @@ app.engine(
 app.set('view engine', 'handlebars');
 app.use(helmet());
+app.use(
+ helmet.contentSecurityPolicy({
+ directives: {
+ defaultSrc: ['\'self\''],
+ connectSrc: [
+ '\'self\'',
+ 'https://sentry.prod.mozaws.net',
+ 'https://www.google-analytics.com',
+ 'https://ssl.google-analytics.com'
+ ],
+ imgSrc: [
+ '\'self\'',
+ 'https://www.google-analytics.com',
+ 'https://ssl.google-analytics.com'
+ ],
+ scriptSrc: ['\'self\'', 'https://ssl.google-analytics.com'],
+ styleSrc: ['\'self\'', 'https://code.cdn.mozilla.net'],
+ fontSrc: ['\'self\'', 'https://code.cdn.mozilla.net'],
+ formAction: ['\'none\''],
+ frameAncestors: ['\'none\''],
+ objectSrc: ['\'none\'']
+ }
+ })
+);
 app.use(busboy());
 app.use(bodyParser.json());
 app.use(express.static(STATIC_PATH));
diff --git a/views/download.handlebars b/views/download.handlebars
index ba6cf5c5..50cc365a 100644
--- a/views/download.handlebars
+++ b/views/download.handlebars
@@ -23,7 +23,7 @@
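Review bot: The new policy sets no `base-uri`, and that directive does not fall back to `default-src`, so an injected `<base>` tag could redirect the relative script and style URLs that the `'self'` sources are meant to pin; add `baseUri: ['\'self\''],` alongside `formAction`. A `reportUri` would also make violations visible instead of silently blocked — Sentry is already an allowed `connect-src`, so there is somewhere to send them. If `helmet()` on the line above is at its defaults it still sends `X-Frame-Options: SAMEORIGIN`, which is looser than the `frameAncestors: ['\'none\'']` added here; browsers with CSP2 ignore XFO when `frame-ancestors` is present, but older ones will honor SAMEORIGIN, so `helmet.frameguard({ action: 'deny' })` would make the two agree.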
-
+
diff --git a/views/index.handlebars b/views/index.handlebars
index 8be8f2d5..b34a9e80 100644
--- a/views/index.handlebars
+++ b/views/index.handlebars
@@ -19,7 +19,7 @@
Share your files quickly, privately and securely.
-
+
Upload
DRAG & DROP
@@ -31,7 +31,7 @@
-
+