UI: set csp defaults to false and add form action from config (#1847)

AthenZ · Apr 8, 2022 · f2e1791 · f2e1791
1 parent ed42a28
commit f2e1791
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/ui/src/server/handlers/secure.js b/ui/src/server/handlers/secure.js
@@ -47,20 +47,26 @@ module.exports = function (expressApp, config, secrets) {
                 mediaSrc: [`'self'`],
                 objectSrc: [`'self'`],
                 workerSrc: [`'self'`],
+                formAction: [`'self'`],
                 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
                 // we have set all the directives which defaultSrc sets for us, and we let nextjs set up style-src for us
                 defaultSrc:
                     helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
             },
+            useDefaults: false,
         };
         if (config.cspImgSrc && config.cspImgSrc !== '') {
             contentSecurityPolicy.directives.imgSrc.push(config.cspImgSrc);
         }
         if (config.cspReportUri && config.cspReportUri !== '') {
             contentSecurityPolicy.directives.reportUri = config.cspReportUri;
         }
+        if (config.formAction && config.formAction !== '') {
+            contentSecurityPolicy.directives.formAction.push(config.formAction);
+        }
         helmet({
             contentSecurityPolicy: contentSecurityPolicy,
+            crossOriginEmbedderPolicy: false,
         })(req, res, next);
     });