David Mehren 9499add64c

Tighten up default Content-Security-Policy ...

This commit changes the
- default-src to none, so everything is disallowed by default
- base-uri, connect-uri and font-src to self,
  so these are restricted to the current origin
- frame-src to allow SlideShare, Vimeo and YouTube
- script-src to the specific paths that are used by HedgeDoc to serve scripts.
  This explicitly does not include the /uploads route
 - style-src to the specific paths that are used by HedgeDoc to serve styles
 -

Signed-off-by: David Mehren <git@herrmehren.de>

2021-08-15 00:22:30 +02:00

..

config

Fix unescaped line break in git output

2021-08-15 00:16:46 +02:00

migrations

Add missing catch

2020-12-02 19:39:06 +01:00

models

Add help link and short explanation for failing migrations

2021-07-21 00:06:07 +02:00

ot

Fix logging in ot module

2018-11-13 23:30:13 +01:00

web

fix(image-upload): Fix swallowing of errors for filesystem

2021-08-14 20:04:08 +02:00

workers

Linter: Fix all lint errors

2021-02-15 12:15:14 +01:00

csp.js

Tighten up default Content-Security-Policy

2021-08-15 00:22:30 +02:00

errors.js

Check for existing notes on POST and dont override them

2021-03-29 23:00:34 +02:00

history.js

Linter: Fix all lint errors

2021-02-15 12:15:14 +01:00

letter-avatars.js

Linter: Fix all lint errors

2021-02-15 12:15:14 +01:00

logger.js

Fix eslint warnings

2019-05-31 00:30:29 +02:00

prometheus.js

Add custom prometheus metrics

2021-04-25 20:06:56 +02:00

realtime.js

Linter: Fix all lint errors

2021-02-15 12:15:14 +01:00

response.js

Replace request library with node-fetch

2021-03-12 22:27:49 +01:00

utils.js

Exclude /metrics and /status routes from session initialization

2021-07-20 23:56:54 +02:00