yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-11-02 10:55:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11433 from strapi/v4/security-allow-gql-doc-playgrounds

Browse Source 
Lighten the security config for /document and /graphql playgrounds
This commit is contained in:
Alexandre BODIN 2021-11-02 15:23:30 +01:00 committed by GitHub
commit 28169ce6f9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
packages/core/strapi/lib/middlewares/security.js
View File

@ -1,6 +1,6 @@
'use strict';
const { defaultsDeep } = require('lodash/fp');
const { defaultsDeep, merge } = require('lodash/fp');
const helmet = require('koa-helmet');
const defaults = {
@ -27,4 +27,19 @@ const defaults = {
/**
* @type {import('./').MiddlewareFactory}
*/
module.exports = config => helmet(defaultsDeep(defaults, config));
module.exports = config => (ctx, next) => {
let helmetConfig = defaultsDeep(defaults, config);
if (ctx.method === 'GET' && ['/graphql', '/documentation'].includes(ctx.path)) {
helmetConfig = merge(helmetConfig, {
contentSecurityPolicy: {
directives: {
'script-src': ["'self'", "'unsafe-inline'", 'cdn.jsdelivr.net'],
'img-src': ["'self'", 'data:', 'cdn.jsdelivr.net'],
},
},
});
}
return helmet(helmetConfig)(ctx, next);
};