Inline scripts CSP for login (#1871)

* Protect the login page a little bit more

Post #944 #1867

Auto-merge

Author: Martii

controllers/index.js

@@ -11,6 +11,7 @@ var isDbg = require('../libs/debug').isDbg;
 var async = require('async');
 var _ = require('underscore');
 var url = require('url');
+var crypto = require('crypto');
 
 //--- Model inclusions
 var Discussion = require('../models/discussion').Discussion;
@@ -261,6 +262,11 @@ exports.register = function (aReq, aRes) {
   //
 
   Strategy.find({}, function (aErr, aAvailableStrategies) {
+    var SECRET = process.env.HCAPTCHA_SECRET_KEY;
+    var SITEKEY = process.env.HCAPTCHA_SITE_KEY;
+    var defaultCSP = ' \'self\'';
+    var captchaCSP = (SECRET ? ' hcaptcha.com *.hcaptcha.com' : '');
+
     if (aErr || !aAvailableStrategies) {
       statusCodePage(aReq, aRes, aNext, {
         statusCode: 503,
@@ -277,6 +283,11 @@ exports.register = function (aReq, aRes) {
         });
       });
 
+      options.hasCaptcha = (SECRET ? true : false);
+
+      options.nonce = crypto.randomBytes(512).toString('hex');
+      defaultCSP += ' \'nonce-' + options.nonce + '\'';
+
       // Insert an empty default strategy at the beginning
       // NOTE: Safari always autoselects an option when disabled
       options.strategies.unshift({'strat': '', 'display': '(default preferred authentication)'});
@@ -286,10 +297,21 @@ exports.register = function (aReq, aRes) {
         return aStrategy.display;
       });
 
+
       aRes.header('Cache-Control', 'no-cache, no-store, must-revalidate');
       aRes.header('Pragma', 'no-cache');
       aRes.header('Expires', '0');
 
+      //
+      aRes.header('Content-Security-Policy',
+        'default-src' + defaultCSP +
+        '; connect-src' + defaultCSP + captchaCSP +
+        '; frame-src'   + defaultCSP + captchaCSP +
+        '; style-src'   + defaultCSP + captchaCSP +
+        '; script-src'  + defaultCSP + captchaCSP +
+        ''
+      );
+
       aRes.render('pages/loginPage', options);
     }
   });

views/includes/scripts/formControlClear.html

@@ -1,4 +1,4 @@
-<script type="text/javascript">
+<script type="text/javascript"{{#nonce}} nonce="{{nonce}}"{{/nonce}}>
   (function () {
     'use strict';
 

views/includes/scripts/googleAnalytics.html

@@ -1,4 +1,4 @@
-<script type="text/javascript">
+<script type="text/javascript"{{#nonce}} nonce="{{nonce}}"{{/nonce}}>>
   (function () {
 
     if (!{{DNT}}) {

views/includes/scripts/hideReminders.html

@@ -1,4 +1,4 @@
-<script type="text/javascript">
+<script type="text/javascript"{{#nonce}} nonce="{{nonce}}"{{/nonce}}>>
   (function () {
 
     var events = 'focus resize scroll';

views/includes/scripts/loginEcho.html

@@ -1,4 +1,4 @@
-<script type="text/javascript">
+<script type="text/javascript"{{#nonce}} nonce="{{nonce}}"{{/nonce}}>
   (function () {
 
     // NOTE: Keep in sync with helper

views/pages/loginPage.html

@@ -4,7 +4,7 @@
   <title>{{title}}</title>
   {{> includes/head.html }}
   {{#hasCaptcha}}
-  <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
+  <script src="https://js.hcaptcha.com/1/api.js" async="async" defer="defer"></script>
   {{/hasCaptcha}}
 </head>
 <body>