nlf / blankie

a hapi CSP plugin

Allow setting base-uri #19

Closed klaemo closed 7 years ago

klaemo commented 7 years ago

Hey there, I think it would be helpful to be able to set the base-uri. Currently I haven't found a way to do that with blankie. Am I missing something?

As per Google's CSP evaluator:

Missing base-uri allows the injection of base tags. They can be used to set the base URL for all relative (script) URLs to an attacker controlled domain.

Thank you for this plugin!

ghost commented 7 years ago

Nope, not possible atm with Blankie. You have to set it manually,

plugins/securityHeaders.js (super simple example):

'use strict';
// hapi < 17 plugin interface: register(server, options, next)
exports.register = (server, options, next) => {
    // Runs for every response, just before it is sent to the client
    server.ext('onPreResponse', (req, res) => {
        const set = req.response;

        // Boom error responses have no header() method, so only plain responses get the header here
        if (set.header) {
            set.header('Content-Security-Policy', 'base-uri https://example.com;');
        }
        res.continue();
    });
    next();
};

exports.register.attributes = {
    version: '1.0.0',
    name: 'securityHeaders'
};
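The following is an added example and is not part of blankie or of the answer above. It builds a complete Content-Security-Policy value that includes base-uri, parses a policy back into directives, flags the "missing base-uri" finding the quoted CSP evaluator reports (and a base-uri that still permits any origin), and applies the header in the onPreResponse style of the snippet above while also covering Boom error responses, which lack `header()` and carry their headers in `output.headers`. The directive object shape, the `buildCsp`/`parseCsp`/`checkBaseUri`/`applyCsp` names and the fake response objects are assumptions made for this example; hapi's own `response.header()` replaces an existing value by default, so the whole policy is built once rather than written as a second base-uri-only header.

```javascript
'use strict';
// Added example (not blankie's code and not the answer above).

// Serialise a directives object ({ name: [sources] }, an assumed shape) into a
// Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into { directive: [sources] }. Directive names are
// case-insensitive, and a repeated directive is ignored after its first occurrence.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// The base-uri review a defender wants: is the directive present, and does it
// still allow an arbitrary origin (wildcard or bare scheme source)?
function checkBaseUri(header) {
  const sources = parseCsp(header)['base-uri'];
  if (!sources) {
    return { ok: false, reason: 'base-uri missing' };
  }
  const lax = sources.some((s) => s === '*' || /^https?:$/.test(s) || s === 'data:');
  if (lax) {
    return { ok: false, reason: 'base-uri allows arbitrary origins' };
  }
  return { ok: true, reason: '' };
}

// Apply the policy to a hapi (< 17) response inside onPreResponse. Plain responses
// expose header(); Boom error responses do not, and keep headers in output.headers.
// Returns the value that was set so callers (and tests) can confirm it.
function applyCsp(response, header) {
  if (typeof response.header === 'function') {
    response.header('Content-Security-Policy', header);
  } else if (response.isBoom && response.output && response.output.headers) {
    response.output.headers['Content-Security-Policy'] = header;
  }
  return header;
}

// Constructed sample policies: the same rules without and with base-uri.
const withoutBaseUri = buildCsp({
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
});

const withBaseUri = buildCsp({
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
  'base-uri': ["'self'"],
});

// Constructed stand-ins for the two response shapes seen in onPreResponse.
function makeFakeResponse() {
  return { headers: {}, header(name, value) { this.headers[name] = value; } };
}
function makeFakeBoom() {
  return { isBoom: true, output: { statusCode: 500, headers: {} } };
}

console.log(withoutBaseUri, '->', checkBaseUri(withoutBaseUri));
console.log(withBaseUri, '->', checkBaseUri(withBaseUri));
```

To wire this into the plugin from the answer, call `applyCsp(req.response, withBaseUri)` in the onPreResponse handler before `res.continue()`; the Boom branch is what makes error pages carry the same policy as normal ones.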