Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-30 06:08:48 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fix SECURITY ISSUE 2: Access to boards of any Orgs/Teams, and avatar permissions.

Browse source 
Thanks to Siam Thanat Hack (STH) !
This commit is contained in:
Lauri Ojansivu 2025-11-02 09:11:50 +02:00
parent e9a727301d
commit f26d582018
9 changed files with 347 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

21
server/cors.js
View file

@ -1,18 +1,11 @@
Meteor.startup(() => {
// Set Permissions-Policy header to suppress browser warnings about experimental features
WebApp.rawConnectHandlers.use(function(req, res, next) {
// Disable experimental advertising and privacy features that cause browser warnings
res.setHeader('Permissions-Policy',
'browsing-topics=(), ' +
'run-ad-auction=(), ' +
'join-ad-interest-group=(), ' +
'private-state-token-redemption=(), ' +
'private-state-token-issuance=(), ' +
'private-aggregation=(), ' +
'attribution-reporting=()'
);
return next();
});
// Optional: Set Permissions-Policy only if explicitly provided to avoid browser warnings about unrecognized features
if (process.env.PERMISSIONS_POLICY && process.env.PERMISSIONS_POLICY.trim() !== '') {
WebApp.rawConnectHandlers.use(function(req, res, next) {
res.setHeader('Permissions-Policy', process.env.PERMISSIONS_POLICY);
return next();
});
}
if (process.env.CORS) {
// Listen to incoming HTTP requests, can only be used on the server