Merge pull request #1480 from jackyzy823/fxa-csp

Handle Content-Security-Policy for self hosting FxA
Danny Coates 2020-07-09 19:31:06 -07:00 committed by GitHub
commit 7dd1fcca9b
2 changed files with 41 additions and 3 deletions


@ -155,6 +155,26 @@ const conf = convict({
default: 'https://identity.mozilla.com/apps/send', default: 'https://identity.mozilla.com/apps/send',
env: 'FXA_KEY_SCOPE' env: 'FXA_KEY_SCOPE'
}, },
fxa_csp_oauth_url: {
format: String,
default: '',
env: 'FXA_CSP_OAUTH_URL'
},
fxa_csp_content_url: {
format: String,
default: '',
env: 'FXA_CSP_CONTENT_URL'
},
fxa_csp_profile_url: {
format: String,
default: '',
env: 'FXA_CSP_PROFILE_URL'
},
fxa_csp_profileimage_url: {
format: String,
default: '',
env: 'FXA_CSP_PROFILEIMAGE_URL'
},
survey_url: { survey_url: {
format: String, format: String,
default: '', default: '',
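Review bot: The four new `fxa_csp_*_url` entries say nothing about what a valid value looks like, although their values are appended verbatim to the Content-Security-Policy source lists elsewhere in this commit. A one-line `doc:` per entry, e.g. `doc: 'Origin added to connect-src for a self-hosted FxA OAuth server; empty leaves the policy unchanged'`, would tell self-hosters what to put in `FXA_CSP_OAUTH_URL` and its siblings. `format: String` with a default of `''` accepts any string, so a value carrying a path, a trailing slash or no scheme is not rejected at config load time and only shows up as a broken or over-broad policy at runtime. The surrounding `convict({ ... })` schema starts before and ends after this hunk.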


@ -31,8 +31,7 @@ module.exports = function(app) {
next(); next();
}); });
if (!IS_DEV) { if (!IS_DEV) {
app.use( let csp = {
helmet.contentSecurityPolicy({
directives: { directives: {
defaultSrc: ["'self'"], defaultSrc: ["'self'"],
connectSrc: [ connectSrc: [
@ -62,9 +61,28 @@ module.exports = function(app) {
objectSrc: ["'none'"], objectSrc: ["'none'"],
reportUri: '/__cspreport__' reportUri: '/__cspreport__'
} }
}) }
csp.directives.connectSrc.push(config.base_url.replace(/^https:\/\//,'wss://'))
if(config.fxa_csp_oauth_url != ""){
csp.directives.connectSrc.push(config.fxa_csp_oauth_url)
}
if(config.fxa_csp_content_url != "" ){
csp.directives.connectSrc.push(config.fxa_csp_content_url)
}
if(config.fxa_csp_profile_url != "" ){
csp.directives.connectSrc.push(config.fxa_csp_profile_url)
}
if(config.fxa_csp_profileimage_url != ""){
csp.directives.imgSrc.push(config.fxa_csp_profileimage_url)
}
app.use(
helmet.contentSecurityPolicy(csp)
); );
} }
app.use(function(req, res, next) { app.use(function(req, res, next) {
res.set('Pragma', 'no-cache'); res.set('Pragma', 'no-cache');
res.set( res.set(
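Review bot: The four `!= ""` guards after `csp.directives.connectSrc.push(...)` use loose equality and repeat the same three-line shape, and `let csp` is never reassigned; `const csp` with `!== ''` (or a loop over the three connect-src keys, as below) reads tighter. `csp.directives.imgSrc.push(...)` assumes the directives object, whose middle is cut between the two hunks, already defines `imgSrc` as an array; if it does not, this throws at startup, and only in production, because the whole block sits inside `if (!IS_DEV)`. The `replace(/^https:\/\//, 'wss://')` rewrite of `base_url` only fires for an https base URL, so an http `base_url` is pushed into connect-src unchanged rather than as `ws://`; that may be intended but deserves a comment. Every configured value goes into the header verbatim, so a malformed one (stray whitespace, a path, a missing scheme) silently weakens or breaks the policy, and validating them as origins where the config is loaded would surface that earlier. The enclosing `module.exports = function(app)` begins before the first hunk.
```javascript
const csp = {
  // … unchanged: directives …
};
// base_url is https in production; only that scheme is rewritten to wss.
csp.directives.connectSrc.push(config.base_url.replace(/^https:\/\//, 'wss://'));
// Empty config values leave the policy unchanged; set ones are emitted verbatim.
for (const key of ['fxa_csp_oauth_url', 'fxa_csp_content_url', 'fxa_csp_profile_url']) {
  if (config[key] !== '') {
    csp.directives.connectSrc.push(config[key]);
  }
}
if (config.fxa_csp_profileimage_url !== '') {
  csp.directives.imgSrc.push(config.fxa_csp_profileimage_url);
}
app.use(helmet.contentSecurityPolicy(csp));
```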