From e2876b119d046d60b614e0be364ac4919a8d0424 Mon Sep 17 00:00:00 2001
From: jackyzy823
Date: Thu, 11 Jun 2020 21:57:48 +0800
Subject: [PATCH] add configs to handle content-security-policy correctly for custom fxa urls

---
 server/config.js       | 20 ++++++++++++++++++++
 server/routes/index.js | 24 +++++++++++++++++++++---
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/server/config.js b/server/config.js
index 72b750ea..d212d902 100644
--- a/server/config.js
+++ b/server/config.js
@@ -145,6 +145,26 @@ const conf = convict({
     default: 'https://identity.mozilla.com/apps/send',
     env: 'FXA_KEY_SCOPE'
   },
+  fxa_csp_oauth_url: {
+    format: String,
+    default: '',
+    env: 'FXA_CSP_OAUTH_URL'
+  },
+  fxa_csp_content_url: {
+    format: String,
+    default: '',
+    env: 'FXA_CSP_CONTENT_URL'
+  },
+  fxa_csp_profile_url: {
+    format: String,
+    default: '',
+    env: 'FXA_CSP_PROFILE_URL'
+  },
+  fxa_csp_profileimage_url: {
+    format: String,
+    default: '',
+    env: 'FXA_CSP_PROFILEIMAGE_URL'
+  },
   survey_url: {
     format: String,
     default: '',
diff --git a/server/routes/index.js b/server/routes/index.js
index 05759815..cb99f141 100644
--- a/server/routes/index.js
+++ b/server/routes/index.js
@@ -31,8 +31,7 @@ module.exports = function(app) {
     next();
   });
   if (!IS_DEV) {
-    app.use(
-      helmet.contentSecurityPolicy({
+    let csp = {
         directives: {
           defaultSrc: ["'self'"],
           connectSrc: [
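Review bot: The four new `fxa_csp_*_url` settings are declared `format: String`, so any value taken from the environment is accepted, yet each one is spliced verbatim into a CSP source list in server/routes/index.js; a wildcard, a bare scheme such as `https:`, or a value with a stray space would silently widen or break the policy at startup. convict accepts a validator function as `format`, so a narrow check such as `format: (val) => { if (val !== '' && new URL(val).protocol !== 'https:') throw new Error('expected an https URL'); }` rejects malformed values at load time while still allowing the empty default. A one-line `doc:` entry on each setting stating that it is a CSP source for the corresponding FxA origin would also help whoever deploys with custom FxA URLs.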
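Review bot: `csp` is declared with `let` on the added line but is never reassigned afterwards (the later hunk only mutates `csp.directives`), so `const csp = {` is the right declaration, and the statement should end with a semicolon like the surrounding code does. The `directives` object, including the `connectSrc` list this hunk opens, continues past the end of the hunk.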
@@ -62,9 +61,28 @@ module.exports = function(app) {
           objectSrc: ["'none'"],
           reportUri: '/__cspreport__'
         }
-      })
+    }
+
+    csp.directives.connectSrc.push(config.base_url.replace(/^https:\/\//,'wss://'))
+    if(config.fxa_csp_oauth_url != ""){
+      csp.directives.connectSrc.push(config.fxa_csp_oauth_url)
+    }
+    if(config.fxa_csp_content_url != "" ){
+      csp.directives.connectSrc.push(config.fxa_csp_content_url)
+    }
+    if(config.fxa_csp_profile_url != "" ){
+      csp.directives.connectSrc.push(config.fxa_csp_profile_url)
+    }
+    if(config.fxa_csp_profileimage_url != ""){
+      csp.directives.imgSrc.push(config.fxa_csp_profileimage_url)
+    }
+
+
+    app.use(
+      helmet.contentSecurityPolicy(csp)
     );
   }
+
   app.use(function(req, res, next) {
     res.set('Pragma', 'no-cache');
     res.set(
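Review bot: The values pushed into `connectSrc` and `imgSrc` in the added block come straight from configuration with only an empty-string check, and since the config side declares them as plain strings, a malformed or over-broad source expression reaches the `Content-Security-Policy` header unchecked; the four near-identical `if` blocks also use loose `!=` and omit semicolons, unlike the rest of the file. `imgSrc` is not visible in this hunk — if the directives object declared earlier in the file does not define it, `.push` throws at startup, so confirm it is present before relying on it. The three `connectSrc` additions collapse into one loop over the setting names, which makes the strict comparison and semicolons uniform; the rewritten lines are below. The `wss://` rewrite only applies when `base_url` begins with `https://`, otherwise the unchanged value is pushed, which is presumably acceptable under `!IS_DEV` but deserves a comment.
```javascript
// … unchanged: csp declaration and directives …
};

// Allow the same origin over WebSocket; only an https:// base_url is rewritten.
csp.directives.connectSrc.push(config.base_url.replace(/^https:\/\//, 'wss://'));
for (const key of ['fxa_csp_oauth_url', 'fxa_csp_content_url', 'fxa_csp_profile_url']) {
  if (config[key] !== '') {
    csp.directives.connectSrc.push(config[key]);
  }
}
if (config.fxa_csp_profileimage_url !== '') {
  csp.directives.imgSrc.push(config.fxa_csp_profileimage_url);
}

app.use(helmet.contentSecurityPolicy(csp));
```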