const helmet = require('helmet');
// Environment-derived settings.
const { REACT_APP_ENV, REACT_APP_SHARETRIBE_SDK_BASE_URL } = process.env;
const dev = REACT_APP_ENV === 'development';

// CSP keyword and scheme sources, quoted exactly as the header syntax requires.
const self = "'self'";
const unsafeInline = "'unsafe-inline'";
const unsafeEval = "'unsafe-eval'";
const data = 'data:';
const blob = 'blob:';

// Local image host is only whitelisted in development builds.
const devImagesMaybe = dev ? ['*.localhost:8000'] : [];

// Flex API host. `||` is intentional: an empty env value also falls back to production.
const baseUrl = REACT_APP_SHARETRIBE_SDK_BASE_URL || 'https://flex-api.sharetribe.com';

// Third-party hosts shared by several directives.
const stripe = '*.stripe.com';
const googleAnalytics = ['www.google-analytics.com', 'stats.g.doubleclick.net'];

// Default CSP whitelist.
//
// NOTE: Do not change these in the customizations, make custom
// additions within the exported function in the bottom of this file.
//
// NOTE(review): scriptSrc allows 'unsafe-inline', 'unsafe-eval' and data:,
// i.e. inline, eval'd and data-URI scripts. That removes most of the XSS
// protection a CSP gives; it is kept because the shipped app relies on it.
// Tightening (nonces/hashes instead of 'unsafe-inline') is only safe after
// confirming which inline scripts the app actually emits.
// No object-src, frame-ancestors or form-action directive is set here, so they
// fall back to default-src or to Helmet's own defaults — which of the two
// applies depends on the installed Helmet version and its useDefaults option.
const defaultDirectives = {
  baseUri: [self],
  defaultSrc: [self],
  childSrc: [blob],
  connectSrc: [
    self,
    baseUrl,
    'maps.googleapis.com',
    '*.tiles.mapbox.com',
    'api.mapbox.com',
    'events.mapbox.com',
    // Google Analytics
    ...googleAnalytics,
    'sentry.io',
    stripe,
  ],
  fontSrc: [self, data, 'assets-sharetribecom.sharetribe.com', 'fonts.gstatic.com'],
  frameSrc: [self, stripe],
  imgSrc: [
    self,
    data,
    blob,
    ...devImagesMaybe,
    '*.imgix.net',
    'sharetribe.imgix.net', // Safari 9.1 didn't recognize asterisk rule.
    // Styleguide placeholder images
    'lorempixel.com',
    'via.placeholder.com',
    'api.mapbox.com',
    'maps.googleapis.com',
    '*.gstatic.com',
    '*.googleapis.com',
    '*.ggpht.com',
    // Google Analytics
    'www.google.com',
    ...googleAnalytics,
    stripe,
  ],
  scriptSrc: [
    self,
    unsafeInline,
    unsafeEval,
    data,
    'maps.googleapis.com',
    'api.mapbox.com',
    '*.google-analytics.com',
    'js.stripe.com',
  ],
  styleSrc: [self, unsafeInline, 'fonts.googleapis.com', 'api.mapbox.com'],
};
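/**
 * Middleware for creating a Content Security Policy
 *
 * The policy is assembled from the module-level `defaultDirectives`, with
 * per-directive overrides from `customDirectives` below. The merge is shallow:
 * a custom directive replaces the default list for that directive instead of
 * extending it, so build on the default list (see the commented example) when
 * adding hosts.
 *
 * @param {String} reportUri URL where the browser will POST the
 * policy violation reports. When it is empty or undefined the report-uri
 * directive is left out rather than emitted with a bogus value.
 *
 * @param {Boolean} enforceSsl When SSL is enforced, all mixed content
 * is blocked/reported by the policy (block-all-mixed-content directive)
 *
 * @param {Boolean} reportOnly In the report mode, requests are only
 * reported to the report URL instead of blocked. Report-only mode without a
 * reportUri neither blocks nor reports anything.
 *
 * @returns {Function} the middleware returned by helmet.contentSecurityPolicy
 */
module.exports = (reportUri, enforceSsl, reportOnly) => {
  // ================ START CUSTOM CSP URLs ================ //

  // Add custom CSP whitelisted URLs here. See commented example
  // below. For format specs and examples, see:
  // https://content-security-policy.com/

  // Example: extend default img directive with custom domain
  // const { imgSrc = [self] } = defaultDirectives;
  // const exampleImgSrc = imgSrc.concat('my-custom-domain.example.com');

  const customDirectives = {
    // Example: Add custom directive override
    // imgSrc: exampleImgSrc,
  };

  // ================ END CUSTOM CSP URLs ================ //

  // Helmet v4 expects every value to be iterable so strings or booleans are not supported directly
  // If we want to add block-all-mixed-content directive we need to add empty array to directives
  // See Helmet's default directives:
  // https://github.com/helmetjs/helmet/blob/bdb09348c17c78698b0c94f0f6cc6b3968cd43f9/middlewares/content-security-policy/index.ts#L51
  //
  // report-uri is only added when a URL was actually given. Helmet does not
  // inspect the array elements, so `[undefined]` would presumably be serialized
  // into the header as the literal text "undefined" — confirm against the
  // installed Helmet version.
  const reportUriMaybe = reportUri ? { reportUri: [reportUri] } : {};
  const directives = Object.assign(reportUriMaybe, defaultDirectives, customDirectives);
  if (enforceSsl) {
    // NOTE(review): block-all-mixed-content is deprecated in CSP Level 3 in
    // favour of upgrade-insecure-requests; kept as-is to preserve behaviour.
    directives.blockAllMixedContent = [];
  }

  // See: https://helmetjs.github.io/docs/csp/
  return helmet.contentSecurityPolicy({
    directives,
    reportOnly,
  });
};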