
feat: fix csp headers for feedback form (#3617)

Fix feedback form failing due to missing csp headers
Jaanus Sellin 2023-04-25 13:40:55 +03:00 committed by GitHub
parent 8c7c3c34f4
commit 28f61e05ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 23 additions and 0 deletions


@ -4,6 +4,7 @@ exports[`should create default config 1`] = `
{
"accessControlMaxAge": 86400,
"additionalCspAllowedDomains": {
"connectSrc": [],
"defaultSrc": [],
"fontSrc": [],
"imgSrc": [],


@ -277,6 +277,7 @@ test('should yield all empty lists when no additionalCspAllowedDomains are set',
expect(config.additionalCspAllowedDomains.styleSrc).toStrictEqual([]);
expect(config.additionalCspAllowedDomains.scriptSrc).toStrictEqual([]);
expect(config.additionalCspAllowedDomains.imgSrc).toStrictEqual([]);
expect(config.additionalCspAllowedDomains.connectSrc).toStrictEqual([]);
});
test('If additionalCspAllowedDomains is set in config map, passes through', async () => {
@ -287,6 +288,7 @@ test('If additionalCspAllowedDomains is set in config map, passes through', asyn
styleSrc: [],
scriptSrc: [],
imgSrc: [],
connectSrc: [],
},
});
expect(config.additionalCspAllowedDomains).toBeDefined();
@ -297,6 +299,7 @@ test('If additionalCspAllowedDomains is set in config map, passes through', asyn
expect(config.additionalCspAllowedDomains.styleSrc).toStrictEqual([]);
expect(config.additionalCspAllowedDomains.scriptSrc).toStrictEqual([]);
expect(config.additionalCspAllowedDomains.imgSrc).toStrictEqual([]);
expect(config.additionalCspAllowedDomains.connectSrc).toStrictEqual([]);
});
test('Can set partial additionalCspDomains', () => {
@ -321,6 +324,7 @@ test.each([
['CSP_ALLOWED_STYLE', 'googlefonts.com', 'styleSrc'],
['CSP_ALLOWED_SCRIPT', 'googlefonts.com', 'scriptSrc'],
['CSP_ALLOWED_IMG', 'googlefonts.com', 'imgSrc'],
['CSP_ALLOWED_CONNECT', 'googlefonts.com', 'connectSrc'],
])(
'When %s is set to %s. %s should include passed in domain',
(env, domain, key) => {
@ -342,6 +346,7 @@ test('When multiple CSP environment variables are set, respects them all', () =>
process.env.CSP_ALLOWED_DEFAULT = 'googlefonts.com';
process.env.CSP_ALLOWED_IMG = 'googlefonts.com';
process.env.CSP_ALLOWED_SCRIPT = 'plausible.getunleash.io';
process.env.CSP_ALLOWED_CONNECT = 'plausible.getunleash.io';
const config = createConfig({});
expect(config.additionalCspAllowedDomains.imgSrc).toStrictEqual([
'googlefonts.com',
@ -352,9 +357,13 @@ test('When multiple CSP environment variables are set, respects them all', () =>
expect(config.additionalCspAllowedDomains.scriptSrc).toStrictEqual([
'plausible.getunleash.io',
]);
expect(config.additionalCspAllowedDomains.connectSrc).toStrictEqual([
'plausible.getunleash.io',
]);
delete process.env.CSP_ALLOWED_DEFAULT;
delete process.env.CSP_ALLOWED_IMG;
delete process.env.CSP_ALLOWED_SCRIPT;
delete process.env.CSP_ALLOWED_CONNECT;
});
test('Supports multiple domains comma separated in environment variables', () => {


@ -310,6 +310,7 @@ const parseCspConfig = (
scriptSrc: cspConfig.scriptSrc || [],
imgSrc: cspConfig.imgSrc || [],
styleSrc: cspConfig.styleSrc || [],
connectSrc: cspConfig.connectSrc || [],
};
};
@ -319,12 +320,14 @@ const parseCspEnvironmentVariables = (): ICspDomainConfig => {
const styleSrc = process.env.CSP_ALLOWED_STYLE?.split(',') || [];
const scriptSrc = process.env.CSP_ALLOWED_SCRIPT?.split(',') || [];
const imgSrc = process.env.CSP_ALLOWED_IMG?.split(',') || [];
const connectSrc = process.env.CSP_ALLOWED_CONNECT?.split(',') || [];
return {
defaultSrc,
fontSrc,
styleSrc,
scriptSrc,
imgSrc,
connectSrc,
};
};
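Review bot: The new `connectSrc` line in parseCspEnvironmentVariables passes the raw environment value into the header exactly as its five siblings do: `''.split(',')` is `['']`, so an empty `CSP_ALLOWED_CONNECT` produces an empty token, and whitespace around entries in a comma-separated list is kept. Because these values land verbatim in the connect-src directive, a mis-set value such as `*` silently widens the policy, so trimming and dropping empty entries is worth the one line: `const connectSrc = process.env.CSP_ALLOWED_CONNECT?.split(',').map((s) => s.trim()).filter(Boolean) || [];`. The same applies to the other five variables, though that is outside this change. The parseCspConfig hunk above starts inside that function, whose head is outside the view.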


@ -47,6 +47,13 @@ const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
'gravatar.com',
...config.additionalCspAllowedDomains.imgSrc,
],
connectSrc: [
"'self'",
'cdn.getunleash.io',
'gravatar.com',
'europe-west3-metrics-304612.cloudfunctions.net',
...config.additionalCspAllowedDomains.connectSrc,
],
},
},
crossOriginEmbedderPolicy: false,
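Review bot: The hard-coded `'europe-west3-metrics-304612.cloudfunctions.net'` entry in the new connectSrc list carries no comment saying what it serves; only the commit message ties it to the feedback form, so a later CSP audit cannot tell whether it is still needed. A one-line comment above that entry, e.g. `// feedback-form endpoint (#3617); review before removing`, would fix that. Since the diff has no deletions, connect-src was not set before this change and, per the CSP fallback rules, requests were governed by default-src; now that connect-src is explicit, hosts an operator added through `CSP_ALLOWED_DEFAULT` to reach an API presumably no longer cover fetches, because `additionalCspAllowedDomains.defaultSrc` is not spread into this list — worth a line in the release notes. `'gravatar.com'` looks copied from the imgSrc list above; if the UI only loads avatars as images it can likely be dropped from connect-src. secureHeaders starts and ends outside the hunk.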


@ -159,6 +159,7 @@ export interface ICspDomainOptions {
styleSrc?: string[];
scriptSrc?: string[];
imgSrc?: string[];
connectSrc?: string[];
}
export interface ICspDomainConfig {
@ -167,6 +168,7 @@ export interface ICspDomainConfig {
styleSrc: string[];
scriptSrc: string[];
imgSrc: string[];
connectSrc: string[];
}
interface IFrontendApi {
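Review bot: `connectSrc` is added to both `ICspDomainOptions` and `ICspDomainConfig`, which now differ only in optionality across six identical fields and must be edited in lockstep each time a directive is added — the snapshot and config-test hunks in this commit show how many places that touches. Deriving one from the other keeps the next addition from being missed: `export type ICspDomainConfig = Required<ICspDomainOptions>;`. If something elsewhere `extends ICspDomainConfig`, keep it an interface with `export interface ICspDomainConfig extends Required<ICspDomainOptions> {}` instead. Neither new field has a TSDoc line; `/** Extra hosts appended to the connect-src directive. */` would document the contract.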


@ -107,6 +107,7 @@ unleash.start(unleashOptions);
- You can set the environment variable CSP_ALLOWED_STYLE to allow new styleSrc (comma separated list)
- You can set the environment variable CSP_ALLOWED_SCRIPT to allow new scriptSrc (comma separated list)
- You can set the environment variable CSP_ALLOWED_IMG to allow new imgSrc (comma separated list)
- You can set the environment variable CSP_ALLOWED_CONNECT to allow new connectSrc (comma separated list)
- **server** - The server config object taking the following properties
- _port_ - which port the unleash-server should bind to. If port is omitted or is 0, the operating system will assign an arbitrary unused port. Will be ignored if pipe is specified. This value may also be set via the `HTTP_PORT` environment variable
- _host_ - which host the unleash-server should bind to. If host is omitted, the server will accept connections on the unspecified IPv6 address (::) when IPv6 is available, or the unspecified IPv4 address (0.0.0.0) otherwise. This value may also be set via the `HTTP_HOST` environment variable