rewrite

155948f3 · tom · a82753c7 · 155948f3 · 155948f3 · 155948f3
Commit 155948f3 authored Sep 05, 2022 by tom
Show whitespace changes
Inline Side-by-side

Showing with 117 additions and 7 deletions

headers.js configs/nextjs/headers.js +7 -4

getCspPolicy.ts lib/csp/getCspPolicy.ts +103 -0

isDev.ts lib/isDev.ts +3 -0

_document.tsx pages/_document.tsx +4 -3

No files found.
--- a/configs/nextjs/headers.js
+++ b/configs/nextjs/headers.js
-const getCspPolicy = require('./getCspPolicy');
 async function headers() {
  return [
    {
      source: '/:path*',
      headers: [
+        // security headers from here - https://nextjs.org/docs/advanced-features/security-headers
+        {
+          key: 'X-Frame-Options',
+          value: 'SAMEORIGIN',
+        },
        {
-          key: 'Content-Security-Policy',
+          key: 'X-Content-Type-Options',
-          value: getCspPolicy(),
+          value: 'nosniff',
        },
      ],
    },

--- a/configs/nextjs/getCspPolicy.js
+++ b/configs/nextjs/getCspPolicy.js
-const CONSTS = {
+import isDev from 'lib/isDev';
-  BLOB: 'blob:',
-  DATA: 'data:',
+enum KEY_WORDS {
-  NONE: '\'none\'',
+  BLOB = 'blob:',
-  REPORT_SAMPLE: `'report-sample'`,
+  DATA = 'data:',
-  SELF: '\'self\'',
+  NONE = '\'none\'',
-  STRICT_DYNAMIC: `'strict-dynamic'`,
+  REPORT_SAMPLE = `'report-sample'`,
-  UNSAFE_INLINE: '\'unsafe-inline\'',
+  SELF = '\'self\'',
-  UNSAFE_EVAL: '\'unsafe-eval\'',
+  STRICT_DYNAMIC = `'strict-dynamic'`,
-};
+  UNSAFE_INLINE = '\'unsafe-inline\'',
+  UNSAFE_EVAL = '\'unsafe-eval\'',
+}
 const MAIN_DOMAINS = [ '*.blockscout.com', 'blockscout.com' ];
 function makePolicyMap() {
  return {
    'default-src': [
-      CONSTS.NONE,
+      KEY_WORDS.NONE,
    ],
    'connect-src': [
-      CONSTS.SELF,
+      KEY_WORDS.SELF,
-      'sentry.io', '*.sentry.io', // client error monitoring
+      // webpack hmr in safari doesn't recognize localhost 'self' for some reason
+      isDev() ? 'ws://localhost:3000/_next/webpack-hmr' : '',
+      // client error monitoring
+      'sentry.io', '*.sentry.io',
    ],
    'script-src': [
-      CONSTS.SELF,
+      KEY_WORDS.SELF,
+      // next.js generates and rebuilds source maps in dev using eval()
+      // https://github.com/vercel/next.js/issues/14221#issuecomment-657258278
+      isDev() ? KEY_WORDS.UNSAFE_EVAL : '',
      ...MAIN_DOMAINS,
-      CONSTS.UNSAFE_INLINE,
+      // hash of ColorModeScript
-      CONSTS.UNSAFE_EVAL,
+      '\'sha256-e7MRMmTzLsLQvIy1iizO1lXf7VWYoQ6ysj5fuUzvRwE=\'',
    ],
    'style-src': [
-      CONSTS.SELF,
+      KEY_WORDS.SELF,
      ...MAIN_DOMAINS,
+      // google fonts
      'fonts.googleapis.com',
-      CONSTS.UNSAFE_INLINE,
+      // yes, it is unsafe as it stands, but
+      // - we cannot use hashes because all styles are generated dynamically
+      // - we cannot use nonces since we are not following along SSR path
+      // - and still there is very small damage that can be cause by CSS-based XSS-attacks
+      // so we hope we are fine here till the first major incident :)
+      KEY_WORDS.UNSAFE_INLINE,
    ],
    'img-src': [
-      CONSTS.SELF,
+      KEY_WORDS.SELF,
-      CONSTS.DATA,
+      KEY_WORDS.DATA,
      ...MAIN_DOMAINS,
      // github avatars
      'avatars.githubusercontent.com',
    ],
    'font-src': [
-      CONSTS.SELF,
+      KEY_WORDS.DATA,
-      CONSTS.DATA,
      // google fonts
      '*.gstatic.com',
      'fonts.googleapis.com',
    ],
+    'object-src': [
+      KEY_WORDS.NONE,
+    ],
+    'base-uri': [
+      KEY_WORDS.NONE,
+    ],
  };
 }
-function getCspPolicy() {
+export default function getCspPolicy() {
  const policyMap = makePolicyMap();
  const policyHeader = Object.entries(policyMap)
@@ -72,5 +101,3 @@ function getCspPolicy() {
  return policyHeader;
 }
-module.exports = getCspPolicy;
--- a/lib/isDev.ts
+++ b/lib/isDev.ts
+export default function isDev() {
+  return process.env.NODE_ENV === 'development';
+}
--- a/pages/_document.tsx
+++ b/pages/_document.tsx
@@ -2,6 +2,7 @@ import { ColorModeScript } from '@chakra-ui/react';
 import Document, { Html, Head, Main, NextScript } from 'next/document';
 import React from 'react';
+import getCspPolicy from 'lib/csp/getCspPolicy';
 import theme from 'theme';
 class MyDocument extends Document {
@@ -13,9 +14,9 @@ class MyDocument extends Document {
            href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&display=swap"
            rel="stylesheet"
          />
-          <link
+          <meta
-            href="https://fonts.googleapis.com/css2?family=Raleway:ital,wght@0,500;0,600;1,400&display=swap"
+            httpEquiv="Content-Security-Policy"
-            rel="stylesheet"
+            content={ getCspPolicy() }
          />
        </Head>
        <body>