Commit 370b1c00 authored by tom's avatar tom

set wildcard for img-src and disable report-only in dev mode

parent 9b51e2a1
import type CspDev from 'csp-dev'; import type CspDev from 'csp-dev';
import appConfig from 'configs/app/config'; import appConfig from 'configs/app/config';
import featuredNetworks from 'lib/networks/featuredNetworks';
import { KEY_WORDS } from '../utils'; import { KEY_WORDS } from '../utils';
...@@ -13,16 +12,6 @@ const MAIN_DOMAINS = [ ...@@ -13,16 +12,6 @@ const MAIN_DOMAINS = [
// eslint-disable-next-line no-restricted-properties // eslint-disable-next-line no-restricted-properties
const REPORT_URI = process.env.SENTRY_CSP_REPORT_URI; const REPORT_URI = process.env.SENTRY_CSP_REPORT_URI;
function getNetworksExternalAssetsHosts() {
const icons = featuredNetworks
.filter(({ icon }) => typeof icon === 'string')
.map(({ icon }) => new URL(icon as string).host);
const logo = appConfig.network.logo ? new URL(appConfig.network.logo).host : undefined;
return logo ? icons.concat(logo) : icons;
}
function getMarketplaceAppsHosts() { function getMarketplaceAppsHosts() {
return { return {
frames: appConfig.marketplaceAppList.map(({ url }) => new URL(url).host), frames: appConfig.marketplaceAppList.map(({ url }) => new URL(url).host),
...@@ -87,23 +76,23 @@ export default function generateAppDescriptor(): CspDev.DirectiveDescriptor { ...@@ -87,23 +76,23 @@ export default function generateAppDescriptor(): CspDev.DirectiveDescriptor {
KEY_WORDS.DATA, KEY_WORDS.DATA,
...MAIN_DOMAINS, ...MAIN_DOMAINS,
// github assets (e.g trustwallet token icons) // we agreed that using wildcard for images is mostly safe
'raw.githubusercontent.com', // why do we have to use it? the main reason is that for NFT and inventory pages we get resources urls from API only on the client
// so they cannot be added to the policy on the server
// auth0 assets and avatars // there could be 3 possible workarounds
's.gravatar.com', // a/ use server side rendering approach, that we don't want to do
'i0.wp.com', 'i1.wp.com', 'i2.wp.com', 'i3.wp.com', // b/ wrap every image/video in iframe with a source to static page for which we enforce certain img-src rule;
'lh3.googleusercontent.com', // google avatars // the downsides is page performance slowdown and code complexity (have to manage click on elements, color mode for
'avatars.githubusercontent.com', // github avatars // embedded page, etc)
// c/ use wildcard for img-src directive; this can lead to some security vulnerabilities but we were unable to find evidence
// network assets // that loose img-src directive alone could cause serious flaws on the site as long as we keep script-src and connect-src strict
...getNetworksExternalAssetsHosts(), //
// feel free to propose alternative solution and fix this
// marketplace apps logos '*',
...marketplaceAppsHosts.logos, ],
// token's media 'media-src': [
'ipfs.io', '*', // see comment for img-src directive
], ],
'font-src': [ 'font-src': [
......
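Review bot: The new comment block above `'*'` in img-src understates what a wildcard still permits: with `img-src *` and `media-src *`, any markup or CSS injection can exfiltrate DOM content through image or media requests to an attacker-controlled host, and a strict script-src does nothing to stop that, so I would add `// NOTE: a wildcard still lets an HTML/CSS injection leak page content via image/media requests to any host` to the comment. If the NFT and inventory URLs the API hands to the client are always https, `'https:'` is a tighter scheme-source than `'*'` that keeps those client-only URLs loadable while refusing plaintext hosts, i.e. `'https:', // any https host; see comment above` in both directives. Note also that `'*'` does not match `data:` or `blob:` sources, so media rendered from blob URLs (if the app ever does that) would still be blocked by the new media-src entry. The enclosing `generateAppDescriptor` function starts before this hunk.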
...@@ -28,7 +28,7 @@ export function middleware(req: NextRequest) { ...@@ -28,7 +28,7 @@ export function middleware(req: NextRequest) {
const end = Date.now(); const end = Date.now();
const res = NextResponse.next(); const res = NextResponse.next();
res.headers.append('Content-Security-Policy-Report-Only', cspPolicy); res.headers.append(appConfig.isDev ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only', cspPolicy);
res.headers.append('Server-Timing', `middleware;dur=${ end - start }`); res.headers.append('Server-Timing', `middleware;dur=${ end - start }`);
return res; return res;
......
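Review bot: The header selection on the `res.headers.append(...)` line ties enforcement to `appConfig.isDev`, so production is permanently report-only and the wildcard policy never blocks anything where it matters, with no way to flip enforcement on without a code change. I would hoist the name into a documented constant, `// enforce in dev to surface breakage early; prod stays report-only until violations are clean` followed by `const cspHeader = appConfig.isDev ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';`, and consider driving it from a dedicated config flag rather than the dev switch. `append` will also stack a second CSP header if one is already set upstream (browsers then enforce the intersection), so `set` is safer unless duplication is intended. The enclosing `middleware` function starts outside this hunk.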