base policies

a82753c7 · tom · 16a6063a · a82753c7 · a82753c7 · a82753c7
Commit a82753c7 authored Sep 02, 2022 by tom
Hide whitespace changes
Inline Side-by-side

Showing with 96 additions and 0 deletions

getCspPolicy.js configs/nextjs/getCspPolicy.js +76 -0

headers.js configs/nextjs/headers.js +17 -0

next.config.js next.config.js +3 -0

No files found.
--- a/configs/nextjs/getCspPolicy.js
+++ b/configs/nextjs/getCspPolicy.js
+const CONSTS = {
+  BLOB: 'blob:',
+  DATA: 'data:',
+  NONE: '\'none\'',
+  REPORT_SAMPLE: `'report-sample'`,
+  SELF: '\'self\'',
+  STRICT_DYNAMIC: `'strict-dynamic'`,
+  UNSAFE_INLINE: '\'unsafe-inline\'',
+  UNSAFE_EVAL: '\'unsafe-eval\'',
+};
+
+const MAIN_DOMAINS = [ '*.blockscout.com', 'blockscout.com' ];
+
+function makePolicyMap() {
+  return {
+    'default-src': [
+      CONSTS.NONE,
+    ],
+
+    'connect-src': [
+      CONSTS.SELF,
+      'sentry.io', '*.sentry.io', // client error monitoring
+    ],
+
+    'script-src': [
+      CONSTS.SELF,
+      ...MAIN_DOMAINS,
+
+      CONSTS.UNSAFE_INLINE,
+      CONSTS.UNSAFE_EVAL,
+    ],
+
+    'style-src': [
+      CONSTS.SELF,
+      ...MAIN_DOMAINS,
+      'fonts.googleapis.com',
+
+      CONSTS.UNSAFE_INLINE,
+    ],
+
+    'img-src': [
+      CONSTS.SELF,
+      CONSTS.DATA,
+      ...MAIN_DOMAINS,
+      // github avatars
+      'avatars.githubusercontent.com',
+    ],
+
+    'font-src': [
+      CONSTS.SELF,
+      CONSTS.DATA,
+      // google fonts
+      '*.gstatic.com',
+      'fonts.googleapis.com',
+    ],
+  };
+}
+
+function getCspPolicy() {
+  const policyMap = makePolicyMap();
+
+  const policyHeader = Object.entries(policyMap)
+    .map(([ key, value ]) => {
+      if (!value || value.length === 0) {
+        return;
+      }
+
+      return [ key, value.join(' ') ].join(' ');
+    })
+    .filter(Boolean)
+    .join(';');
+
+  return policyHeader;
+}
+
+module.exports = getCspPolicy;
--- a/configs/nextjs/headers.js
+++ b/configs/nextjs/headers.js
+const getCspPolicy = require('./getCspPolicy');
+
+async function headers() {
+  return [
+    {
+      source: '/:path*',
+      headers: [
+        {
+          key: 'Content-Security-Policy',
+          value: getCspPolicy(),
+        },
+      ],
+    },
+  ];
+}
+
+module.exports = headers;
--- a/next.config.js
+++ b/next.config.js
@@ -2,6 +2,8 @@ const { withSentryConfig } = require('@sentry/nextjs');
 const withReactSvg = require('next-react-svg');
 const path = require('path');

+const headers = require('./configs/nextjs/headers');
+
 const moduleExports = {
  include: path.resolve(__dirname, 'icons'),
  reactStrictMode: true,
@@ -17,6 +19,7 @@ const moduleExports = {
      },
    ];
  },
+  headers,
  output: 'standalone',
 };