better formatted csp
parent
e02347486f
commit
d51335b630
|
@ -9,6 +9,30 @@ const cspHashOf = (text) => {
|
||||||
return `'sha256-${hash.digest('base64')}'`;
|
return `'sha256-${hash.digest('base64')}'`;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
const convertToCSPString = (csp) => {
|
||||||
|
let cspStr = '';
|
||||||
|
for (const k in csp) {
|
||||||
|
if (Object.prototype.hasOwnProperty.call(csp, k)) {
|
||||||
|
cspStr += `${k} ${csp[k]}; `;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return cspStr;
|
||||||
|
};
|
||||||
|
|
||||||
|
const BASE_CSP_DIRECTIVES = {
|
||||||
|
'default-src': "'none'",
|
||||||
|
'report-uri': 'https://csp-reporter.ente.workers.dev',
|
||||||
|
'report-to': 'https://csp-reporter.ente.workers.dev',
|
||||||
|
'style-src': "'self'",
|
||||||
|
'font-src': "'self'",
|
||||||
|
};
|
||||||
|
|
||||||
|
const DEV_CSP_DIRECTIVES = {
|
||||||
|
'default-src': "'self'",
|
||||||
|
'style-src': "'self' 'unsafe-inline'",
|
||||||
|
'font-src': "'self' data:",
|
||||||
|
};
|
||||||
|
|
||||||
export default class MyDocument extends Document {
|
export default class MyDocument extends Document {
|
||||||
static async getInitialProps(ctx) {
|
static async getInitialProps(ctx) {
|
||||||
const sheet = new ServerStyleSheet();
|
const sheet = new ServerStyleSheet();
|
||||||
|
@ -37,24 +61,31 @@ export default class MyDocument extends Document {
|
||||||
}
|
}
|
||||||
|
|
||||||
render() {
|
render() {
|
||||||
let csp = `default-src 'self'; object-src 'none'; report-uri https://csp-reporter.ente.workers.dev; report-to https://csp-reporter.ente.workers.dev; script-src 'self' ${cspHashOf(
|
let csp = {
|
||||||
NextScript.getInlineScriptSource(this.props)
|
...BASE_CSP_DIRECTIVES,
|
||||||
)}`;
|
'script-src': `'self' ${cspHashOf(
|
||||||
if (process.env.NODE_ENV !== 'production') {
|
|
||||||
csp = `style-src 'self' 'unsafe-inline'; font-src 'self' data:; default-src 'self'; script-src 'unsafe-eval' 'self' ${cspHashOf(
|
|
||||||
NextScript.getInlineScriptSource(this.props)
|
NextScript.getInlineScriptSource(this.props)
|
||||||
)}`;
|
)}`,
|
||||||
|
};
|
||||||
|
if (process.env.NODE_ENV !== 'production') {
|
||||||
|
csp = {
|
||||||
|
...BASE_CSP_DIRECTIVES,
|
||||||
|
...DEV_CSP_DIRECTIVES,
|
||||||
|
'script-src': `'unsafe-eval' 'self' ${cspHashOf(
|
||||||
|
NextScript.getInlineScriptSource(this.props)
|
||||||
|
)}`,
|
||||||
|
};
|
||||||
}
|
}
|
||||||
return (
|
return (
|
||||||
<Html lang="en">
|
<Html lang="en">
|
||||||
<Head>
|
<Head>
|
||||||
<meta
|
<meta
|
||||||
name="description"
|
httpEquiv="Content-Security-Policy-Report-Only"
|
||||||
content="ente is a privacy focussed photo storage service that offers end-to-end encryption."
|
content={convertToCSPString(csp)}
|
||||||
/>
|
/>
|
||||||
<meta
|
<meta
|
||||||
httpEquiv="Content-Security-Policy-Report-Only"
|
name="description"
|
||||||
content={csp}
|
content="ente is a privacy focussed photo storage service that offers end-to-end encryption."
|
||||||
/>
|
/>
|
||||||
<link
|
<link
|
||||||
rel="icon"
|
rel="icon"
|
||||||
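Review bot: The policy assembled from BASE_CSP_DIRECTIVES is still emitted through `<meta httpEquiv="Content-Security-Policy-Report-Only">`, and browsers do not honour a report-only policy delivered by a meta element, nor the `report-uri`/`report-to` directives in any meta-delivered policy, so this commit's reformatted policy is neither enforced nor reported anywhere. The same string needs to go out as a `Content-Security-Policy-Report-Only` HTTP header (for instance from the Next.js `headers()` configuration, if the project's Next.js version supports it) before the reporter endpoint can receive anything. Separately, `report-to` takes the name of a reporting group declared in a `Reporting-Endpoints`/`Report-To` response header rather than a URL, so `'report-to': 'https://csp-reporter.ente.workers.dev'` would be ignored even over HTTP. Changing production from `default-src 'self'` to `default-src 'none'` also means every fetch target, image and frame now needs its own directive (`connect-src`, `img-src`, …) before this can be promoted to an enforcing policy, which is worth a comment next to BASE_CSP_DIRECTIVES. As a style point, the `cspHashOf(NextScript.getInlineScriptSource(this.props))` expression is evaluated in both branches and could be hoisted into a single `const`, and `convertToCSPString` can be written as `Object.entries(csp).map(([k, v]) => k + ' ' + v).join('; ')`; note that `render()` continues past the end of the hunk.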