2373dab221
Tested by: making this change, and connecting to Phoenix museum (which serves the secondary hot storage), and verifying that the CSP policy reports that were getting logged to console no longer appear.
58 lines
1.9 KiB
JavaScript
58 lines
1.9 KiB
JavaScript
const cp = require('child_process');
|
|
const { getIsSentryEnabled } = require('./sentryConfigUtil');
|
|
|
|
module.exports = {
|
|
COOP_COEP_HEADERS: {
|
|
'Cross-Origin-Opener-Policy': 'same-origin',
|
|
'Cross-Origin-Embedder-Policy': 'require-corp',
|
|
},
|
|
|
|
WEB_SECURITY_HEADERS: {
|
|
'Strict-Transport-Security': ' max-age=63072000',
|
|
'X-Content-Type-Options': 'nosniff',
|
|
'X-Download-Options': 'noopen',
|
|
'X-Frame-Options': 'deny',
|
|
'X-XSS-Protection': '1; mode=block',
|
|
'Referrer-Policy': 'same-origin',
|
|
},
|
|
|
|
CSP_DIRECTIVES: {
|
|
// self is safe enough
|
|
'default-src': "'self'",
|
|
// data to allow two factor qr code
|
|
'img-src': "'self' blob: data:",
|
|
'media-src': "'self' blob:",
|
|
'manifest-src': "'self'",
|
|
'style-src': "'self' 'unsafe-inline'",
|
|
'font-src ': "'self'; script-src 'self' 'unsafe-eval' blob:",
|
|
'connect-src':
|
|
"'self' https://*.ente.io http://localhost:8080 data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com https://ente-prod-v3.s3.eu-central-2.wasabisys.com/",
|
|
'base-uri ': "'self'",
|
|
// to allow worker
|
|
'child-src': "'self' blob:",
|
|
'object-src': "'none'",
|
|
'frame-ancestors': " 'none'",
|
|
'form-action': "'none'",
|
|
'report-uri': ' https://csp-reporter.ente.io/local',
|
|
'report-to': ' https://csp-reporter.ente.io/local',
|
|
},
|
|
|
|
ALL_ROUTES: '/(.*)',
|
|
|
|
buildCSPHeader: (directives) => ({
|
|
'Content-Security-Policy-Report-Only': Object.entries(
|
|
directives
|
|
).reduce((acc, [key, value]) => acc + `${key} ${value};`, ''),
|
|
}),
|
|
|
|
convertToNextHeaderFormat: (headers) =>
|
|
Object.entries(headers).map(([key, value]) => ({ key, value })),
|
|
|
|
getGitSha: () =>
|
|
cp.execSync('git rev-parse --short HEAD', {
|
|
cwd: __dirname,
|
|
encoding: 'utf8',
|
|
}),
|
|
getIsSentryEnabled: getIsSentryEnabled,
|
|
};
|