Add strict CSP
Part of #296.
domenic committed Nov 2, 2022
1 parent 46509ab commit 2382866
Showing 4 changed files with 15 additions and 2 deletions.
2 changes: 2 additions & 0 deletions lib/app.js
Expand Up @@ -8,6 +8,7 @@ const handlebars = require("handlebars");
const httpGracefulShutdown = require("http-graceful-shutdown");
const routes = require("./routes.js");

const csp = require("./server-infra/csp.js");
const errorHandler = require("./server-infra/error-handler.js");
const handlebarsSectionHelper = require("./server-infra/handlebars-section-helper.js");
const headers = require("./server-infra/headers.js");
Expand All @@ -29,6 +30,7 @@ app
section: handlebarsSectionHelper
}
}))
.use(csp)
.use(errorHandler)
.use(headers)
.use(router.routes())
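--- /dev/null
+++ b/lib/server-infra/csp.js
@@ -0,0 +1,11 @@
+"use strict";
+const { randomUUID } = require("crypto");
+
+module.exports = async (ctx, next) => {
+const nonce = randomUUID();
+ctx.state.cspNonce = nonce;
+
+ctx.set("Content-Security-Policy", `object-src 'none'; script-src 'nonce-${nonce}'; base-uri 'none';`);
+
+await next();
+};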
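Review bot: The policy on the `ctx.set` line omits `'strict-dynamic'`, so any `<script>` element that a nonced inline script inserts at runtime is blocked; the strict-CSP recipe the commit title points at is `script-src 'nonce-…' 'strict-dynamic'`, and whether the templates ever inject scripts is not visible here, so this may be intentional but is worth confirming. The module also gives no hint of the nonce hand-off it relies on; a header comment such as `// Per-response CSP nonce. Templates must render inline <script> tags with nonce="{{@koa.state.cspNonce}}", otherwise the browser silently refuses to run them.` would save the next person who adds an inline script from debugging a console-only violation. Consider a `report-to` (or `report-uri`) directive, if a collection endpoint exists, so production violations are observable rather than only logged in the browser console.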
2 changes: 1 addition & 1 deletion views/agreement-status.hbs
Expand Up @@ -98,7 +98,7 @@ label.disabled-control {
<output id="result"></output>
</form>

<script>
<script nonce="{{@koa.state.cspNonce}}">
"use strict";
(() => {
const form = document.querySelector("#refresh-pr");
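Review bot: The nonce on the `<script nonce="{{@koa.state.cspNonce}}">` line covers this block, but a nonce-only `script-src` also blocks inline event-handler attributes (`onclick=`, `onsubmit=`) and `javascript:` URLs, which cannot carry a nonce. The visible lines show none, yet any such attributes elsewhere in this template or in views/agreement.hbs (the other template changed by this commit) would stop working and need to be moved into the nonced script via `addEventListener`. The script body continues outside the hunk.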
2 changes: 1 addition & 1 deletion views/agreement.hbs
Expand Up @@ -298,7 +298,7 @@ input[type="submit"] {
</div>
</details>

<script>
<script nonce="{{@koa.state.cspNonce}}">
"use strict";
(() => {
// Synchronize Scope options
