
Commit 63195dd

committed
Move from report-only to real CSP after testing
1 parent f5c615b commit 63195dd


2 files changed

+55
-13
lines changed


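--- a/Caddyfile
+++ b/Caddyfile
@@ -19,5 +19,6 @@
 header Referrer-Policy "strict-origin"
 header X-Clacks-Overhead "GNU Terry Pratchett" # https://xclacksoverhead.org
 
-import /site/csp.caddyfile # Generated by webpack
+import /site/csp-report.caddyfile # Generated by webpack
+import /site/csp-strict.caddyfile # Generated by webpack
 }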

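--- a/automation/webpack.prod.ts
+++ b/automation/webpack.prod.ts
@@ -25,6 +25,23 @@ console.log(CSP_REPORT_URL
 : `CSP reporting skipped (uri: ${process.env.REPORT_URI}. version: ${process.env.UI_VERSION})`
 );
 
+
+// Output compiled CSP into a Caddy config file, that's later imported by our Caddyfile:
+const processCsp = (type: 'report' | 'strict') => (
+builtPolicy: any,
+_htmlPluginData: any,
+_obj: any,
+compilation: any
+) => {
+const header = `
+header ${
+type === 'strict' ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only'
+} "${builtPolicy}"
+header Reporting-Endpoints \`csp-endpoint="${CSP_REPORT_URL}"\`
+`;
+compilation.emitAsset(`csp-${type}.caddyfile`, new RawSource(header));
+}
+
 export default merge(common, {
 mode: "production",
 
@@ -129,6 +146,8 @@ export default merge(common, {
 }),
 ...(CSP_REPORT_URL
 ? [
+
+// Report-only CSP, covering roughly where we're aiming to be right now:
 new CspHtmlWebpackPlugin({
 'base-uri': "'self'",
 'default-src': "'none'",
@@ -143,6 +162,7 @@ export default merge(common, {
 'script-src': [
 "'report-sample'",
 "'unsafe-eval'", // For both wasm & real eval() uses
+"'wasm-unsafe-eval'",
 "'self'",
 'https://cdn.auth0.com', 'https://cdn.eu.auth0.com', 'https://secure.gravatar.com'
 ],
@@ -164,18 +184,39 @@ export default merge(common, {
 'style-src': false
 },
 // Output CSP into a Caddy config file, that's imported by Caddyfile
-processFn: (
-builtPolicy: any,
-_htmlPluginData: any,
-_obj: any,
-compilation: any
-) => {
-const header = `
-header Content-Security-Policy-Report-Only "${builtPolicy}"
-header Reporting-Endpoints \`csp-endpoint="${CSP_REPORT_URL}"\`
-`;
-compilation.emitAsset('csp.caddyfile', new RawSource(header));
-}
+processFn: processCsp('report')
+} as any),
+// Actually strict CSP, covering what I'm pretty sure tested & known to be
+// safe right now:
+new CspHtmlWebpackPlugin({
+'base-uri': "'self'",
+'default-src': "*",
+'object-src': "'none'",
+'frame-ancestors': "'none'",
+'img-src': "*",
+'font-src': "*",
+'style-src': ["'report-sample'", "*", "'unsafe-inline'"],
+'frame-src': "https://login.httptoolkit.tech",
+'script-src': [
+"'report-sample'",
+"'unsafe-eval'", // For both wasm & real eval() uses
+"'wasm-unsafe-eval'",
+"'self'",
+"*"
+],
+'report-uri': CSP_REPORT_URL,
+'report-to': 'csp-endpoint'
+}, {
+enabled: true,
+hashEnabled: {
+'script-src': true,
+'style-src': false
+},
+nonceEnabled: {
+'script-src': false,
+'style-src': false
+},
+processFn: processCsp('strict')
 } as any)
 ]
 : [])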
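Review bot: The enforced policy labelled "Actually strict CSP" in the last hunk puts `"*"` in `script-src` (and `default-src`), which allows scripts from any origin and makes the `'self'` entry and the `hashEnabled: { 'script-src': true }` hashes irrelevant for origin restriction; what this policy actually enforces is `object-src 'none'`, `frame-ancestors 'none'`, `base-uri 'self'` and the `frame-src` allowlist, and the comment should say so rather than call it strict, e.g. `// Enforced CSP: script/style/img/font sources are still wildcarded; the real restrictions here are object-src, frame-ancestors, base-uri and frame-src. Tighten script-src from the report-only policy once its violation reports are clean.` Related, `'unsafe-eval'` already permits WebAssembly compilation, so `'wasm-unsafe-eval'` only takes effect once `'unsafe-eval'` is dropped; a comment on that line would stop a future reader from removing the wrong one. Since `processCsp` writes `header Reporting-Endpoints ...` into both generated files and the Caddyfile section imports both, the same header line is emitted twice — presumably harmless if Caddy's `header` replaces rather than appends, but worth confirming or moving that line to the Caddyfile itself. Also note `"${builtPolicy}"` is interpolated into a double-quoted Caddyfile string unescaped, which is fine as long as no directive value ever contains a `"`.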
