freeCodeCamp/server/middlewares/csp.js

import helmet from 'helmet';

let trusted = [
  "'self'"
];

const host = process.env.HOST || 'localhost';
const port = process.env.SYNC_PORT || '3000';

if (process.env.NODE_ENV !== 'production') {
  trusted = trusted.concat([
    `ws://${host}:${port}`
  ]);
}

export default function csp() {
  return helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: trusted.concat([
        'https://*.cloudflare.com',
        '*.cloudflare.com',
        'https://*.optimizely.com'
      ]),
      connectSrc: trusted.concat([
        'https://glitch.com',
        'https://*.glitch.com',
        'https://*.glitch.me',
        'https://*.cloudflare.com'
      ]),
      scriptSrc: [
        "'unsafe-eval'",
        "'unsafe-inline'",
        '*.google-analytics.com',
        '*.gstatic.com',
        'https://*.cloudflare.com',
        '*.cloudflare.com',
        'https://*.gitter.im',
        'https://*.cdnjs.com',
        '*.cdnjs.com',
        'https://*.jsdelivr.com',
        '*.jsdelivr.com',
        '*.twimg.com',
        'https://*.twimg.com',
        '*.youtube.com',
        '*.ytimg.com',
        'https://*.optimizely.com'
      ].concat(trusted),
      styleSrc: [
        "'unsafe-inline'",
        '*.gstatic.com',
        '*.googleapis.com',
        '*.bootstrapcdn.com',
        'https://*.bootstrapcdn.com',
        '*.cloudflare.com',
        'https://*.cloudflare.com',
        'https://*.optimizely.com'
      ].concat(trusted),
      fontSrc: [
        '*.cloudflare.com',
        'https://*.cloudflare.com',
        '*.bootstrapcdn.com',
        '*.googleapis.com',
        '*.gstatic.com',
        'https://*.bootstrapcdn.com',
        'https://*.optimizely.com'
      ].concat(trusted),
      imgSrc: [
        // allow all input since we have user submitted images for
        // public profile
        '*',
        'data:'
      ],
      mediaSrc: [
        '*.bitly.com',
        '*.amazonaws.com',
        '*.twitter.com'
      ].concat(trusted),
      frameSrc: [
        '*.gitter.im',
        '*.gitter.im https:',
        '*.youtube.com',
        '*.twitter.com',
        '*.ghbtns.com',
        '*.freecatphotoapp.com',
        'freecodecamp.github.io'
      ].concat(trusted)
    },
    // set to true if you only want to report errors
    reportOnly: false,
    // set to true if you want to set all headers
    setAllHeaders: false,
    // set to true if you want to force buggy CSP in Safari 5
    safari5: false
  });
}
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`import helmet from 'helmet';`

Make structure changes to hikes 2015-12-22 19:33:25 -08:00			`let trusted = [`
Reduce header size This is needed to move to cloudFlare 2015-12-07 15:30:54 -08:00			`"'self'"`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`];`

fix: Update config to be flexible for host 2017-02-22 13:04:21 +00:00			`const host = process.env.HOST \|\| 'localhost';`
fix(csp): ws connection during dev uses SYNC_PORT only (#14483) 2017-04-21 03:51:55 -07:00			`const port = process.env.SYNC_PORT \|\| '3000';`
fix: Update config to be flexible for host 2017-02-22 13:04:21 +00:00
Make structure changes to hikes 2015-12-22 19:33:25 -08:00			`if (process.env.NODE_ENV !== 'production') {`
Add webpack cold reloading On changes to the react bundle webpack will store the current redux state in localStorage, waits (to allow the server to restart) then refreshes the page. On page load, it checks if it has state stored and loads it into the app. 2016-03-14 17:22:56 -07:00			`trusted = trusted.concat([`
fix: Update config to be flexible for host 2017-02-22 13:04:21 +00:00			`ws://${host}:${port}`
Add webpack cold reloading On changes to the react bundle webpack will store the current redux state in localStorage, waits (to allow the server to restart) then refreshes the page. On page load, it checks if it has state stored and loads it into the app. 2016-03-14 17:22:56 -07:00			`]);`
Make structure changes to hikes 2015-12-22 19:33:25 -08:00			`}`

use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`export default function csp() {`
helmet.csp -> helmet.contentSecurityPolicy Also updated frameguard 2016-05-03 11:32:28 -07:00			`return helmet.contentSecurityPolicy({`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`directives: {`
Feature(challenges): Load and cache required files 2016-07-28 20:01:17 -07:00			`defaultSrc: trusted.concat([`
			`'https://*.cloudflare.com',`
fix optimizely csp for script-src 2016-10-25 23:59:25 +07:00			`'*.cloudflare.com',`
			`'https://*.optimizely.com'`
Feature(challenges): Load and cache required files 2016-07-28 20:01:17 -07:00			`]),`
feat(challenges): add backend challenge infrastructure (#11058) * Feat: Initial backend view * Feat: Refactor frame runner * Feat: backend challenge submit runs tests * Feat: Backend challenge request * Feat: Whitelist hyperdev in csp * Fix: Use app tests instead of challenge tests * Feat: Allow hyperdev subdomains * Fix(csp): allow hypderdev.space subdomains * feat(challenge): submit backend * feat: Add timeout to test runner (5 sec) * chore(seed): Add more to test backend * fix(csp): s/hyperdev/gomix/g * fix(app): fix code mirror skeleton filepath * fix(app): remove Gitter saga import * fix(app): codemirrorskeleton does not need it's own folder fix(app): cmk needs to work with Null types * fix: No longer restart the browser when challenges change * fix(app): Update jquery for challenges * fix(seed): Remove to promise jquery call * fix(lint): Undo merge error undefined is no allowed * fix(app): linting errors due to bad merge * fix(seed): Remove old seed file 2017-01-26 21:07:22 -08:00			`connectSrc: trusted.concat([`
Fix: replace all GoMix with Glitch 2017-03-23 22:26:45 -04:00			`'https://glitch.com',`
			`'https://*.glitch.com',`
			`'https://*.glitch.me',`
feat(challenges): add backend challenge infrastructure (#11058) * Feat: Initial backend view * Feat: Refactor frame runner * Feat: backend challenge submit runs tests * Feat: Backend challenge request * Feat: Whitelist hyperdev in csp * Fix: Use app tests instead of challenge tests * Feat: Allow hyperdev subdomains * Fix(csp): allow hypderdev.space subdomains * feat(challenge): submit backend * feat: Add timeout to test runner (5 sec) * chore(seed): Add more to test backend * fix(csp): s/hyperdev/gomix/g * fix(app): fix code mirror skeleton filepath * fix(app): remove Gitter saga import * fix(app): codemirrorskeleton does not need it's own folder fix(app): cmk needs to work with Null types * fix: No longer restart the browser when challenges change * fix(app): Update jquery for challenges * fix(seed): Remove to promise jquery call * fix(lint): Undo merge error undefined is no allowed * fix(app): linting errors due to bad merge * fix(seed): Remove old seed file 2017-01-26 21:07:22 -08:00			`'https://*.cloudflare.com'`
			`]),`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`scriptSrc: [`
			`"'unsafe-eval'",`
			`"'unsafe-inline'",`
			`'*.google-analytics.com',`
			`'*.gstatic.com',`
			`'https://*.cloudflare.com',`
			`'*.cloudflare.com',`
			`'https://*.gitter.im',`
			`'https://*.cdnjs.com',`
			`'*.cdnjs.com',`
			`'https://*.jsdelivr.com',`
			`'*.jsdelivr.com',`
			`'*.twimg.com',`
			`'https://*.twimg.com',`
Switch react lecture component to youtube 2016-05-04 10:30:47 -07:00			`'*.youtube.com',`
fix optimizely csp for script-src 2016-10-25 23:59:25 +07:00			`'*.ytimg.com',`
			`'https://*.optimizely.com'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted),`
			`styleSrc: [`
			`"'unsafe-inline'",`
			`'*.gstatic.com',`
			`'*.googleapis.com',`
			`'*.bootstrapcdn.com',`
			`'https://*.bootstrapcdn.com',`
			`'*.cloudflare.com',`
fix optimizely csp for script-src 2016-10-25 23:59:25 +07:00			`'https://*.cloudflare.com',`
			`'https://*.optimizely.com'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted),`
			`fontSrc: [`
			`'*.cloudflare.com',`
			`'https://*.cloudflare.com',`
			`'*.bootstrapcdn.com',`
			`'*.googleapis.com',`
			`'*.gstatic.com',`
fix optimizely csp for script-src 2016-10-25 23:59:25 +07:00			`'https://*.bootstrapcdn.com',`
			`'https://*.optimizely.com'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted),`
			`imgSrc: [`
			`// allow all input since we have user submitted images for`
			`// public profile`
			`'*',`
			`'data:'`
			`],`
			`mediaSrc: [`
			`'*.bitly.com',`
			`'*.amazonaws.com',`
			`'*.twitter.com'`
			`].concat(trusted),`
			`frameSrc: [`
			`'*.gitter.im',`
			`'*.gitter.im https:',`
Update CSP to remove vimeo and add youtube 2016-04-19 00:23:27 -07:00			`'*.youtube.com',`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`'*.twitter.com',`
			`'*.ghbtns.com',`
adding wiki as detached and integrating into .less folder 2016-02-09 23:22:42 -05:00			`'*.freecatphotoapp.com',`
Lint pass 2016-02-13 21:26:59 -05:00			`'freecodecamp.github.io'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted)`
			`},`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`// set to true if you only want to report errors`
			`reportOnly: false,`
			`// set to true if you want to set all headers`
			`setAllHeaders: false,`
			`// set to true if you want to force buggy CSP in Safari 5`
			`safari5: false`
			`});`
			`}`