freeCodeCamp/api-server/server/middlewares/csp.js

import helmet from 'helmet';

import { homeLocation } from '../../../config/env';

let trusted = [
  "'self'",
  'https://search.freecodecamp.org',
  homeLocation,
  'https://' + process.env.AUTH0_DOMAIN
];

const host = process.env.HOST || 'localhost';
const port = process.env.SYNC_PORT || '3000';

if (process.env.FREECODECAMP_NODE_ENV !== 'production') {
  trusted = trusted.concat([`ws://${host}:${port}`, 'http://localhost:8000']);
}

export default function csp() {
  return helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: trusted.concat([
        'https://*.cloudflare.com',
        '*.cloudflare.com'
      ]),
      connectSrc: trusted.concat([
        'https://glitch.com',
        'https://*.glitch.com',
        'https://*.glitch.me',
        'https://*.cloudflare.com',
        'https://*.algolia.net'
      ]),
      scriptSrc: [
        "'unsafe-eval'",
        "'unsafe-inline'",
        '*.google-analytics.com',
        '*.gstatic.com',
        'https://*.cloudflare.com',
        '*.cloudflare.com',
        'https://*.gitter.im',
        'https://*.cdnjs.com',
        '*.cdnjs.com',
        'https://*.jsdelivr.com',
        '*.jsdelivr.com',
        '*.twimg.com',
        'https://*.twimg.com',
        '*.youtube.com',
        '*.ytimg.com'
      ].concat(trusted),
      styleSrc: [
        "'unsafe-inline'",
        '*.gstatic.com',
        '*.googleapis.com',
        '*.bootstrapcdn.com',
        'https://*.bootstrapcdn.com',
        '*.cloudflare.com',
        'https://*.cloudflare.com',
        'https://use.fontawesome.com'
      ].concat(trusted),
      fontSrc: [
        '*.cloudflare.com',
        'https://*.cloudflare.com',
        '*.bootstrapcdn.com',
        '*.googleapis.com',
        '*.gstatic.com',
        'https://*.bootstrapcdn.com',
        'https://use.fontawesome.com'
      ].concat(trusted),
      imgSrc: [
        // allow all input since we have user submitted images for
        // public profile
        '*',
        'data:'
      ],
      mediaSrc: ['*.bitly.com', '*.amazonaws.com', '*.twitter.com'].concat(
        trusted
      ),
      frameSrc: [
        '*.gitter.im',
        '*.gitter.im https:',
        '*.youtube.com',
        '*.twitter.com',
        '*.ghbtns.com',
        '*.freecatphotoapp.com',
        'freecodecamp.github.io'
      ].concat(trusted)
    },
    // set to true if you only want to report errors
    reportOnly: false,
    // set to true if you want to set all headers
    setAllHeaders: false,
    // set to true if you want to force buggy CSP in Safari 5
    safari5: false
  });
}
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`import helmet from 'helmet';`

fix(description): Adjust for new description format 2018-10-05 10:17:34 +01:00			`import { homeLocation } from '../../../config/env';`

Make structure changes to hikes 2015-12-22 19:33:25 -08:00			`let trusted = [`
feat: Use prettier-eslint to format code 2019-02-18 19:32:49 +00:00			`"'self'",`
feat(opbeat): Enable opbeat-react for frontend performance tracking 2018-03-07 15:04:42 +00:00			`'https://search.freecodecamp.org',`
fix(description): Adjust for new description format 2018-10-05 10:17:34 +01:00			`homeLocation,`
fix(auth): Remove deprecated views and routes 2018-06-28 15:02:22 +05:30			`'https://' + process.env.AUTH0_DOMAIN`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`];`

fix: Update config to be flexible for host 2017-02-22 13:04:21 +00:00			`const host = process.env.HOST \|\| 'localhost';`
fix(csp): ws connection during dev uses SYNC_PORT only (#14483) 2017-04-21 03:51:55 -07:00			`const port = process.env.SYNC_PORT \|\| '3000';`
fix: Update config to be flexible for host 2017-02-22 13:04:21 +00:00
fix: NODE_ENV conflicts on pipelines 2019-08-19 01:19:40 +05:30			`if (process.env.FREECODECAMP_NODE_ENV !== 'production') {`
fix(description): Adjust for new description format 2018-10-05 10:17:34 +01:00			trusted = trusted.concat([`ws://${host}:${port}`, 'http://localhost:8000']);
Make structure changes to hikes 2015-12-22 19:33:25 -08:00			`}`

use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`export default function csp() {`
helmet.csp -> helmet.contentSecurityPolicy Also updated frameguard 2016-05-03 11:32:28 -07:00			`return helmet.contentSecurityPolicy({`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`directives: {`
Feature(challenges): Load and cache required files 2016-07-28 20:01:17 -07:00			`defaultSrc: trusted.concat([`
			`'https://*.cloudflare.com',`
fix(csp): Update policy for FA and remove optimizely 2018-06-28 21:01:29 +05:30			`'*.cloudflare.com'`
Feature(challenges): Load and cache required files 2016-07-28 20:01:17 -07:00			`]),`
feat(challenges): add backend challenge infrastructure (#11058) * Feat: Initial backend view * Feat: Refactor frame runner * Feat: backend challenge submit runs tests * Feat: Backend challenge request * Feat: Whitelist hyperdev in csp * Fix: Use app tests instead of challenge tests * Feat: Allow hyperdev subdomains * Fix(csp): allow hypderdev.space subdomains * feat(challenge): submit backend * feat: Add timeout to test runner (5 sec) * chore(seed): Add more to test backend * fix(csp): s/hyperdev/gomix/g * fix(app): fix code mirror skeleton filepath * fix(app): remove Gitter saga import * fix(app): codemirrorskeleton does not need it's own folder fix(app): cmk needs to work with Null types * fix: No longer restart the browser when challenges change * fix(app): Update jquery for challenges * fix(seed): Remove to promise jquery call * fix(lint): Undo merge error undefined is no allowed * fix(app): linting errors due to bad merge * fix(seed): Remove old seed file 2017-01-26 21:07:22 -08:00			`connectSrc: trusted.concat([`
Fix: replace all GoMix with Glitch 2017-03-23 22:26:45 -04:00			`'https://glitch.com',`
			`'https://*.glitch.com',`
			`'https://*.glitch.me',`
fix: url and CSP for deps 2018-08-15 15:02:41 +05:30			`'https://*.cloudflare.com',`
			`'https://*.algolia.net'`
feat(challenges): add backend challenge infrastructure (#11058) * Feat: Initial backend view * Feat: Refactor frame runner * Feat: backend challenge submit runs tests * Feat: Backend challenge request * Feat: Whitelist hyperdev in csp * Fix: Use app tests instead of challenge tests * Feat: Allow hyperdev subdomains * Fix(csp): allow hypderdev.space subdomains * feat(challenge): submit backend * feat: Add timeout to test runner (5 sec) * chore(seed): Add more to test backend * fix(csp): s/hyperdev/gomix/g * fix(app): fix code mirror skeleton filepath * fix(app): remove Gitter saga import * fix(app): codemirrorskeleton does not need it's own folder fix(app): cmk needs to work with Null types * fix: No longer restart the browser when challenges change * fix(app): Update jquery for challenges * fix(seed): Remove to promise jquery call * fix(lint): Undo merge error undefined is no allowed * fix(app): linting errors due to bad merge * fix(seed): Remove old seed file 2017-01-26 21:07:22 -08:00			`]),`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`scriptSrc: [`
feat: Use prettier-eslint to format code 2019-02-18 19:32:49 +00:00			`"'unsafe-eval'",`
			`"'unsafe-inline'",`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`'*.google-analytics.com',`
			`'*.gstatic.com',`
			`'https://*.cloudflare.com',`
			`'*.cloudflare.com',`
			`'https://*.gitter.im',`
			`'https://*.cdnjs.com',`
			`'*.cdnjs.com',`
			`'https://*.jsdelivr.com',`
			`'*.jsdelivr.com',`
			`'*.twimg.com',`
			`'https://*.twimg.com',`
Switch react lecture component to youtube 2016-05-04 10:30:47 -07:00			`'*.youtube.com',`
fix(csp): Update policy for FA and remove optimizely 2018-06-28 21:01:29 +05:30			`'*.ytimg.com'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted),`
			`styleSrc: [`
feat: Use prettier-eslint to format code 2019-02-18 19:32:49 +00:00			`"'unsafe-inline'",`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`'*.gstatic.com',`
			`'*.googleapis.com',`
			`'*.bootstrapcdn.com',`
			`'https://*.bootstrapcdn.com',`
			`'*.cloudflare.com',`
fix optimizely csp for script-src 2016-10-25 23:59:25 +07:00			`'https://*.cloudflare.com',`
fix(csp): Add fontaesome.com to trusted styleSrc 2018-07-31 16:25:03 +01:00			`'https://use.fontawesome.com'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted),`
			`fontSrc: [`
			`'*.cloudflare.com',`
			`'https://*.cloudflare.com',`
			`'*.bootstrapcdn.com',`
			`'*.googleapis.com',`
			`'*.gstatic.com',`
fix: url and CSP for deps 2018-08-15 15:02:41 +05:30			`'https://*.bootstrapcdn.com',`
			`'https://use.fontawesome.com'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted),`
			`imgSrc: [`
			`// allow all input since we have user submitted images for`
			`// public profile`
			`'*',`
			`'data:'`
			`],`
fix(description): Adjust for new description format 2018-10-05 10:17:34 +01:00			`mediaSrc: ['.bitly.com', '.amazonaws.com', '*.twitter.com'].concat(`
			`trusted`
			`),`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`frameSrc: [`
			`'*.gitter.im',`
			`'*.gitter.im https:',`
Update CSP to remove vimeo and add youtube 2016-04-19 00:23:27 -07:00			`'*.youtube.com',`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`'*.twitter.com',`
			`'*.ghbtns.com',`
adding wiki as detached and integrating into .less folder 2016-02-09 23:22:42 -05:00			`'*.freecatphotoapp.com',`
Lint pass 2016-02-13 21:26:59 -05:00			`'freecodecamp.github.io'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted)`
			`},`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`// set to true if you only want to report errors`
			`reportOnly: false,`
			`// set to true if you want to set all headers`
			`setAllHeaders: false,`
			`// set to true if you want to force buggy CSP in Safari 5`
			`safari5: false`
			`});`
			`}`