										 |  |  | import helmet from 'helmet'; | 
					
						
										 |  |  | import { homeLocation } from '../../../config/env'; | 
					
						
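// Dev-server coordinates, used only for the non-production websocket origin.
// `||` (not `??`) is kept on purpose so an empty env var also falls back.
const host = process.env.HOST || 'localhost';
const port = process.env.SYNC_PORT || '3000';

// Origins that every CSP directive in csp() is allowed to load from: the app
// itself, the search backend, the configured home location, the Auth0 tenant
// used for login and, outside production, the local dev servers.
const trusted = [
  "'self'",
  'https://search.freecodecamp.org',
  homeLocation,
  // Only allow-list the Auth0 origin when the domain is actually configured.
  // Plain string concatenation with an unset variable would otherwise put the
  // meaningless source 'https://undefined' into the policy and hide the
  // misconfiguration instead of surfacing it.
  ...(process.env.AUTH0_DOMAIN
    ? [`https://${process.env.AUTH0_DOMAIN}`]
    : []),
  // The dev websocket and the local dev server are never trusted in production.
  ...(process.env.NODE_ENV !== 'production'
    ? [`ws://${host}:${port}`, 'http://localhost:8000']
    : [])
];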
					
						
/**
 * Builds the Content-Security-Policy middleware for the app.
 *
 * Each directive is the shared `trusted` origin list plus the third-party
 * hosts that particular directive needs. Entries are listed in the same order
 * as before; browsers treat a source list as a set, so order does not matter.
 *
 * @returns {Function} Middleware returned by helmet.contentSecurityPolicy.
 */
export default function csp() {
  const directives = {
    defaultSrc: [...trusted, 'https://*.cloudflare.com', '*.cloudflare.com'],
    connectSrc: [
      ...trusted,
      'https://glitch.com',
      'https://*.glitch.com',
      'https://*.glitch.me',
      'https://*.cloudflare.com',
      'https://*.algolia.net'
    ],
    scriptSrc: [
      // NOTE(review): 'unsafe-eval' and 'unsafe-inline' give up the
      // script-injection protection a CSP is meant to provide; they are
      // presumably still needed by inline/eval-based scripts on the site —
      // confirm, and prefer nonces or hashes if they can be dropped.
      "'unsafe-eval'",
      "'unsafe-inline'",
      '*.google-analytics.com',
      '*.gstatic.com',
      'https://*.cloudflare.com',
      '*.cloudflare.com',
      'https://*.gitter.im',
      'https://*.cdnjs.com',
      '*.cdnjs.com',
      'https://*.jsdelivr.com',
      '*.jsdelivr.com',
      '*.twimg.com',
      'https://*.twimg.com',
      '*.youtube.com',
      '*.ytimg.com',
      ...trusted
    ],
    styleSrc: [
      "'unsafe-inline'",
      '*.gstatic.com',
      '*.googleapis.com',
      '*.bootstrapcdn.com',
      'https://*.bootstrapcdn.com',
      '*.cloudflare.com',
      'https://*.cloudflare.com',
      'https://use.fontawesome.com',
      ...trusted
    ],
    fontSrc: [
      '*.cloudflare.com',
      'https://*.cloudflare.com',
      '*.bootstrapcdn.com',
      '*.googleapis.com',
      '*.gstatic.com',
      'https://*.bootstrapcdn.com',
      'https://use.fontawesome.com',
      ...trusted
    ],
    // Any origin plus data: URIs, because public profiles show
    // user-submitted images.
    imgSrc: ['*', 'data:'],
    mediaSrc: ['*.bitly.com', '*.amazonaws.com', '*.twitter.com', ...trusted],
    frameSrc: [
      '*.gitter.im',
      // NOTE(review): this single entry appears to hold two sources; if it
      // reaches the header verbatim it allow-lists every https: origin for
      // frames, not just gitter — confirm that is intended.
      '*.gitter.im https:',
      '*.youtube.com',
      '*.twitter.com',
      '*.ghbtns.com',
      '*.freecatphotoapp.com',
      'freecodecamp.github.io',
      ...trusted
    ]
  };

  return helmet.contentSecurityPolicy({
    directives,
    // false: enforce the policy; true would only report violations.
    reportOnly: false,
    // false: send only the standard header; true would set all headers.
    setAllHeaders: false,
    // false: do not force the buggy CSP implementation in Safari 5.
    safari5: false
  });
}