From 9822cc67f94d4cea3f6deac631ea13b4ba921c42 Mon Sep 17 00:00:00 2001
From: Berkeley Martinez
Date: Mon, 7 Dec 2015 15:30:54 -0800
Subject: [PATCH 1/2] Reduce header size
This is needed to move to cloudFlare
---
 server/middlewares/csp.js | 90 +++++++++++++-------------------------
 1 file changed, 29 insertions(+), 61 deletions(-)
diff --git a/server/middlewares/csp.js b/server/middlewares/csp.js
index 391f9bb450..83e3562448 100644
--- a/server/middlewares/csp.js
+++ b/server/middlewares/csp.js
@@ -1,87 +1,55 @@
 import helmet from 'helmet';
 const trusted = [
- "'self'",
- 'blob:',
- '104.236.218.15',
- '*.freecodecamp.com',
- 'http://www.freecodecamp.com',
- 'http://freecodecamp.com',
- 'https://www.freecodecamp.com',
- 'https://freecodecamp.com',
- 'https://freecodecamp.org',
- '*.freecodecamp.org',
- // NOTE(berks): add the following as the blob above was not covering www
- 'http://www.freecodecamp.org',
- 'ws://freecodecamp.com/',
- 'ws://www.freecodecamp.com/',
- '*.gstatic.com',
- '*.google-analytics.com',
- '*.googleapis.com',
- '*.google.com',
- '*.gstatic.com',
- '*.doubleclick.net',
- '*.twitter.com',
- '*.twitch.tv',
- '*.twimg.com',
- "'unsafe-eval'",
- "'unsafe-inline'",
- '*.bootstrapcdn.com',
- '*.cloudflare.com',
- 'https://*.cloudflare.com',
- 'localhost:3001',
- 'ws://localhost:3001/',
- 'http://localhost:3001',
- 'localhost:3000',
- 'ws://localhost:3000/',
- 'http://localhost:3000',
- '*.ionicframework.com',
- 'https://syndication.twitter.com',
- '*.youtube.com',
- '*.jsdelivr.net',
- 'https://*.jsdelivr.net',
- '*.ytimg.com',
- '*.bitly.com',
- 'http://cdn.inspectlet.com/',
- 'https://cdn.inspeclet.com/',
- 'wss://inspectletws.herokuapp.com/',
- 'http://hn.inspectlet.com/',
- '*.googleapis.com',
- '*.gstatic.com',
- 'https://hn.inspectlet.com/',
- 'https://*.github.com'
+ "'self'"
 ];
 export default function csp() {
 return helmet.csp({
 defaultSrc: trusted,
 scriptSrc: [
+ "'unsafe-eval'",
+ "'unsafe-inline'",
+ '*.google-analytics.com',
+ '*.gstatic.com',
+ 'https://*.cloudflare.com',
+ '*.cloudflare.com',
 'https://*.gitter.im',
- '*.optimizely.com',
- '*.aspnetcdn.com',
- '*.d3js.org',
- 'https://cdn.inspectlet.com/inspectlet.js',
- 'http://cdn.inspectlet.com/inspectlet.js',
- 'http://beta.freecodecamp.com'
+ 'https://*.cdnjs.com',
+ '*.cdnjs.com',
+ 'https://*.jsdelivr.com',
+ '*.jsdelivr.com',
+ '*.twimg.com',
+ 'https://*.twimg.com'
 ].concat(trusted),
 'connect-src': [
 'vimeo.com'
 ].concat(trusted),
 styleSrc: [
+ "'unsafe-inline'",
+ '*.gstatic.com',
 '*.googleapis.com',
- '*.gstatic.com'
+ '*.bootstrapcdn.com',
+ 'https://*.bootstrapcdn.com',
+ '*.cloudflare.com',
+ 'https://*.cloudflare.com'
+ ].concat(trusted),
+ fontSrc: [
+ '*.cloudflare.com',
+ 'https://*.cloudflare.com',
+ '*.bootstrapcdn.com',
+ '*.googleapis.com',
+ '*.gstatic.com',
+ 'https://*.bootstrapcdn.com'
 ].concat(trusted),
 imgSrc: [
 // allow all input since we have user submitted images for
 // public profile
 '*',
 'data:'
- ].concat(trusted),
- fontSrc: [
- '*.googleapis.com',
- '*.gstatic.com'
- ].concat(trusted),
+ ],
 mediaSrc: [
+ '*.bitly.com',
 '*.amazonaws.com',
 '*.twitter.com'
 ].concat(trusted),
From 0f75aa3b882e07a05a29e5bcf692038a364207b8 Mon Sep 17 00:00:00 2001
From: Berkeley Martinez
Date: Wed, 9 Dec 2015 11:02:06 -0800
Subject: [PATCH 2/2] Add freecatphotoapp to csp
---
 server/middlewares/csp.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/server/middlewares/csp.js b/server/middlewares/csp.js
index 83e3562448..80b41e5fbe 100644
--- a/server/middlewares/csp.js
+++ b/server/middlewares/csp.js
@@ -22,7 +22,7 @@ export default function csp() {
 '*.twimg.com',
 'https://*.twimg.com'
 ].concat(trusted),
- 'connect-src': [
+ connectSrc: [
 'vimeo.com'
 ].concat(trusted),
 styleSrc: [
@@ -58,7 +58,8 @@ export default function csp() {
 '*.gitter.im https:',
 '*.vimeo.com',
 '*.twitter.com',
- '*.ghbtns.com'
+ '*.ghbtns.com',
+ '*.freecatphotoapp.com'
 ].concat(trusted),
 // set to true if you only want to report errors
 reportOnly: false,
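Review bot: The new scriptSrc list keeps `"'unsafe-eval'"` and `"'unsafe-inline'"` (previously inherited through `trusted`), so any inline or eval'd script is still permitted and the host allow-list that follows adds little protection against injected script; a comment naming what still needs them, e.g. `// 'unsafe-inline'/'unsafe-eval' still required by <component> — drop once it is gone`, would keep that debt visible. Since the commit's goal is a smaller header, note that a scheme-less host source such as `'*.cloudflare.com'` already matches https (and http as well when the page itself is served over http), so the paired `'https://*.cloudflare.com'`, `'https://*.cdnjs.com'`, `'https://*.jsdelivr.com'`, `'https://*.twimg.com'` and `'https://*.bootstrapcdn.com'` entries in scriptSrc, styleSrc and fontSrc are redundant bytes. The removed `trusted` list allowed `'*.jsdelivr.net'` while the new scriptSrc allows `'*.jsdelivr.com'`; worth confirming which host the pages actually load scripts from before this ships.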
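Review bot: `'*.freecatphotoapp.com'` is added to a list whose first entry, `'*.gitter.im https:'`, already carries a bare `https:` scheme source once helmet joins the sources with spaces, so every https origin is presumably already permitted by this directive and the new host only matters for plain-http loads. If that is the intent, a comment such as `// freecatphotoapp is loaded over plain http` would record it; otherwise the fused `https:` token looks accidental and splitting it into its own deliberate entry would make the allow-list readable. The directive this list belongs to is named above the hunk, outside this view.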