Merge pull request #998 from stackernews/fix-middleware-csp-disabled

Fix CSP commented out in middleware
This commit is contained in:
Keyan 2024-03-29 10:06:34 -05:00 committed by GitHub
commit 8a9e4b7472
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 38 additions and 39 deletions


@ -19,47 +19,46 @@ export function middleware (request) {
resp = referrerMiddleware(request) resp = referrerMiddleware(request)
} }
// const nonce = Buffer.from(crypto.randomUUID()).toString('base64') const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
// // we want to load media from other localhost ports during development // we want to load media from other localhost ports during development
// const devSrc = process.env.NODE_ENV === 'development' ? 'localhost:* ' : '' const devSrc = process.env.NODE_ENV === 'development' ? ' localhost:*' : ''
// unsafe-eval is required during development due to react-refresh.js
// see https://github.com/vercel/next.js/issues/14221
const devScriptSrc = process.env.NODE_ENV === 'development' ? " 'unsafe-eval'" : ''
// const cspHeader = [ const cspHeader = [
// // if something is not explicitly allowed, we don't allow it. // if something is not explicitly allowed, we don't allow it.
// "default-src 'none'", "default-src 'none'",
// "font-src 'self' a.stacker.news", "font-src 'self' a.stacker.news",
// // we want to load images from everywhere but we can limit to HTTPS at least // we want to load images from everywhere but we can limit to HTTPS at least
// `img-src 'self' ${devSrc}a.stacker.news m.stacker.news https: data: blob:`, "img-src 'self' a.stacker.news m.stacker.news https: data: blob:" + devSrc,
// `media-src 'self' ${devSrc}a.stacker.news m.stacker.news`, "media-src 'self' a.stacker.news m.stacker.news" + devSrc,
// // Using nonces and strict-dynamic deploys a strict CSP. // Using nonces and strict-dynamic deploys a strict CSP.
// // see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy. // see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy.
// // Old browsers will ignore nonce and strict-dynamic and fallback to host-based matching and unsafe-inline // Old browsers will ignore nonce and strict-dynamic and fallback to host-based matching and unsafe-inline
// process.env.NODE_ENV === 'production' `script-src 'self' 'unsafe-inline' 'nonce-${nonce}' 'strict-dynamic' https:` + devScriptSrc,
// ? `script-src 'self' 'unsafe-inline' 'nonce-${nonce}' 'strict-dynamic' https:` // unsafe-inline for styles is not ideal but okay if script-src is using nonces
// // unsafe-eval is required during development due to react-refresh.js "style-src 'self' a.stacker.news 'unsafe-inline'",
// // see https://github.com/vercel/next.js/issues/14221 "manifest-src 'self'",
// : `script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-${nonce}' 'strict-dynamic' https:`, 'frame-src www.youtube.com platform.twitter.com',
// // unsafe-inline for styles is not ideal but okay if script-src is using nonces "connect-src 'self' https: wss:" + devSrc,
// "style-src 'self' a.stacker.news 'unsafe-inline'", // disable dangerous plugins like Flash
// "manifest-src 'self'", "object-src 'none'",
// 'frame-src www.youtube.com platform.twitter.com', // blocks injection of <base> tags
// `connect-src 'self' ${devSrc}https: wss:`, "base-uri 'none'",
// // disable dangerous plugins like Flash // tell user agents to replace HTTP with HTTPS
// "object-src 'none'", 'upgrade-insecure-requests',
// // blocks injection of <base> tags // prevents any domain from framing the content (defense against clickjacking attacks)
// "base-uri 'none'", "frame-ancestors 'none'"
// // tell user agents to replace HTTP with HTTPS ].join('; ')
// 'upgrade-insecure-requests',
// // prevents any domain from framing the content (defense against clickjacking attacks)
// "frame-ancestors 'none'"
// ].join('; ')
// resp.headers.set('Content-Security-Policy', cspHeader) resp.headers.set('Content-Security-Policy', cspHeader)
// // for browsers that don't support CSP // for browsers that don't support CSP
// resp.headers.set('X-Frame-Options', 'DENY') resp.headers.set('X-Frame-Options', 'DENY')
// // more useful headers // more useful headers
// resp.headers.set('X-Content-Type-Options', 'nosniff') resp.headers.set('X-Content-Type-Options', 'nosniff')
// resp.headers.set('Referrer-Policy', 'origin-when-cross-origin') resp.headers.set('Referrer-Policy', 'origin-when-cross-origin')
// resp.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains') resp.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
return resp return resp
} }
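Review bot: The nonce in `script-src` is only written into the response header here; nothing in the hunk forwards it to the page renderer, and since `middleware` begins above the hunk I cannot tell whether it is passed along elsewhere. Because `'strict-dynamic'` together with a nonce makes CSP3 browsers ignore `'self'`, `https:` and `'unsafe-inline'`, every `<script>` in the rendered HTML must carry this exact value or it is blocked; if it is not already propagated, forward it on the request, e.g. `const headers = new Headers(request.headers); headers.set('x-nonce', nonce)` and build the response with `NextResponse.next({ request: { headers } })`, then read it in `_document` when emitting script tags. Given the policy has been disabled until this commit, consider shipping it first as `Content-Security-Policy-Report-Only` with a `report-uri`/`report-to` directive to surface blocked resources before switching to the enforcing header.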