ekzyis
/
stacker.news
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow http: and ws: in dev CSP (#1126) 

* Allow HTTP in dev build

* Also allow ws://
This commit is contained in:
ekzyis 2024-05-03 14:17:10 -05:00 committed by GitHub
parent 4961cc045b
commit 98a27caaa9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/validate.js
View File

@ -604,7 +604,7 @@ export const lnbitsSchema = object({
url: process.env.NODE_ENV === 'development' url: process.env.NODE_ENV === 'development'
? string() ? string()
.or([string().matches(/^(http:\/\/)?localhost:\d+$/), string().url()], 'invalid url') .or([string().matches(/^(http:\/\/)?localhost:\d+$/), string().url()], 'invalid url')
.required('required').trim().https() .required('required').trim()
: string().url().required('required').trim().https(), : string().url().required('required').trim().https(),
adminKey: string().length(32) adminKey: string().length(32)
}) })

8
middleware.js
View File

@ -19,12 +19,14 @@ export function middleware (request) {
resp = referrerMiddleware(request) resp = referrerMiddleware(request)
} }
const isDev = process.env.NODE_ENV === 'development'
const nonce = Buffer.from(crypto.randomUUID()).toString('base64') const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
// we want to load media from other localhost ports during development // we want to load media from other localhost ports during development
const devSrc = process.env.NODE_ENV === 'development' ? ' localhost:*' : '' const devSrc = isDev ? ' localhost:* http: ws:' : ''
// unsafe-eval is required during development due to react-refresh.js // unsafe-eval is required during development due to react-refresh.js
// see https://github.com/vercel/next.js/issues/14221 // see https://github.com/vercel/next.js/issues/14221
const devScriptSrc = process.env.NODE_ENV === 'development' ? " 'unsafe-eval'" : '' const devScriptSrc = isDev ? " 'unsafe-eval'" : ''
const cspHeader = [ const cspHeader = [
// if something is not explicitly allowed, we don't allow it. // if something is not explicitly allowed, we don't allow it.
@ -47,7 +49,7 @@ export function middleware (request) {
// blocks injection of <base> tags // blocks injection of <base> tags
"base-uri 'none'", "base-uri 'none'",
// tell user agents to replace HTTP with HTTPS // tell user agents to replace HTTP with HTTPS
'upgrade-insecure-requests', isDev ? '' : 'upgrade-insecure-requests',
// prevents any domain from framing the content (defense against clickjacking attacks) // prevents any domain from framing the content (defense against clickjacking attacks)
"frame-ancestors 'none'" "frame-ancestors 'none'"
].join('; ') ].join('; ')