Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

💥 custom CSP will always extend Shopify domain and default development domain #1593

Merged
merged 3 commits into from
Jan 5, 2024
Merged

💥 custom CSP will always extend Shopify domain and default development domain #1593

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
463e551
✨ add applyDefault option to createContentSecurityPolicy
michenly Dec 21, 2023
3ba3585
Update .changeset/heavy-coins-tickle.md
michenly Jan 3, 2024
3f88fbd
🔥 remove applyDefault option and make extension the default behaviour
michenly Jan 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
18 changes: 18 additions & 0 deletions .changeset/heavy-coins-tickle.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
'@shopify/hydrogen': patch
---

✨ add applyDefault option to createContentSecurityPolicy which allow use to add policy in front of the existing rules instead of overriding them. The default value of applyDefault option is false which is the current behaviour.
Copy link
Contributor

@blittle blittle Jan 3, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
✨ add applyDefault option to createContentSecurityPolicy which allow use to add policy in front of the existing rules instead of overriding them. The default value of applyDefault option is false which is the current behaviour.
✨ add `applyDefault` option to `createContentSecurityPolicy` which automatically adds Shopify domains to the content security policy, extending whatever rules are passed instead of overriding them. The default value of `applyDefault` option is false which is the current behavior.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually thinking about this more, I think almost always if the user provides a custom CSP, they will probably also want to keep the Shopify domains as well. So perhaps this should be default to true, or inverse it and default it to false. Sure it would be a breaking change, but it's relatively minor, and we can make a breaking change for the 2024-01 release. So now would be the time to do it. Thoughts?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@blittle 👍 true say. Since including Shopify domains really just allow more CSP, nothing should really break.
I will edit and make this PR a breaking change and use extending as the default.


Example usage:

```diff
const {nonce, header, NonceProvider} = createContentSecurityPolicy(
{connectSrc: 'wss://public-domain:*'},
+ {applyDefault: true},
);
```

Result of connect-src when `applyDefault=false` is "wss://public-domain:\*"

Result of connect-src when `applyDefault=true` is "wss://public-domain:\* 'self' 'https://cdn.shopify.com' 'https://shopify.com'"
28 changes: 27 additions & 1 deletion packages/hydrogen/src/csp/csp.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,10 @@ type ContentSecurityPolicy = {
*/
export function createContentSecurityPolicy(
directives: Record<string, string[] | string | boolean> = {},
options: {applyDefault?: boolean} = {},
): ContentSecurityPolicy {
const nonce = generateNonce();
const header = createCSPHeader(nonce, directives);
const header = createCSPHeader(nonce, directives, options?.applyDefault);

const Provider = ({children}: {children: ReactNode}) => {
return createElement(NonceProvider, {value: nonce}, children);
Expand All @@ -44,6 +45,7 @@ export function createContentSecurityPolicy(
function createCSPHeader(
nonce: string,
directives: Record<string, string[] | string | boolean> = {},
applyDefault = false,
): string {
const nonceString = `'nonce-${nonce}'`;
const styleSrc = ["'self'", "'unsafe-inline'", 'https://cdn.shopify.com'];
Expand Down Expand Up @@ -78,6 +80,14 @@ function createCSPHeader(
}

const combinedDirectives = Object.assign({}, defaultDirectives, directives);
if (applyDefault) {
for (const key in defaultDirectives) {
combinedDirectives[key] = addCspDirective(
directives[key],
defaultDirectives[key],
);
}
}

// Make sure that at least script-src includes a nonce directive.
// If someone doesn't want a nonce in their CSP, they probably
Expand All @@ -98,3 +108,19 @@ function createCSPHeader(
directives: combinedDirectives,
});
}

function addCspDirective(
currentValue: string[] | string | boolean,
value: string[] | string | boolean,
): boolean | string[] {
const normalizedValue = typeof value === 'string' ? [value] : value;
const normalizedCurrentValue = Array.isArray(currentValue)
? currentValue
: [String(currentValue)];

const newValue = Array.isArray(normalizedValue)
? [...normalizedCurrentValue, ...normalizedValue]
: normalizedValue;

return newValue;
}