feat(runtime): add csp reporting url env var (#81)

americanexpress · Apr 8, 2020 · f6faa53 · f6faa53
1 parent 8b65858
commit f6faa53
Show file tree

Hide file tree

Showing 9 changed files with 75 additions and 19 deletions.
diff --git a/__tests__/server/config/env/runTime.spec.js b/__tests__/server/config/env/runTime.spec.js
@@ -43,6 +43,7 @@ describe('runTime', () => {
     'HOLOCRON_SERVER_MAX_MODULES_RETRY',
     'HOLOCRON_SERVER_MAX_SIM_MODULES_FETCH',
     'ONE_CLIENT_REPORTING_URL',
+    'ONE_CLIENT_CSP_REPORTING_URL',
     'ONE_CLIENT_CDN_URL',
     'ONE_CLIENT_LOCALE_FILENAME',
     'ONE_CLIENT_ROOT_MODULE_NAME',
@@ -297,6 +298,21 @@ describe('runTime', () => {
     });
   });
 
+  describe('ONE_CLIENT_CSP_REPORTING_URL', () => {
+    const clientCSPReportingUrl = getEnvVarConfig('ONE_CLIENT_CSP_REPORTING_URL');
+
+    it('has a default value for development', () => {
+      process.env.NODE_ENV = 'development';
+      expect(clientCSPReportingUrl.defaultValue()).toBeDefined();
+      expect(clientCSPReportingUrl.defaultValue()).toMatch(/^https?:\/\//);
+    });
+
+    it('has no default value for production', () => {
+      process.env.NODE_ENV = 'production';
+      expect(clientCSPReportingUrl.defaultValue()).not.toBeDefined();
+    });
+  });
+
   describe('ONE_CLIENT_CDN_URL', () => {
     const clientCdnUrl = getEnvVarConfig('ONE_CLIENT_CDN_URL');
 

diff --git a/docs/api/server/Environment-Variables.md b/docs/api/server/Environment-Variables.md
@@ -23,6 +23,7 @@ One App can be configured via Environment Variables:
   * [`NODE_ENV`](#node_env)
   * [`ONE_CLIENT_LOCALE_FILENAME`](#one_client_locale_filename)
   * [`ONE_CLIENT_REPORTING_URL`](#one_client_reporting_url) ⚠️
+  * [`ONE_CLIENT_CSP_REPORTING_URL`](#one_client_csp_reporting_url) ⚠️
   * [`ONE_CLIENT_ROOT_MODULE_NAME`](#one_client_root_module_name) ⚠️
   * [`ONE_CLIENT_CDN_URL`](#one_client_cdn_url) ⚠️
   * [`ONE_CONFIG_ENV`](#one_config_env)
@@ -136,7 +137,7 @@ HOLOCRON_SERVER_MAX_SIM_MODULES_FETCH=30
 > ⚠️ Requires [`HTTPS_PRIVATE_KEY_PATH`] and [`HTTPS_PUBLIC_CERT_CHAIN_PATH`] to be set.
 
 **Runs In**
-* ✅ Production 
+* ✅ Production
 * ✅ Development
 
 Sets the port on which One App will listen for requests.
@@ -154,10 +155,10 @@ HTTPS_PORT=443
 ## `HTTPS_PRIVATE_KEY_PASS_FILE_PATH`
 
 **Runs In**
-* ✅ Production 
+* ✅ Production
 * ✅ Development
 
-The file path to a file containing a shared passphrase for single private key (See [Node documentation on `passphrase` for `tls.createSecureContext`](https://nodejs.org/api/tls.html#tls_tls_connect_options_callback)). 
+The file path to a file containing a shared passphrase for single private key (See [Node documentation on `passphrase` for `tls.createSecureContext`](https://nodejs.org/api/tls.html#tls_tls_connect_options_callback)).
 
 **Shape**
 ```bash
@@ -172,7 +173,7 @@ HTTPS_PRIVATE_KEY_PASS_FILE_PATH=./some-extra-certs.pem
 ## `HTTPS_PRIVATE_KEY_PATH`
 
 **Runs In**
-* ✅ Production 
+* ✅ Production
 * ✅ Development
 
 The file path to the private key of an SSL Certificate.
@@ -192,7 +193,7 @@ HTTPS_PRIVATE_KEY_PATH=./some-private-key.pem
 > ⚠️ Required by [`HTTPS_PORT`]
 
 **Runs In**
-* ✅ Production 
+* ✅ Production
 * ✅ Development
 
 The file path to the public key of an SSL Certificate.
@@ -212,7 +213,7 @@ HTTPS_PUBLIC_CERT_CHAIN_PATH=./some-cert.pem
 > ⚠️ Required by [`HTTPS_PORT`]
 
 **Runs In**
-* ✅ Production 
+* ✅ Production
 * ✅ Development
 
 The file path to a file containing one or more certs to trust over the system default. See [Node documentation on `ca` option in `tls.createSecureContext`](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options).
@@ -292,7 +293,7 @@ HTTP_ONE_APP_DEV_PROXY_SERVER_PORT=undefined
 ## `HTTP_PORT`
 
 **Runs In**
-* ✅ Production 
+* ✅ Production
 * ✅ Development
 
 Sets the port on which One App will listen for requests.
@@ -310,7 +311,7 @@ HTTP_PORT=3000
 ## `IP_ADDRESS`
 
 **Runs In**
-* ✅ Production 
+* ✅ Production
 * ✅ Development
 
 Specify a specific IP Address for One App to bind to.
@@ -328,7 +329,7 @@ IP_ADDRESS=192.168.1.1
 ## `NODE_ENV`
 
 **Runs In**
-* ✅ Production 
+* ✅ Production
 * ✅ Development
 
 May be set to either `production` or `development`. When set to `development` additional tooling
@@ -405,7 +406,7 @@ ONE_CLIENT_LOCALE_FILENAME=undefined
 * ✅ Production
 * ✅ Development
 
-URL where browser should send client side errors to. Defaults to `/_` if `NODE_ENV` is set to
+URL where browser should send client side errors to. Defaults to `/_/report/errors` if `NODE_ENV` is set to
 `development` and is undefined otherwise.
 
 **Shape**
@@ -421,11 +422,40 @@ ONE_CLIENT_REPORTING_URL=https://my-app-errors.com/client
 **Default Value**
 ```bash
 # if NODE_ENV=development
-ONE_CLIENT_REPORTING_URL=/_
+ONE_CLIENT_REPORTING_URL=/_/report/errors
 # else
 ONE_CLIENT_REPORTING_URL=undefined
 ```
 
+## `ONE_CLIENT_CSP_REPORTING_URL`
+
+⚠️ Required In Production
+
+**Runs In**
+* ✅ Production
+* ✅ Development
+
+URL where browser should send [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) errors to. Defaults to `/_/report/security/csp-violation` if `NODE_ENV` is set to
+`development` and is undefined otherwise.
+
+**Shape**
+```bash
+ONE_CLIENT_CSP_REPORTING_URL=String
+```
+
+**Example**
+```bash
+ONE_CLIENT_CSP_REPORTING_URL=https://my-app-csp-violations.example.com/client
+```
+
+**Default Value**
+```bash
+# if NODE_ENV=development
+ONE_CLIENT_CSP_REPORTING_URL=/_/report/security/csp-violation
+# else
+ONE_CLIENT_CSP_REPORTING_URL=undefined
+
+
 ## `ONE_CLIENT_ROOT_MODULE_NAME`
 
 ⚠️ Required In Production & Development
@@ -434,7 +464,7 @@ ONE_CLIENT_REPORTING_URL=undefined
 * ✅ Production
 * ✅ Development
 
-Name of the module that serves as the entry point to your application. In local development this is 
+Name of the module that serves as the entry point to your application. In local development this is
 not necessary as you can pass the [`--root-module-name` argument to `npm start`](./CLI-Commands.md#start-commands) instead.
 
 **Shape**
@@ -542,4 +572,4 @@ ONE_MAP_POLLING_MIN=0
 [`HTTPS_PUBLIC_CERT_CHAIN_PATH`]: #https_public_cert_chain_path
 [`HTTPS_TRUSTED_CA_PATH`]: #https_trusted_ca_path
 [`HTTPS_PRIVATE_KEY_PASS_FILE_PATH`]: #https_private_key_pass_file_path
-[`HTTPS_PORT`]: #https_port
+[`HTTPS_PORT`]: #https_port
diff --git a/prod-sample/one-app/base.env b/prod-sample/one-app/base.env
@@ -1,5 +1,6 @@
 HOLOCRON_MODULE_MAP_URL=https://sample-cdn.frank/module-map.json
-ONE_CLIENT_REPORTING_URL=https://one-app:8443/_
+ONE_CLIENT_REPORTING_URL=https://one-app:8443/_/report/errors
+ONE_CLIENT_CSP_REPORTING_URL=https://one-app:8443/_/report/security/csp-violation
 ONE_CLIENT_ROOT_MODULE_NAME=frank-lloyd-root
 NODE_ENV=production
 ONE_CLIENT_CDN_URL=https://sample-cdn.frank/

diff --git a/prod-sample/sample-modules/cultured-frankie/0.0.1/package.json b/prod-sample/sample-modules/cultured-frankie/0.0.1/package.json
@@ -30,4 +30,4 @@
       ]
     }
   }
-}
+}
diff --git a/prod-sample/sample-modules/frank-lloyd-root/0.0.0/src/csp.js b/prod-sample/sample-modules/frank-lloyd-root/0.0.0/src/csp.js
@@ -19,7 +19,7 @@ import ip from 'ip';
 
 export default contentSecurityPolicyBuilder({
   directives: {
-    reportUri: `${process.env.ONE_CLIENT_REPORTING_URL}/report/security/csp-violation`,
+    reportUri: process.env.ONE_CLIENT_CSP_REPORTING_URL,
     defaultSrc: [
       "'self'",
     ],

diff --git a/prod-sample/sample-modules/frank-lloyd-root/0.0.1/src/csp.js b/prod-sample/sample-modules/frank-lloyd-root/0.0.1/src/csp.js
@@ -19,7 +19,7 @@ import ip from 'ip';
 
 export default contentSecurityPolicyBuilder({
   directives: {
-    reportUri: `${process.env.ONE_CLIENT_REPORTING_URL}/report/security/csp-violation`,
+    reportUri: process.env.ONE_CLIENT_CSP_REPORTING_URL,
     defaultSrc: [
       "'self'",
     ],

diff --git a/prod-sample/sample-modules/frank-lloyd-root/0.0.2/src/csp.js b/prod-sample/sample-modules/frank-lloyd-root/0.0.2/src/csp.js
@@ -19,7 +19,7 @@ import ip from 'ip';
 
 export default contentSecurityPolicyBuilder({
   directives: {
-    reportUri: `${process.env.ONE_CLIENT_REPORTING_URL}/report/security/csp-violation`,
+    reportUri: process.env.ONE_CLIENT_CSP_REPORTING_URL,
     defaultSrc: [
       "'self'",
     ],

diff --git a/src/server/config/env/runTime.js b/src/server/config/env/runTime.js
@@ -139,7 +139,15 @@ const runTime = [
   {
     name: 'ONE_CLIENT_REPORTING_URL',
     defaultValue: () => (process.env.NODE_ENV === 'development'
-      ? `http://${ip}:${process.env.HTTP_PORT}/_`
+      ? `http://${ip}:${process.env.HTTP_PORT}/_/report/errors`
+      : undefined),
+    validate: isFetchableUrlInBrowser,
+  },
+  // where to send/report csp violations
+  {
+    name: 'ONE_CLIENT_CSP_REPORTING_URL',
+    defaultValue: () => (process.env.NODE_ENV === 'development'
+      ? `http://${ip}:${process.env.HTTP_PORT}/_/report/security/csp-violation`
       : undefined),
     validate: isFetchableUrlInBrowser,
   },

diff --git a/src/server/utils/envVarAllowList.js b/src/server/utils/envVarAllowList.js
@@ -16,6 +16,7 @@
 
 export default [
   'ONE_CLIENT_REPORTING_URL',
+  'ONE_CLIENT_CSP_REPORTING_URL',
   'ONE_CLIENT_CDN_URL',
   'ONE_CLIENT_LOCALE_FILENAME',
   'ONE_CLIENT_ROOT_MODULE_NAME',