From 5516f7d27d5f55cfce82591174fc49d8767dc330 Mon Sep 17 00:00:00 2001
From: Caleb Evans
Date: Sat, 25 Dec 2021 13:54:28 -0800
Subject: [PATCH] Add missing Content Security Policy (CSP)

---
 app/server/express-server.js | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/app/server/express-server.js b/app/server/express-server.js
index c6f5715..7d37bc4 100644
--- a/app/server/express-server.js
+++ b/app/server/express-server.js
@@ -14,7 +14,23 @@ if (process.env.NODE_ENV === 'production') {
 app.enable('trust proxy');
 app.use(expressEnforcesSSL());
 }
-app.use(helmet());
+app.use(helmet({
+ contentSecurityPolicy: {
+ useDefaults: true,
+ directives: {
+ /* eslint-disable quotes */
+ 'default-src': ["'none'"],
+ 'style-src': ["'self'"],
+ 'img-src': ["'self'"],
+ 'font-src': ["'self'", 'https://*.gstatic.com', 'data:'],
+ 'script-src': ["'self'", "'unsafe-inline'", 'https://storage.googleapis.com', 'https://www.google-analytics.com'],
+ 'child-src': ["'self'"],
+ 'connect-src': ["'self'"],
+ 'manifest-src': ["'self'"]
+ /* eslint-enable quotes */
+ }
+ }
+}));
 // Serve assets using gzip compression
 app.use(compression());
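Review bot: `'unsafe-inline'` in the new `'script-src'` directive re-allows every inline script, so the policy added here leaves script-injection XSS on the page largely unmitigated even though the remaining directives (`default-src 'none'`, `connect-src 'self'`, etc.) are tight. Helmet accepts a function per directive source, so the usual fix is a per-request nonce, e.g. `(req, res) => \`'nonce-${res.locals.cspNonce}'\`` with `res.locals.cspNonce` set from `crypto.randomBytes` in an earlier middleware (names here are illustrative), or a `'sha256-…'` hash per inline snippet, after which `'unsafe-inline'` can be dropped. If this is a deliberate stop-gap, a comment such as `// TODO: replace 'unsafe-inline' with nonces/hashes; it disables CSP's script protection` would record that intent next to the directive. Helmet's `reportOnly` option (which emits `Content-Security-Policy-Report-Only`) would let the stricter policy be trialled without breaking the Google Analytics and storage.googleapis.com loads that presumably motivated the inline allowance. The hunk header counts seven old lines but only six are visible, so the hunk's trailing context line appears to have been lost in the paste.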