Quick patch for restbase integration with local mobileapps

johngian · Jan 15, 2021 · 756b10d · 756b10d
1 parent 1f9b5da
commit 756b10d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 12 deletions.
diff --git a/config.fullstack.test.yaml b/config.fullstack.test.yaml
@@ -19,13 +19,14 @@ default_project: &default_project
                     # 10 days Varnish caching, one day client-side
                     cache-control: s-maxage=864000, max-age=86400
                   mobileapps:
-                    host: https://mobileapps.wmflabs.org
+                    protocol: http
+                    host: http://127.0.0.1:8888
                   wikifeeds:
                     host: https://wikifeeds.wmflabs.org
                   summary:
-                    protocol: https
                     implementation: mcs
-                    host: https://mobileapps.wmflabs.org
+                    protocol: http
+                    host: http://127.0.0.1:8888
                   citoid:
                     host: https://citoid-beta.wmflabs.org
                   recommendation:
@@ -245,6 +246,7 @@ services:
     module: hyperswitch
     conf: &rb_conf
       # In production we expose both 7231 and 7233 ports from fullstack RB.
+      cors: "*"
       port: 7233
       spec: *spec_root
       salt: secret

diff --git a/lib/security_response_header_filter.js b/lib/security_response_header_filter.js
@@ -3,15 +3,7 @@
 const P = require('bluebird');
 const HTTPError = require('hyperswitch').HTTPError;
 
-const MOBILE_HTML_CSP = "default-src 'none'; " +
-    'connect-src app://*.wikipedia.org https://*.wikipedia.org; ' +
-    "media-src app://upload.wikimedia.org https://upload.wikimedia.org 'self'; " +
-    "img-src app://*.wikimedia.org https://*.wikimedia.org app://wikimedia.org https://wikimedia.org 'self' data:; " +
-    "object-src 'none'; " +
-    "script-src app://meta.wikimedia.org https://meta.wikimedia.org 'unsafe-inline'; " +
-    'style-src app://meta.wikimedia.org https://meta.wikimedia.org ' +
-    "app://*.wikipedia.org https://*.wikipedia.org 'self' 'unsafe-inline'; " +
-    "frame-ancestors 'self'";
+const MOBILE_HTML_CSP = "default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';"
 /**
  * Filter adding security-relevant response headers like CSP.
  */