[PWA-680] Webpagetest security score is too low (#2548)
* Test some inline definitions to see if this passes the WPT scan
* feat(targets): Add target for editing UPWARD definitions
* - Move security definitions into a new package
  - Write an interceptor that injects them into the app shell
* Add new package to docker configs
* Fix to version and add clean script
* Update packages/extensions/upward-security-headers/intercept.js

  Co-authored-by: James Zetlen <jzetlen@adobe.com>
* Fix failing test
* Fix for scaffolding to support packages in extensions directory
* Implement PR suggestions
* Fixup failing test
* Add Braintree to CSP rule

Co-authored-by: James Zetlen <jzetlen@adobe.com>
Co-authored-by: Devagouda <40405790+dpatil-magento@users.noreply.github.com>
1 parent 407617e, commit 77ab096
Showing 15 changed files with 190 additions and 41 deletions.
@@ -0,0 +1,26 @@ | ||
const SECURITY_HEADER_DEFINITION = 'veniaSecurityHeaders'; | ||
|
||
module.exports = targets => { | ||
const builtins = targets.of('@magento/pwa-buildpack'); | ||
|
||
builtins.specialFeatures.tap(features => { | ||
features[targets.name] = { upward: true }; | ||
}); | ||
|
||
builtins.transformUpward.tapPromise(async definitions => { | ||
if (!definitions[SECURITY_HEADER_DEFINITION]) { | ||
throw new Error( | ||
`${ | ||
targets.name | ||
} could not find its own definition in the emitted upward.yml` | ||
); | ||
} | ||
|
||
const shellHeaders = definitions.veniaAppShell.inline.headers.inline; | ||
const securityHeaders = definitions[SECURITY_HEADER_DEFINITION].inline; | ||
|
||
for (const name of Object.keys(securityHeaders)) { | ||
shellHeaders[name] = `${SECURITY_HEADER_DEFINITION}.${name}`; | ||
} | ||
}); | ||
}; |
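Review bot: `definitions.veniaAppShell.inline.headers.inline` is dereferenced without a guard, so if another interceptor has removed or reshaped the `veniaAppShell` definition before this `transformUpward` tap runs, the build dies with an opaque TypeError instead of the descriptive Error thrown a few lines above for a missing `veniaSecurityHeaders` definition. Suggest checking that path the same way, e.g. `if (!definitions.veniaAppShell || !definitions.veniaAppShell.inline || !definitions.veniaAppShell.inline.headers) { throw new Error(...) }` before taking `shellHeaders`. Two smaller points on the same hunk: the `for` loop silently overwrites any header the app shell already declares under the same name (a project that has customised `content-security-policy` or `x-frame-options` in its own `upward.yml` would lose that override with no message), so a warning or an "already present" check would make the collision visible; and the exported interceptor has no doc comment explaining that it rewrites the shell's `headers.inline` to reference `veniaSecurityHeaders.<name>` rather than copying values, which matters to anyone who later inspects the emitted `upward.yml`.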
@@ -0,0 +1,26 @@ | ||
{ | ||
"name": "@magento/upward-security-headers", | ||
"version": "0.0.1", | ||
"publishConfig": { | ||
"access": "public" | ||
}, | ||
"description": "Add security headers to UPWARD", | ||
"main": "intercept.js", | ||
"scripts": { | ||
"clean": " " | ||
}, | ||
"repository": "github:magento/pwa-studio", | ||
"author": "Magento Commerce", | ||
"license": "(OSL-3.0 OR AFL-3.0)", | ||
"peerDependencies": { | ||
"@magento/pwa-buildpack": "^5.1.1", | ||
"@magento/venia-ui": "^3.0.0", | ||
"rimraf": "~2.6.3", | ||
"webpack": "~4.38.0" | ||
}, | ||
"pwa-studio": { | ||
"targets": { | ||
"intercept": "./intercept" | ||
} | ||
} | ||
} |
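Review bot: `"clean": " "` is a whitespace-only script, so `yarn clean` (or the monorepo-wide clean the commit message refers to) runs nothing for this package while `rimraf` is still declared as a peerDependency. Either give the script a real body or, since this package has no build output, drop `rimraf` from `peerDependencies` and keep an explicit no-op so the intent is clear to the next reader. `webpack` is also listed as a peer dependency although `intercept.js` never requires it; if it is only there because other extension packages declare it, a one-line comment in the PR would save the question, otherwise it should go.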
@@ -0,0 +1,25 @@ | ||
veniaSecurityHeaders: | ||
resolver: inline | ||
inline: | ||
content-security-policy: | ||
resolver: template | ||
engine: mustache | ||
provide: | ||
backend: env.MAGENTO_BACKEND_URL | ||
template: | ||
resolver: conditional | ||
when: | ||
- matches: env.NODE_ENV | ||
pattern: development | ||
use: | ||
inline: "" | ||
default: | ||
inline: "script-src http: https: {{ backend }}; style-src 'self' https: 'unsafe-inline' {{ backend }}; img-src data: http: https:; object-src 'none'; base-uri 'none'; child-src 'self'; font-src 'self' fonts.gstatic.com; frame-src assets.braintreegateway.com" | ||
strict-transport-security: | ||
inline: max-age=31536000 | ||
x-content-type-options: | ||
inline: nosniff | ||
x-frame-options: | ||
inline: SAMEORIGIN | ||
x-xss-protection: | ||
inline: '1; mode=block' |
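Review bot: the production `content-security-policy` value allows `script-src http: https:`, i.e. any script from any host over either scheme, which satisfies a scanner's "CSP present" check but gives almost no protection against injected script and also permits scripts to be requested over plain `http:` on an HTTPS page. Suggest narrowing `script-src` to `'self'`, the `{{ backend }}` origin and the specific third-party hosts the storefront actually loads (the Braintree host already named under `frame-src` is the pattern to follow), and tightening `img-src` and `style-src` the same way; `style-src 'unsafe-inline'` is a known trade-off for the current UI but should be called out in the PR as such. Three smaller points: the template engine is `mustache`, and if this is mustache.js with default escaping then `{{ backend }}` is HTML-escaped, which turns `/` into `&#x2F;` and would corrupt a URL value in the header, so either use `{{{ backend }}}` or verify the emitted header contains the literal URL; `child-src 'self'` is only a fallback directive, and because `frame-src` is set explicitly it now governs workers alone, so it does not restrict framing the way the line order suggests (framing of this page by others is covered by `x-frame-options: SAMEORIGIN`, but a `frame-ancestors` directive would be the CSP equivalent); and `x-xss-protection` has been removed from current browsers, so with a real CSP in place it adds little beyond the scanner score.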