feat: add csp report endpoint (#209)

nftstorage · Jan 3, 2023 · c1d3b26 · c1d3b26
1 parent b2b1c85
commit c1d3b26
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 11 deletions.
diff --git a/packages/edge-gateway/src/bindings.d.ts b/packages/edge-gateway/src/bindings.d.ts
@@ -11,6 +11,7 @@ export interface EnvInput {
   LOKI_TOKEN?: string
   EDGE_GATEWAY: Fetcher
   GATEWAY_HOSTNAME: string
+  CSP_REPORT_URI: string
   GOODBITSLIST: KVNamespace
 }
 

diff --git a/packages/edge-gateway/src/gateway.js b/packages/edge-gateway/src/gateway.js
@@ -13,6 +13,11 @@ const IPFS_GATEWAYS = [
   'https://ipfs.io/ipfs/',
 ]
 const DOTSTORAGE_APIS = ['https://*.web3.storage', 'https://*.nft.storage']
+const ALLOWED_LIST = [
+  'https://*.githubusercontent.com',
+  'https://polygon-rpc.com',
+  'https://rpc.testnet.fantom.network',
+]
 
 /**
  * Handle gateway requests
@@ -50,31 +55,37 @@ export async function gatewayGet(request, env) {
     return response
   }
 
-  return getTransformedResponseWithCspHeaders(response)
+  return getTransformedResponseWithCspHeaders(response, env)
 }
 
 /**
  * Transforms response with custom headers.
  * Content-Security-Policy header specified to only allow requests within same origin.
  *
  * @param {Response} response
+ * @param {import('./bindings').Env} env
  */
-function getTransformedResponseWithCspHeaders(response) {
+function getTransformedResponseWithCspHeaders(response, env) {
   const clonedResponse = new Response(response.body, response)
+  const defaultSrc = `'self' 'unsafe-inline' 'unsafe-eval' blob: data: ${IPFS_GATEWAYS.join(
+    ' '
+  )} ${DOTSTORAGE_APIS.join(' ')} ${ALLOWED_LIST.join(' ')}`
+  const connectSrc = `'self' blob: data: ${IPFS_GATEWAYS.join(
+    ' '
+  )} ${DOTSTORAGE_APIS.join(' ')} ${ALLOWED_LIST.join(' ')}`
+  const reportUri = env.CSP_REPORT_URI
 
   clonedResponse.headers.set(
     'content-security-policy',
-    `default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ${IPFS_GATEWAYS.join(
-      ' '
-    )} ${DOTSTORAGE_APIS.join(
-      ' '
-    )} https://*.githubusercontent.com; form-action 'self'; navigate-to 'self'; connect-src 'self' blob: data: ${IPFS_GATEWAYS.join(
-      ' '
-    )} ${DOTSTORAGE_APIS.join(
-      ' '
-    )} https://polygon-rpc.com https://rpc.testnet.fantom.network`
+    `default-src ${defaultSrc} ; form-action 'self'; navigate-to 'self'; connect-src ${connectSrc} ; report-to csp-endpoint ; report-uri ${reportUri}`
   )
 
+  reportUri &&
+    clonedResponse.headers.set(
+      'reporting-endpoints',
+      `csp-endpoint="${reportUri}"`
+    )
+
   return clonedResponse
 }
 

diff --git a/packages/edge-gateway/wrangler.toml b/packages/edge-gateway/wrangler.toml
@@ -32,6 +32,7 @@ kv_namespaces = [
 
 [env.production.vars]
 GATEWAY_HOSTNAME = 'ipfs.nftstorage.link'
+CSP_REPORT_URI = 'https://csp-report-to.web3.storage'
 DEBUG = "false"
 ENV = "production"
 
@@ -58,6 +59,7 @@ kv_namespaces = [
 
 [env.staging.vars]
 GATEWAY_HOSTNAME = 'ipfs-staging.nftstorage.link'
+CSP_REPORT_URI = 'https://staging.csp-report-to.web3.storage'
 DEBUG = "true"
 ENV = "staging"