From c1d3b26b3e8b0d85f527851bda5d41a6b39516cf Mon Sep 17 00:00:00 2001
From: Vasco Santos
Date: Tue, 3 Jan 2023 13:15:29 +0000
Subject: [PATCH] feat: add csp report endpoint (#209)
---
 packages/edge-gateway/src/bindings.d.ts | 1 +
 packages/edge-gateway/src/gateway.js | 33 ++++++++++++++++---------
 packages/edge-gateway/wrangler.toml | 2 ++
 3 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/packages/edge-gateway/src/bindings.d.ts b/packages/edge-gateway/src/bindings.d.ts
index a748d9b..2024e7b 100644
--- a/packages/edge-gateway/src/bindings.d.ts
+++ b/packages/edge-gateway/src/bindings.d.ts
@@ -11,6 +11,7 @@ export interface EnvInput {
 LOKI_TOKEN?: string
 EDGE_GATEWAY: Fetcher
 GATEWAY_HOSTNAME: string
+ CSP_REPORT_URI: string
 GOODBITSLIST: KVNamespace
 }
diff --git a/packages/edge-gateway/src/gateway.js b/packages/edge-gateway/src/gateway.js
index 22802d1..5855e1a 100644
--- a/packages/edge-gateway/src/gateway.js
+++ b/packages/edge-gateway/src/gateway.js
@@ -13,6 +13,11 @@ const IPFS_GATEWAYS = [
 'https://ipfs.io/ipfs/',
 ]
 const DOTSTORAGE_APIS = ['https://*.web3.storage', 'https://*.nft.storage']
+const ALLOWED_LIST = [
+ 'https://*.githubusercontent.com',
+ 'https://polygon-rpc.com',
+ 'https://rpc.testnet.fantom.network',
+]
 /**
 * Handle gateway requests
@@ -50,7 +55,7 @@ export async function gatewayGet(request, env) {
 return response
 }
- return getTransformedResponseWithCspHeaders(response)
+ return getTransformedResponseWithCspHeaders(response, env)
 }
 /**
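Review bot: `CSP_REPORT_URI: string` declares the binding as required, but the gateway.js hunk in this same patch guards the `reporting-endpoints` header with `reportUri &&`, which only makes sense if the value can be missing; the type and the runtime check disagree. Either declare it optional like the `LOKI_TOKEN?: string` line above it, `CSP_REPORT_URI?: string`, so the compiler forces every consumer to handle the absent case, or keep it required and drop the runtime guard so a misconfigured environment fails loudly instead of emitting a half-formed policy. The `EnvInput` interface continues outside the hunk.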
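Review bot: Folding the two host lists into one `ALLOWED_LIST` widens the policy in both directions: the removed lines in the `getTransformedResponseWithCspHeaders` hunk show `https://*.githubusercontent.com` only in `default-src` and the two RPC hosts only in `connect-src`, whereas the new code applies all three to both directives. Since `default-src` is the fallback for `script-src`, `frame-src`, `img-src` and the other unset fetch directives, gateway-served content may now load scripts and frames from polygon-rpc.com and rpc.testnet.fantom.network, and may open fetch/XHR/WebSocket connections to any githubusercontent.com subdomain, none of which the previous header allowed. If that broadening is intended, say so in a comment on the list; otherwise keep the lists separate, e.g. `const DEFAULT_SRC_EXTRA = ['https://*.githubusercontent.com']` and `const CONNECT_SRC_EXTRA = ['https://polygon-rpc.com', 'https://rpc.testnet.fantom.network']`, and interpolate each into only its own directive.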
@@ -58,23 +63,29 @@ export async function gatewayGet(request, env) {
 * Content-Security-Policy header specified to only allow requests within same origin.
 *
 * @param {Response} response
+ * @param {import('./bindings').Env} env
 */
-function getTransformedResponseWithCspHeaders(response) {
+function getTransformedResponseWithCspHeaders(response, env) {
 const clonedResponse = new Response(response.body, response)
+ const defaultSrc = `'self' 'unsafe-inline' 'unsafe-eval' blob: data: ${IPFS_GATEWAYS.join(
+ ' '
+ )} ${DOTSTORAGE_APIS.join(' ')} ${ALLOWED_LIST.join(' ')}`
+ const connectSrc = `'self' blob: data: ${IPFS_GATEWAYS.join(
+ ' '
+ )} ${DOTSTORAGE_APIS.join(' ')} ${ALLOWED_LIST.join(' ')}`
+ const reportUri = env.CSP_REPORT_URI
 clonedResponse.headers.set(
 'content-security-policy',
- `default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ${IPFS_GATEWAYS.join(
- ' '
- )} ${DOTSTORAGE_APIS.join(
- ' '
- )} https://*.githubusercontent.com; form-action 'self'; navigate-to 'self'; connect-src 'self' blob: data: ${IPFS_GATEWAYS.join(
- ' '
- )} ${DOTSTORAGE_APIS.join(
- ' '
- )} https://polygon-rpc.com https://rpc.testnet.fantom.network`
+ `default-src ${defaultSrc} ; form-action 'self'; navigate-to 'self'; connect-src ${connectSrc} ; report-to csp-endpoint ; report-uri ${reportUri}`
 )
+ reportUri &&
+ clonedResponse.headers.set(
+ 'reporting-endpoints',
+ `csp-endpoint="${reportUri}"`
+ )
+
 return clonedResponse
 }
diff --git a/packages/edge-gateway/wrangler.toml b/packages/edge-gateway/wrangler.toml
index 86e3e73..c937dfd 100644
--- a/packages/edge-gateway/wrangler.toml
+++ b/packages/edge-gateway/wrangler.toml
@@ -32,6 +32,7 @@ kv_namespaces = [
 [env.production.vars]
 GATEWAY_HOSTNAME = 'ipfs.nftstorage.link'
+CSP_REPORT_URI = 'https://csp-report-to.web3.storage'
 DEBUG = "false"
 ENV = "production"
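Review bot: `report-to csp-endpoint ; report-uri ${reportUri}` is appended to the policy unconditionally, while the `reporting-endpoints` header a few lines below is only set when `reportUri` is truthy, so in any environment without `CSP_REPORT_URI` the header ends in the literal `report-uri undefined` and names a `csp-endpoint` group that is never declared. Make the reporting directives depend on the same check, e.g. `const reporting = reportUri ? ' ; report-to csp-endpoint ; report-uri ' + reportUri : ''` and end the template with `connect-src ${connectSrc}${reporting}`. The wrangler hunks in this patch set the variable only for production and staging, so any other environment would presumably take that path. The stray spaces before the `;` separators (`${defaultSrc} ;`) are tolerated by CSP parsers but are inconsistent with the rest of the header. The `'unsafe-inline' 'unsafe-eval'` sources in `default-src` predate this change and are untouched here; they remain worth a separate follow-up.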
@@ -58,6 +59,7 @@ kv_namespaces = [
 [env.staging.vars]
 GATEWAY_HOSTNAME = 'ipfs-staging.nftstorage.link'
+CSP_REPORT_URI = 'https://staging.csp-report-to.web3.storage'
 DEBUG = "true"
 ENV = "staging"