add nonce into scp policy (#3904)
* add nonce into scp policy

* change default scriptSrc

* change default settings of csp

* fix csp config

* update csp policy

* remove the useless gptad
ety001 committed Sep 15, 2023
1 parent b0d8278 commit a9f0bd5
Showing 13 changed files with 65 additions and 199 deletions.
13 changes: 6 additions & 7 deletions config/default.json
Expand Up @@ -4,16 +4,15 @@
"helmet": {
"directives": {
"childSrc": "'self' 3speak.online emb.d.tube player.twitch.tv www.youtube.com staticxx.facebook.com w.soundcloud.com player.vimeo.com",
"connectSrc": "https://steemitimages.com securepubads.g.doubleclick.net 'self' steemit.com https://api.steemit.com www.googletagmanager.com www.google-analytics.com pagead2.googlesyndication.com googleads.g.doubleclick.net",
"defaultSrc": "tpc.googlesyndication.com 'self' img.3speakcontent.online emb.d.tube www.youtube.com staticxx.facebook.com player.vimeo.com *.streamrail.com",
"fontSrc": "data: fonts.gstatic.com steemitdev.com steemit.com steemitwallet.com",
"defaultSrc": "'self' img.3speakcontent.online emb.d.tube www.youtube.com staticxx.facebook.com player.vimeo.com *.streamrail.com",
"connectSrc": "'self' https://steemitimages.com https://api.steemit.com https://api.steemitdev.com api.trongrid.io www.googletagmanager.com www.google-analytics.com pagead2.googlesyndication.com googleads.g.doubleclick.net securepubads.g.doubleclick.net",
"fontSrc": "'self' data: fonts.gstatic.com steemitdev.com steemit.com steemitwallet.com",
"frameAncestors": "'none'",
"frameSrc": "'self' googleads.g.doubleclick.net https:",
"imgSrc": "* data:",
"objectSrc": "'none'",
"pluginTypes": "application/pdf",
"scriptSrc": "'unsafe-inline' 'unsafe-eval' data: https: 'self' www.google-analytics.com www.googletagmanager.com connect.facebook.net cdn.catchjs.com",
"styleSrc": "'self' 'unsafe-inline' fonts.googleapis.com",
"objectSrc": "'self' application/pdf",
"scriptSrc": "'self' www.google-analytics.com www.googletagmanager.com connect.facebook.net *.tronads.io",
"styleSrc": "'self' fonts.googleapis.com",
"reportUri": "/api/v1/csp_violation"
},
"reportOnly": false,
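Review bot: `"objectSrc": "'self' application/pdf"` (the line replacing `'none'`) puts a MIME type into a source list; `application/pdf` is not a valid source expression, so browsers discard it with a console warning and the effective directive becomes just `'self'`, which is looser than the `'none'` it replaces. If the site serves no plugin content from its own origin, keep `"objectSrc": "'none'"`; MIME restrictions belonged to the dropped `pluginTypes` directive, which is deprecated in any case. The same lines appear in config/development.json and config/production.json. Separately, `scriptSrc` now lists `*.tronads.io`: a wildcard third-party host in script-src lets any subdomain of that domain execute script regardless of the move to nonces, so pinning the exact host is preferable; note also that this file's `childSrc` does not include `*.tronads.io` while the development and production files add it, which is fine only if those files fully override the directive rather than merge with it.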
33 changes: 7 additions & 26 deletions config/development.json
Expand Up @@ -3,17 +3,16 @@
"google_analytics_id": false,
"helmet": {
"directives": {
"childSrc": "'self' 3speak.online emb.d.tube player.twitch.tv www.youtube.com staticxx.facebook.com w.soundcloud.com player.vimeo.com",
"connectSrc": "https://steemitimages.com securepubads.g.doubleclick.net 'self' steemit.com https://api.steemit.com www.googletagmanager.com www.google-analytics.com pagead2.googlesyndication.com googleads.g.doubleclick.net",
"defaultSrc": "tpc.googlesyndication.com 'self' img.3speakcontent.online emb.d.tube www.youtube.com staticxx.facebook.com player.vimeo.com *.streamrail.com",
"fontSrc": "data: fonts.gstatic.com steemitdev.com steemit.com steemitwallet.com",
"childSrc": "'self' 3speak.online emb.d.tube player.twitch.tv www.youtube.com staticxx.facebook.com w.soundcloud.com player.vimeo.com *.tronads.io",
"defaultSrc": "'self' img.3speakcontent.online emb.d.tube www.youtube.com staticxx.facebook.com player.vimeo.com *.streamrail.com",
"connectSrc": "'self' https://steemitimages.com https://api.steemit.com https://api.steemitdev.com api.trongrid.io www.googletagmanager.com www.google-analytics.com pagead2.googlesyndication.com googleads.g.doubleclick.net securepubads.g.doubleclick.net",
"fontSrc": "'self' data: fonts.gstatic.com steemitdev.com steemit.com steemitwallet.com",
"frameAncestors": "'none'",
"frameSrc": "'self' googleads.g.doubleclick.net https:",
"imgSrc": "* data:",
"objectSrc": "'none'",
"pluginTypes": "application/pdf",
"scriptSrc": "'unsafe-inline' 'unsafe-eval' data: https: 'self' www.google-analytics.com connect.facebook.net cdn.catchjs.com",
"styleSrc": "'self' 'unsafe-inline' fonts.googleapis.com",
"objectSrc": "'self' application/pdf",
"scriptSrc": "'self' www.google-analytics.com www.googletagmanager.com connect.facebook.net *.tronads.io",
"styleSrc": "'self' fonts.googleapis.com",
"reportUri": "/api/v1/csp_violation"
},
"reportOnly": false,
Expand Down Expand Up @@ -52,24 +51,6 @@
"https://api.steem.buzz",
"https://api.futureshock.world",
"https://api.worldofxpilar.com"
// "https://api.pennsif.net",
// "https://api.upvu.org",
// "https://api.supporter.dev",
// "https://steemyy.com/node/",
// "https://api.dlike.io",
// "https://api.steem-fanbase.com",
// "https://fullsteem.3dkrender.com",
// "https://api.steemzzang.com",
// "https://api.symbionts.io",
// "https://steemd.steemworld.org",
// "https://api.steememory.com",
// "https://api.cotina.org",
// "https://steemapi.3dkrender.com",
// "https://api.protoss20.com",
// "https://rpc.amarbangla.net",
// "https://steem.senior.workers.dev",
// "https://api.campingclub.me",
// "https://api.blokfield.io"
],
"steemd_use_appbase": false,
"chain_id": "0000000000000000000000000000000000000000000000000000000000000000",
15 changes: 7 additions & 8 deletions config/production.json
Expand Up @@ -3,17 +3,16 @@
"google_analytics_id": false,
"helmet": {
"directives": {
"childSrc": "'self' 3speak.online emb.d.tube player.twitch.tv www.youtube.com staticxx.facebook.com w.soundcloud.com player.vimeo.com",
"connectSrc": "https://steemitimages.com securepubads.g.doubleclick.net 'self' steemit.com https://api.steemit.com www.googletagmanager.com www.google-analytics.com pagead2.googlesyndication.com googleads.g.doubleclick.net",
"defaultSrc": "tpc.googlesyndication.com 'self' img.3speakcontent.online emb.d.tube www.youtube.com staticxx.facebook.com player.vimeo.com *.streamrail.com",
"fontSrc": "data: fonts.gstatic.com steemitdev.com steemit.com steemitwallet.com",
"childSrc": "'self' 3speak.online emb.d.tube player.twitch.tv www.youtube.com staticxx.facebook.com w.soundcloud.com player.vimeo.com *.tronads.io",
"defaultSrc": "'self' img.3speakcontent.online emb.d.tube www.youtube.com staticxx.facebook.com player.vimeo.com *.streamrail.com",
"connectSrc": "'self' https://steemitimages.com https://api.steemit.com https://api.steemitdev.com api.trongrid.io www.googletagmanager.com www.google-analytics.com pagead2.googlesyndication.com googleads.g.doubleclick.net securepubads.g.doubleclick.net",
"fontSrc": "'self' data: fonts.gstatic.com steemitdev.com steemit.com steemitwallet.com",
"frameAncestors": "'none'",
"frameSrc": "'self' googleads.g.doubleclick.net https:",
"imgSrc": "* data:",
"objectSrc": "'none'",
"pluginTypes": "application/pdf",
"scriptSrc": "'unsafe-inline' 'unsafe-eval' data: https: 'self' www.google-analytics.com connect.facebook.net cdn.catchjs.com",
"styleSrc": "'self' 'unsafe-inline' fonts.googleapis.com",
"objectSrc": "'self' application/pdf",
"scriptSrc": "'self' www.google-analytics.com www.googletagmanager.com connect.facebook.net *.tronads.io",
"styleSrc": "'self' fonts.googleapis.com",
"reportUri": "/api/v1/csp_violation"
},
"reportOnly": false,
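Review bot: The production `connectSrc` now allows `https://api.steemitdev.com` next to the production API; if that endpoint is only needed during development, listing it in the production policy widens connect-src for no production benefit and is worth confirming before merge. Since this hunk also drops `'unsafe-inline'` and `'unsafe-eval'` from `scriptSrc` and `'unsafe-inline'` from `styleSrc` while `reportOnly` stays `false`, any remaining inline script or style without a nonce will be blocked in production on deploy; staging the new directives with `"reportOnly": true` first and watching the existing `/api/v1/csp_violation` endpoint would surface those breakages without user impact.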
1 change: 0 additions & 1 deletion src/app/components/all.scss
Expand Up @@ -43,7 +43,6 @@
@import './elements/Dropdown';
@import './elements/Notices';
@import './elements/GoogleAd';
@import './elements/GptAd';
@import './elements/PostCategoryBanner';
@import './elements/FlagButton';
@import './elements/VideoAd';
9 changes: 1 addition & 8 deletions src/app/components/cards/PostsList.jsx
Expand Up @@ -11,7 +11,6 @@ import LoadingIndicator from 'app/components/elements/LoadingIndicator';
import debounce from 'lodash.debounce';
import { findParent } from 'app/utils/DomUtils';
import Icon from 'app/components/elements/Icon';
import GptAd from 'app/components/elements/GptAd';
import VideoAd from 'app/components/elements/VideoAd';
import SearchUserList from 'app/components/cards/SearchUserList';
import shouldComponentUpdate from 'app/utils/shouldComponentUpdate';
Expand Down Expand Up @@ -165,13 +164,7 @@ class PostsList extends React.Component {
<div
key={`ad-${i}`}
className="articles__content-block--ad"
>
<GptAd
tags={[category]}
type="Freestar"
id="bsa-zone_1566495089502-1_123456"
/>
</div>
/>
);
}
return summary;
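Review bot: With the GptAd child removed, the loop still pushes an empty `<div key={...} className="articles__content-block--ad" />` into `summary` at every ad position, so the list now renders blank blocks where ads used to appear. Drop the whole branch that pushes this element unless the `articles__content-block--ad` CSS is intentionally kept as a spacer; if it is, a short comment saying so would stop the next reader from treating it as leftover. The enclosing method starts outside the hunk.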
20 changes: 0 additions & 20 deletions src/app/components/modules/Header/index.jsx
Expand Up @@ -26,7 +26,6 @@ import Userpic from 'app/components/elements/Userpic';
import { SIGNUP_URL } from 'shared/constants';
import SteemLogo from 'app/components/elements/SteemLogo';
import Announcement from 'app/components/elements/Announcement';
import GptAd from 'app/components/elements/GptAd';
import { Map } from 'immutable';
import ReactMutationObserver from '../../utils/ReactMutationObserver';
import LoadingIndicator from 'app/components/elements/LoadingIndicator';
Expand All @@ -48,7 +47,6 @@ class Header extends React.Component {
super(props);

this.state = {
gptAdRendered: false,
showAd: false,
showAnnouncement: this.props.showAnnouncement,
};
Expand All @@ -68,20 +66,16 @@ class Header extends React.Component {

componentDidMount() {
if (
!this.props.gptEnabled ||
!process.env.BROWSER ||
!window.googletag ||
!window.googletag.pubads
) {
return null;
}

window.addEventListener('gptadshown', e => this.gptAdRendered(e));
}

componentWillUnmount() {
if (
!this.props.gptEnabled ||
!process.env.BROWSER ||
!window.googletag ||
!window.googletag.pubads
Expand Down Expand Up @@ -129,10 +123,6 @@ class Header extends React.Component {
this.setState({ showAd: true });
}

gptAdRendered() {
this.setState({ showAd: true, gptAdRendered: true });
}

hideAnnouncement() {
this.setState({ showAnnouncement: false });
this.props.hideAnnouncement();
Expand Down Expand Up @@ -318,10 +308,8 @@ class Header extends React.Component {
value: tt('g.logout'),
},
];
showAd = false; // TODO: fix header ad overlap bug
const headerMutated = (mutation, discconnectObserver) => {
if (mutation.target.id.indexOf('google_ads_iframe_') !== -1) {
this.gptAdRendered();
if (typeof discconnectObserver === 'function') {
discconnectObserver();
}
Expand All @@ -345,14 +333,6 @@ class Header extends React.Component {
any time.
</div>*/}
{/* If announcement is shown, ad will not render unless it's in a parent div! */}
<div style={showAd ? {} : { display: 'none' }}>
<GptAd
tags={gptTags}
type="Freestar"
id="bsa-zone_1566493796250-1_123456"
/>
</div>

<nav className="row Header__nav">
<div className="small-6 medium-4 large-4 columns Header__logotype">
<Link to={logo_link}>
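Review bot: `componentDidMount` is now an empty guard — after the `gptadshown` listener is removed, its body only checks `process.env.BROWSER` and `window.googletag` and returns — while `componentWillUnmount` in the next hunk still early-returns on `!this.props.gptEnabled`, a value this commit stops passing from src/server/app_render.jsx; if nothing else supplies that prop, the check is now always true and whatever follows it (outside the hunk) never runs. Either remove both lifecycle methods with their googletag checks, or apply the same change to both so the guards stay consistent. In the later hunk, `headerMutated` no longer does anything on a matched `google_ads_iframe_` node except disconnect the observer, and `showAd = false; // TODO: fix header ad overlap bug` now only guards an element that was deleted, so the observer and that line can likely go as well; the class body continues outside these hunks.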
29 changes: 0 additions & 29 deletions src/app/components/pages/Post.jsx
Expand Up @@ -14,7 +14,6 @@ import tt from 'counterpart';
import { serverApiRecordEvent } from 'app/utils/ServerApiClient';
import { INVEST_TOKEN_UPPERCASE } from 'app/client_config';
import { SIGNUP_URL } from 'shared/constants';
import GptAd from 'app/components/elements/GptAd';
import { isLoggedIn } from 'app/utils/UserUtil';
import { recordAdsView } from 'app/utils/ServerApiClient';
import SteemMarket from 'app/components/elements/SteemMarket';
Expand Down Expand Up @@ -251,16 +250,6 @@ class Post extends React.Component {
showNegativeComments={showNegativeComments}
onHide={this.onHideComment}
/>

{this.props.gptEnabled && showAd ? (
<div className="Post_footer__ad">
<GptAd
tags={gptTags}
type="Freestar"
id="bsa-zone_1566494240874-7_123456"
/>
</div>
) : null}
</div>
);
});
Expand Down Expand Up @@ -415,15 +404,6 @@ class Post extends React.Component {
</div>
</div>
)}
{this.props.gptEnabled && commentCount >= 5 ? (
<div className="Post_footer__ad">
<GptAd
tags={gptTags}
type="Freestar"
id="bsa-zone_1566494147292-7_123456"
/>
</div>
) : null}
<div id="#comments" className="Post_comments row hfeed">
<div className="column large-12">
<div className="Post_comments__content">
Expand Down Expand Up @@ -461,15 +441,6 @@ class Post extends React.Component {
</div>
</div>
</div>
{this.props.gptEnabled ? (
<div className="Post_footer__ad">
<GptAd
tags={gptTags}
type="Freestar"
id="bsa-zone_1566494371533-0_123456"
/>
</div>
) : null}
</div>
<div className="c-sidebr-market">
{isBrowser && !uname && <SidebarNewUsers />}
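Review bot: With the four ad blocks removed, the `gptTags`, `showAd` and `this.props.gptEnabled` inputs they consumed are no longer referenced anywhere in the visible hunks; if their definitions earlier in `render` and the `gptEnabled` entry in this component's state mapping are now unused, remove them so the dead ad wiring does not linger, and the same check applies to `enableAds` in src/app/components/pages/PostsIndexLayout.jsx and to the `recordAdsView` import kept in this file. The render method starts and ends outside these hunks, so this is inferred from the removed lines rather than confirmed.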
28 changes: 0 additions & 28 deletions src/app/components/pages/PostsIndexLayout.jsx
Expand Up @@ -8,7 +8,6 @@ import SidebarLinks from 'app/components/elements/SidebarLinks';
import SidebarNewUsers from 'app/components/elements/SidebarNewUsers';
import Notices from 'app/components/elements/Notices';
import SteemMarket from 'app/components/elements/SteemMarket';
import GptAd from 'app/components/elements/GptAd';
import Topics from './Topics';
import Announcement from './Announcement';
import CommunityPane from 'app/components/elements/CommunityPane';
Expand Down Expand Up @@ -104,14 +103,6 @@ class PostsIndexLayout extends React.Component {
: 'CoinMarketPlaceIndex'
}`}
/>
{enableAds && (
<div className="sidebar-ad">
<GptAd
type="Freestar"
id="bsa-zone_1566495004689-0_123456"
/>
</div>
)}
</aside>

<aside className="c-sidebar c-sidebar--left">
Expand Down Expand Up @@ -142,25 +133,6 @@ class PostsIndexLayout extends React.Component {
ratioClass={'ratio-1-1'}
/>
)}
{enableAds && (
<div>
<div className="sidebar-ad">
<GptAd
type="Freestar"
slotName="bsa-zone_1566494461953-7_123456"
/>
</div>
<div
className="sidebar-ad"
style={{ marginTop: 20 }}
>
<GptAd
type="Freestar"
slotName="bsa-zone_1566494856923-9_123456"
/>
</div>
</div>
)}
</aside>
</div>
);
10 changes: 2 additions & 8 deletions src/server/app_render.jsx
Expand Up @@ -156,14 +156,8 @@ async function appRender(ctx, locales = false, resolvedAssets = false) {
assets,
title,
meta,
shouldSeeAds: googleAds.enabled,
gptEnabled: googleAds.gptEnabled,
adClient: googleAds.client,
videoAdsEnabled: googleAds.videoAdsEnabled,
gptBidding: googleAds.gptBidding,
shouldSeeCookieConsent: cookieConsent.enabled,
cookieConsentApiKey: cookieConsent.api_key,
googleAnalyticsId: config.google_analytics_id,
google_analytics_id: config.google_analytics_id,
csp_nonce: ctx.session.cspNonce,
};
ctx.status = statusCode;
ctx.body =
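Review bot: `csp_nonce: ctx.session.cspNonce` reads the nonce from the session, so the same value is reused for every response in that session; a CSP nonce only provides its guarantee when it is unpredictable and freshly generated per response, so it should be created per request (for example from `crypto.randomBytes`) and the same value fed both to the helmet `scriptSrc` directive and to this template field. Where it is generated and whether the emitted header actually carries a `'nonce-…'` token is outside this hunk, and the config files in this commit show no nonce source, so confirm the middleware adds it rather than relying on the value only appearing in the markup. `googleAnalyticsId` is also renamed to `google_analytics_id` here; any template still reading the camelCase key will now receive undefined. The enclosing `appRender` continues outside the hunk.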
