From e81a547fbad2d743f0ba4871687025e4493dee1e Mon Sep 17 00:00:00 2001
From: Petr Pchelko
Date: Thu, 25 Jul 2019 10:02:37 -0700
Subject: [PATCH] Set proper CSP headers for mobile-html.
Bug: https://phabricator.wikimedia.org/T229016
Change-Id: I9dfd093e7f91d3dad8bdac63841d8b55e8a90aa1
---
 lib/security_response_header_filter.js | 15 +++++++++++++++
 v1/pcs/mobile-html.yaml | 2 ++
 2 files changed, 17 insertions(+)
diff --git a/lib/security_response_header_filter.js b/lib/security_response_header_filter.js
index cd157eb5d..7d6e378e7 100644
--- a/lib/security_response_header_filter.js
+++ b/lib/security_response_header_filter.js
@@ -3,6 +3,14 @@ const P = require('bluebird');
 const HTTPError = require('hyperswitch').HTTPError;
+const MOBILE_CSP = "default-src 'none'; " +
+ 'connect-src https://*.wikipedia.org; ' +
+ 'media-src *; ' +
+ 'img-src * data:; ' +
+ "script-src app://meta.wikimedia.org https://meta.wikimedia.org 'unsafe-inline'; " +
+ 'style-src app://meta.wikimedia.org https://meta.wikimedia.org ' +
+ "app://*.wikipedia.org https://*.wikipedia.org 'self' 'unsafe-inline'; " +
+ "frame-ancestors 'self'";
 /**
 * Filter adding security-relevant response headers like CSP.
 */
@@ -83,6 +91,13 @@ module.exports = function addCSPHeaders(hyper, req, next, options) {
 // XXX: Re-consider this policy
 if (rh['content-security-policy']) {
 csp = rh['content-security-policy'];
+ } else if (options.mobile) {
+ // TODO: This is a copy-paste from MCS. T229016
+ // In future we would want MCS to manage it's storage,
+ // but currently we can not store special CSP as changing them would require
+ // truncating all the stored content. So we have no option other then
+ // setting them explicitly in RESTBase code.
+ csp = MOBILE_CSP;
 } else {
 // Our main production clients will ignore CSP anyway (by loading via
 // XHR or fetch), so we need to sanitize our HTML assuming that no
diff --git a/v1/pcs/mobile-html.yaml b/v1/pcs/mobile-html.yaml
index d44404780..eb9ec7992 100644
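Review bot: The `script-src` directive of the new `MOBILE_CSP` constant carries `'unsafe-inline'`, so this policy does not stop inline script injected into stored mobile-html; it only pins external script origins to meta.wikimedia.org. The in-code comment says the value is copied from MCS, so it may be a deliberate requirement of the apps, but nothing in the hunk records why, and the next reader will read it as an oversight — I would add above the constant `// NOTE: 'unsafe-inline' in script-src is inherited from the MCS policy (T229016); confirm it is still needed and prefer nonces/hashes when MCS can emit them`. Separately, `base-uri` and `form-action` do not fall back to `default-src`, so `default-src 'none'` leaves `<base>` injection and form targets unrestricted here; appending `"; base-uri 'none'"` to the last fragment is cheap if the apps never rely on a base element (to be confirmed). Minor style point: the policy is assembled from mixed single- and double-quoted fragments joined with `+`, which makes the directive boundaries hard to audit; an array of one directive per element joined with `'; '` reads more clearly.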
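Review bot: The new `else if (options.mobile)` branch dereferences `options` unconditionally; if this filter can be attached to a route that has no `options:` block (so `options` arrives undefined), the first request on such a route would throw a TypeError instead of falling through to the default policy. If that case is reachable, `} else if (options && options.mobile) {` keeps the existing behaviour for those routes at no cost. Note also that the stored `rh['content-security-policy']` still wins over `MOBILE_CSP`, so a mobile-html response that already carries a CSP header from storage keeps that header rather than the new policy — presumably intended given the comment about not being able to re-store content, but worth stating explicitly in the added comment. Two typos in that comment: `it's` should be `its` and `other then` should be `other than`. The enclosing `addCSPHeaders` function starts and ends outside this hunk.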
--- a/v1/pcs/mobile-html.yaml
+++ b/v1/pcs/mobile-html.yaml
@@ -17,6 +17,8 @@ paths:
 options:
 redirect_cache_control: '{{options.response_cache_control}}'
 - path: lib/security_response_header_filter.js
+ options:
+ mobile: true
 get: &mobile-html_title_revision_get_spec
 tags:
 - Page content
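Review bot: The added `options:` / `mobile: true` keys only reach the filter if `options:` is indented to sit alongside `path:` inside the same `- path: lib/security_response_header_filter.js` list item; indentation is not recoverable from this rendering of the hunk, so please verify it is not attached to the preceding `redirect_cache_control` block or to the route level instead. Because this flag swaps the CSP for every response on the route, a short comment next to it such as `# mobile: true selects the MCS-derived mobile CSP (T229016)` would help whoever copies this filter entry to another PCS endpoint.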