diff --git a/deploy/app.js b/deploy/app.js
index 210e2ac9a32f39229d1f377025c8a1373760603a..454cb475b06ea437929fe59f6e75e504d639ac93 100644
--- a/deploy/app.js
+++ b/deploy/app.js
@@ -49,6 +49,11 @@ app.use(session({
   store
 }))
 
+/**
+ * configure CSP
+ */
+require('./csp')(app)
+
 /**
  * configure Auth
  * async function, but can start server without
diff --git a/deploy/csp/index.js b/deploy/csp/index.js
new file mode 100644
index 0000000000000000000000000000000000000000..63aec6df1a72b80f4810a8d9c22b2e7a0798951c
--- /dev/null
+++ b/deploy/csp/index.js
@@ -0,0 +1,77 @@
+const csp = require('helmet-csp')
+const bodyParser = require('body-parser')
+
+let ALLOWED_DEFAULT_SRC, DATA_SRC
+
+try {
+  ALLOWED_DEFAULT_SRC = JSON.parse(process.env.ALLOWED_DEFAULT_SRC || '[]')
+} catch (e) {
+  console.warn(`parsing ALLOWED_DEFAULT_SRC error ${process.env.ALLOWED_DEFAULT_SRC}`, e)
+  ALLOWED_DEFAULT_SRC = []
+}
+
+try {
+  DATA_SRC = JSON.parse(process.env.DATA_SRC || '[]')
+} catch (e) {
+  console.warn(`parsing DATA_SRC error ${process.env.DATA_SRC}`, e)
+  DATA_SRC = []
+}
+
+const defaultAllowedSites = [
+  "'self'",
+  '*.apps.hbp.eu',
+  '*.apps-dev.hbp.eu'
+]
+
+const dataSource = [
+  "'self'",
+  '*.humanbrainproject.org',
+  '*.humanbrainproject.eu',
+  '*.fz-juelich.de',
+  ...DATA_SRC
+]
+
+module.exports = (app) => {
+  app.use(csp({
+    directives: {
+      defaultSrc: [
+        ...defaultAllowedSites
+      ],
+      styleSrc: [
+        ...defaultAllowedSites,
+        '*.bootstrapcdn.com',
+        '*.fontawesome.com',
+        "'unsafe-inline'" // required for angular [style.xxx] bindings
+      ],
+      fontSrc: [ '*.fontawesome.com' ],
+      connectSrc: [
+        ...defaultAllowedSites,
+        ...dataSource
+      ],
+      scriptSrc:[
+        "'self'",
+        '*.apps.hbp.eu',
+        '*.apps-dev.hbp.eu',
+        '*.jquery.com',
+        '*.cloudflare.com',
+        'unpkg.com',
+        '*.unpkg.com',
+        '*.jsdelivr.net',
+        ...ALLOWED_DEFAULT_SRC
+      ],
+      reportUri: '/report-violation'
+    },
+    reportOnly: true
+  }))
+
+  app.post('/report-violation', bodyParser.json({
+    type: ['json', 'application/csp-report']
+  }), (req, res) => {
+    if (req.body) {
+      console.warn(`CSP Violation: `, req.body)
+    } else {
+      console.warn(`CSP Violation: no data received!`)
+    }
+    res.status(204).end()
+  })
+}
\ No newline at end of file
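Review bot: The `scriptSrc` list allows whole CDN hosts (`*.cloudflare.com`, `unpkg.com`, `*.unpkg.com`, `*.jsdelivr.net`) that serve any npm package, so an injected `<script src>` can load a known CSP-bypass library from an allowed origin; narrow each entry to the exact path in use (e.g. `https://cdnjs.cloudflare.com/ajax/libs/jquery/`) or move to nonces/hashes. The env-derived lists are also spread without a shape check: `JSON.parse('"x"')` or `JSON.parse('{}')` survive the try/catch, and the spread then yields single characters or throws a TypeError at startup — add `if (!Array.isArray(ALLOWED_DEFAULT_SRC)) ALLOWED_DEFAULT_SRC = []` (and the same for `DATA_SRC`) after each parse, and note that `ALLOWED_DEFAULT_SRC` actually feeds `scriptSrc`, not `defaultSrc`, so the name misleads operators. With `reportOnly: true` the header emitted is `Content-Security-Policy-Report-Only` and nothing is enforced, which deserves a comment or an env switch so the flag is not forgotten. Finally `objectSrc`, `baseUri` and `frameAncestors` are unset, so `object-src` falls back to `default-src` (which includes two wildcard hosts); `objectSrc: ["'none'"], baseUri: ["'self'"]` is the usual minimum.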
diff --git a/deploy/package.json b/deploy/package.json
index a1d2f4121597df333198cedf3a0be87749356fa2..2d33823ef6a544b335a6a6edfc2096456b09419c 100644
--- a/deploy/package.json
+++ b/deploy/package.json
@@ -17,6 +17,7 @@
     "body-parser": "^1.19.0",
     "express": "^4.16.4",
     "express-session": "^1.15.6",
+    "helmet-csp": "^2.8.0",
     "jszip": "^3.2.1",
     "jwt-decode": "^2.2.0",
     "memorystore": "^1.6.1",
diff --git a/src/index.html b/src/index.html
index e8c99ff3b3da1efe140cddeb3466f0de7ba47c1f..c0c9c594f700b0fe55a83c70d2834370852d40cf 100644
--- a/src/index.html
+++ b/src/index.html
@@ -14,41 +14,14 @@
 </head>
 <body>
   <atlas-viewer>
-    <h1 style = "text-align:center;">
-      <span class = "homeAnimationDots loadingAnimationDots">&bull;</span>
-      <span class = "homeAnimationDots loadingAnimationDots">&bull;</span>
-      <span class = "homeAnimationDots loadingAnimationDots">&bull;</span>
+    <h1 class="text-center">
+      <span class="homeAnimationDots loadingAnimationDots">&bull;</span>
+      <span class="homeAnimationDots loadingAnimationDots">&bull;</span>
+      <span class="homeAnimationDots loadingAnimationDots">&bull;</span>
     </h1>
   </atlas-viewer>
-  <script>
-    /**
-     * Catching Safari 10 bug:
-     * 
-     * https://bugs.webkit.org/show_bug.cgi?id=171041
-     * 
-     */
-    try{
-      eval('(()=>{\
-              let e = e => {\
-                console.log(e);\
-                for(let e of [1,2,3]){\
-                  console.log(e);\
-                }\
-              }\
-          })()')
-    }catch(e){
-      console.log(e)
-      const warning = 'Your browser cannot display the interactive viewer. Please use either Chrome >= 56 and/or Firefox >= 51'
-      console.log(warning)
-      const warningEl = document.createElement('h4')
-      warningEl.innerHTML = warning
-      const el = document.getElementsByTagName('atlas-viewer')
-      if(el.length > 0){
-        document.body.removeChild(el[0])
-      }
-      document.body.appendChild(warningEl)
-    }
 
+  <script src="testSafari.js">
   </script>
 </body>
 </html>
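Review bot: The new `<script src="testSafari.js">` tag hardcodes an output name, but the `file-loader` options that decide what the imported `third_party/testSafari.js` is emitted as lie outside this diff (each webpack hunk stops at `options: {`); if the emitted name differs or carries a hash, this is a silent 404 and the Safari check never runs, with no fallback. Confirm the loader emits exactly `testSafari.js` (e.g. `name: '[name].[ext]'`), or reference the URL webpack produces instead of a literal path.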
diff --git a/src/main-aot.ts b/src/main-aot.ts
index 7c25c3f1aa849b9ea8265c99ffce474f78142635..d08b57c5c399ec7276603381e62b8d87034762ff 100644
--- a/src/main-aot.ts
+++ b/src/main-aot.ts
@@ -1,5 +1,7 @@
 import 'zone.js'
 
+import 'third_party/testSafari.js'
+
 import { platformBrowserDynamic } from '@angular/platform-browser-dynamic'
 import { MainModule } from './main.module';
 import { enableProdMode } from '@angular/core';
diff --git a/src/main.ts b/src/main.ts
index c1c1f32e340242fc556c097b7351f8b2cd28e277..039f4efc7e3c2cac31b7a009744fda7acdc7a660 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -1,5 +1,8 @@
 import 'zone.js'
 import 'reflect-metadata'
+
+import 'third_party/testSafari.js'
+
 import { platformBrowserDynamic } from '@angular/platform-browser-dynamic'
 import { MainModule } from './main.module';
 
diff --git a/third_party/testSafari.js b/third_party/testSafari.js
new file mode 100644
index 0000000000000000000000000000000000000000..b56fa557b4dabeba4f993200723d8bb5bb21673e
--- /dev/null
+++ b/third_party/testSafari.js
@@ -0,0 +1,31 @@
+
+/**
+* Catching Safari 10 bug:
+* 
+* https://bugs.webkit.org/show_bug.cgi?id=171041
+* 
+*/
+
+(function(){
+  try{
+    eval('(()=>{\
+            let e = e => {\
+              console.log(e);\
+              for(let e of [1,2,3]){\
+                console.log(e);\
+              }\
+            }\
+        })()')
+  } catch (e) {
+    console.log(e)
+    const warning = 'Your browser cannot display the interactive viewer. Please use either Chrome >= 56 and/or Firefox >= 51'
+    console.log(warning)
+    const warningEl = document.createElement('h4')
+    warningEl.innerHTML = warning
+    const el = document.getElementsByTagName('atlas-viewer')
+    if(el.length > 0){
+      document.body.removeChild(el[0])
+    }
+    document.body.appendChild(warningEl)
+  }
+})()
\ No newline at end of file
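Review bot: The `eval(...)` in the try block is exactly what the new CSP forbids — `script-src` has no `'unsafe-eval'`, so once `reportOnly` is switched off every browser throws an `EvalError` here, the catch branch runs, `<atlas-viewer>` is removed and all users see the "cannot display" message; in report-only mode it already emits a violation report on every page load. Distinguish the CSP rejection from the Safari 10 syntax bug, e.g. `if (e instanceof EvalError) return;` as the first line of the catch, or replace the eval with a feature test that does not need it. Also change `warningEl.innerHTML = warning` to `warningEl.textContent = warning`; the string is constant today, but keeping this file free of HTML sinks means a future edit cannot turn it into XSS.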
diff --git a/webpack.aot.js b/webpack.aot.js
index 0b8ac221109bc3d7a1868e4779576f6190b71b1c..8c815798d118033bf6a7662bbf4e32980cbd74d1 100644
--- a/webpack.aot.js
+++ b/webpack.aot.js
@@ -19,7 +19,7 @@ module.exports = merge(staticAssets, {
   module: {
     rules: [
       {
-        test : /export_nehuba.*?\.js$|worker\.js/,
+        test : /third_party.*?\.js$|worker\.js/,
         use : {
           loader : 'file-loader',
           options: {
@@ -30,7 +30,7 @@ module.exports = merge(staticAssets, {
       {
         test: /(?:\.ngfactory\.js|\.ngstyle\.js|\.ts)$/,
         loader: '@ngtools/webpack',
-        exclude : /export_nehuba|plugin_example/
+        exclude : /third_party|plugin_example/
       },
       {
         test : /\.(html|css)$/,
diff --git a/webpack.common.js b/webpack.common.js
index aafad55efaecb04b6f4684048c5fc6e91479d946..9f680d8ef445b10c2a672197ea510f1dba6033c8 100644
--- a/webpack.common.js
+++ b/webpack.common.js
@@ -10,7 +10,7 @@ module.exports = {
         exclude : /node_modules|[Ss]pec\.ts$/
       },
       {
-        test : /export_nehuba|.*?worker.*?\.js$/,
+        test : /third_party|.*?worker.*?\.js$/,
         use : {
           loader : 'file-loader',
           options: {
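Review bot: `test : /third_party|.*?worker.*?\.js$/` is unanchored, so the `file-loader` branch now matches any module whose path merely contains `third_party` — including files under `node_modules` from packages that ship a `third_party/` directory — and those would be emitted as raw files instead of being bundled. The previous `export_nehuba` was a project-specific name; a generic directory name should be anchored to a path segment at least: `test : /[\\/]third_party[\\/].*\.js$|.*?worker.*?\.js$/`. The same concern applies to `/third_party.*?\.js$|worker\.js/` and the `/third_party|plugin_example/` exclude in webpack.aot.js and to the exclude in webpack.export.aot.js. The loader `options` block that decides the emitted filename continues past the end of this hunk.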
diff --git a/webpack.export.aot.js b/webpack.export.aot.js
index 8421c23bfbf643fbf0926c5e4d6e689d0a984200..fda5c27b38cc2f8a9208ea0db0b72110359510ab 100644
--- a/webpack.export.aot.js
+++ b/webpack.export.aot.js
@@ -18,7 +18,7 @@ module.exports = {
         test: /(?:\.ngfactory\.js|\.ngstyle\.js|\.ts)$/,
         // test : /\.ts$/,
         loader: '@ngtools/webpack',
-        exclude : /export_nehuba/
+        exclude : /third_party/
       },
       {
         test : /\.(html|css)$/,