Merge pull request #282 from HumanBrainProject/feat/csp

Introduce Content-Security-Policy to IAV

Merge pull request #282 from HumanBrainProject/feat/csp
Introduce Content-Security-Policy to IAV
5ab8cc62 · xgui3783 · GitHub · b5bb3022 · 0c104e45 · 5ab8cc62
Unverified Commit 5ab8cc62 authored 5 years ago by xgui3783 Committed by GitHub 5 years ago
--- a/deploy/app.js
+++ b/deploy/app.js
@@ -49,6 +49,11 @@ app.use(session({
  store
 }))

+/**
+ * configure CSP
+ */
+require('./csp')(app)
+
 /**
 * configure Auth
 * async function, but can start server without

--- a/deploy/csp/index.js
+++ b/deploy/csp/index.js
+const csp = require('helmet-csp')
+const bodyParser = require('body-parser')
+
+let ALLOWED_DEFAULT_SRC, DATA_SRC
+
+try {
+  ALLOWED_DEFAULT_SRC = JSON.parse(process.env.ALLOWED_DEFAULT_SRC || '[]')
+} catch (e) {
+  console.warn(`parsing ALLOWED_DEFAULT_SRC error ${process.env.ALLOWED_DEFAULT_SRC}`, e)
+  ALLOWED_DEFAULT_SRC = []
+}
+
+try {
+  DATA_SRC = JSON.parse(process.env.DATA_SRC || '[]')
+} catch (e) {
+  console.warn(`parsing DATA_SRC error ${process.env.DATA_SRC}`, e)
+  DATA_SRC = []
+}
+
+const defaultAllowedSites = [
+  "'self'",
+  '*.apps.hbp.eu',
+  '*.apps-dev.hbp.eu'
+]
+
+const dataSource = [
+  "'self'",
+  '*.humanbrainproject.org',
+  '*.humanbrainproject.eu',
+  '*.fz-juelich.de',
+  ...DATA_SRC
+]
+
+module.exports = (app) => {
+  app.use(csp({
+    directives: {
+      defaultSrc: [
+        ...defaultAllowedSites
+      ],
+      styleSrc: [
+        ...defaultAllowedSites,
+        '*.bootstrapcdn.com',
+        '*.fontawesome.com',
+        "'unsafe-inline'" // required for angular [style.xxx] bindings
+      ],
+      fontSrc: [ '*.fontawesome.com' ],
+      connectSrc: [
+        ...defaultAllowedSites,
+        ...dataSource
+      ],
+      scriptSrc:[
+        "'self'",
+        '*.apps.hbp.eu',
+        '*.apps-dev.hbp.eu',
+        '*.jquery.com',
+        '*.cloudflare.com',
+        'unpkg.com',
+        '*.unpkg.com',
+        '*.jsdelivr.net',
+        ...ALLOWED_DEFAULT_SRC
+      ],
+      reportUri: '/report-violation'
+    },
+    reportOnly: true
+  }))
+
+  app.post('/report-violation', bodyParser.json({
+    type: ['json', 'application/csp-report']
+  }), (req, res) => {
+    if (req.body) {
+      console.warn(`CSP Violation: `, req.body)
+    } else {
+      console.warn(`CSP Violation: no data received!`)
+    }
+    res.status(204).end()
+  })
+}
\ No newline at end of file
--- a/deploy/package.json
+++ b/deploy/package.json
@@ -17,6 +17,7 @@
    "body-parser": "^1.19.0",
    "express": "^4.16.4",
    "express-session": "^1.15.6",
+    "helmet-csp": "^2.8.0",
    "jszip": "^3.2.1",
    "jwt-decode": "^2.2.0",
    "memorystore": "^1.6.1",

--- a/src/index.html
+++ b/src/index.html
@@ -14,41 +14,14 @@
 </head>
 <body>
  <atlas-viewer>
-    <h1 style = "text-align:center;">
-      <span class = "homeAnimationDots loadingAnimationDots">&bull;</span>
-      <span class = "homeAnimationDots loadingAnimationDots">&bull;</span>
-      <span class = "homeAnimationDots loadingAnimationDots">&bull;</span>
+    <h1 class="text-center">
+      <span class="homeAnimationDots loadingAnimationDots">&bull;</span>
+      <span class="homeAnimationDots loadingAnimationDots">&bull;</span>
+      <span class="homeAnimationDots loadingAnimationDots">&bull;</span>
    </h1>
  </atlas-viewer>
-  <script>
-    /**
-     * Catching Safari 10 bug:
-     * 
-     * https://bugs.webkit.org/show_bug.cgi?id=171041
-     * 
-     */
-    try{
-      eval('(()=>{\
-              let e = e => {\
-                console.log(e);\
-                for(let e of [1,2,3]){\
-                  console.log(e);\
-                }\
-              }\
-          })()')
-    }catch(e){
-      console.log(e)
-      const warning = 'Your browser cannot display the interactive viewer. Please use either Chrome >= 56 and/or Firefox >= 51'
-      console.log(warning)
-      const warningEl = document.createElement('h4')
-      warningEl.innerHTML = warning
-      const el = document.getElementsByTagName('atlas-viewer')
-      if(el.length > 0){
-        document.body.removeChild(el[0])
-      }
-      document.body.appendChild(warningEl)
-    }

+  <script src="testSafari.js">
  </script>
 </body>
 </html>
--- a/src/main-aot.ts
+++ b/src/main-aot.ts
 import 'zone.js'

+import 'third_party/testSafari.js'
+
 import { platformBrowserDynamic } from '@angular/platform-browser-dynamic'
 import { MainModule } from './main.module';
 import { enableProdMode } from '@angular/core';

--- a/src/main.ts
+++ b/src/main.ts
 import 'zone.js'
 import 'reflect-metadata'
+
+import 'third_party/testSafari.js'
+
 import { platformBrowserDynamic } from '@angular/platform-browser-dynamic'
 import { MainModule } from './main.module';


--- a/third_party/testSafari.js
+++ b/third_party/testSafari.js
+
+/**
+* Catching Safari 10 bug:
+* 
+* https://bugs.webkit.org/show_bug.cgi?id=171041
+* 
+*/
+
+(function(){
+  try{
+    eval('(()=>{\
+            let e = e => {\
+              console.log(e);\
+              for(let e of [1,2,3]){\
+                console.log(e);\
+              }\
+            }\
+        })()')
+  } catch (e) {
+    console.log(e)
+    const warning = 'Your browser cannot display the interactive viewer. Please use either Chrome >= 56 and/or Firefox >= 51'
+    console.log(warning)
+    const warningEl = document.createElement('h4')
+    warningEl.innerHTML = warning
+    const el = document.getElementsByTagName('atlas-viewer')
+    if(el.length > 0){
+      document.body.removeChild(el[0])
+    }
+    document.body.appendChild(warningEl)
+  }
+})()
\ No newline at end of file
--- a/webpack.aot.js
+++ b/webpack.aot.js
@@ -19,7 +19,7 @@ module.exports = merge(staticAssets, {
  module: {
    rules: [
      {
-        test : /export_nehuba.*?\.js$|worker\.js/,
+        test : /third_party.*?\.js$|worker\.js/,
        use : {
          loader : 'file-loader',
          options: {
@@ -30,7 +30,7 @@ module.exports = merge(staticAssets, {
      {
        test: /(?:\.ngfactory\.js|\.ngstyle\.js|\.ts)$/,
        loader: '@ngtools/webpack',
-        exclude : /export_nehuba|plugin_example/
+        exclude : /third_party|plugin_example/
      },
      {
        test : /\.(html|css)$/,

--- a/webpack.common.js
+++ b/webpack.common.js
@@ -10,7 +10,7 @@ module.exports = {
        exclude : /node_modules|[Ss]pec\.ts$/
      },
      {
-        test : /export_nehuba|.*?worker.*?\.js$/,
+        test : /third_party|.*?worker.*?\.js$/,
        use : {
          loader : 'file-loader',
          options: {

--- a/webpack.export.aot.js
+++ b/webpack.export.aot.js
@@ -18,7 +18,7 @@ module.exports = {
        test: /(?:\.ngfactory\.js|\.ngstyle\.js|\.ts)$/,
        // test : /\.ts$/,
        loader: '@ngtools/webpack',
-        exclude : /export_nehuba/
+        exclude : /third_party/
      },
      {
        test : /\.(html|css)$/,