overleaf/services/web/app/src/infrastructure/CSP.js

const crypto = require('crypto')
const path = require('path')

module.exports = function ({
  reportUri,
  reportPercentage,
  reportOnly = false,
  exclude = [],
  percentage
}) {
  return function (req, res, next) {
    const originalRender = res.render

    res.render = (...args) => {
      const view = relativeViewPath(args[0])

      // enable the CSP header for a percentage of requests
      const belowCutoff = Math.random() * 100 <= percentage

      if (belowCutoff && !exclude.includes(view)) {
        res.locals.cspEnabled = true

        const scriptNonce = crypto.randomBytes(16).toString('base64')

        res.locals.scriptNonce = scriptNonce

        const directives = [
          `script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`,
          `object-src 'none'`,
          `base-uri 'none'`
        ]

        // enable the report URI for a percentage of CSP-enabled requests
        const belowReportCutoff = Math.random() * 100 <= reportPercentage

        if (reportUri && belowReportCutoff) {
          directives.push(`report-uri ${reportUri}`)
          // NOTE: implement report-to once it's more widely supported
        }

        const policy = directives.join('; ')

        // Note: https://csp-evaluator.withgoogle.com/ is useful for checking the policy

        const header = reportOnly
          ? 'Content-Security-Policy-Report-Only'
          : 'Content-Security-Policy'

        res.set(header, policy)
      }

      originalRender.apply(res, args)
    }

    next()
  }
}

const webRoot = path.resolve(__dirname, '..', '..', '..')

// build the view path relative to the web root
function relativeViewPath(view) {
  return path.isAbsolute(view)
    ? path.relative(webRoot, view)
    : path.join('app', 'views', view)
}
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00			`const crypto = require('crypto')`
Use the full (relative) view path for CSP exclusion (#3916) GitOrigin-RevId: f6828a447abcc550f0c7dfd0fc6fc72f4b5b1f7e 2021-04-16 05:38:12 -04:00			`const path = require('path')`
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00
Merge pull request #3495 from overleaf/ae-prettier-2 Upgrade Prettier to v2 GitOrigin-RevId: 85aa3fa1acb6332c4f58c46165a43d1a51471f33 2021-04-14 09:17:21 -04:00			`module.exports = function ({`
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00			`reportUri,`
Merge pull request #3933 from overleaf/ae-csp-report-percentage Add CSP_REPORT_PERCENTAGE GitOrigin-RevId: 4afde0da6e3660c83df8c5c9cd31a3f246e9e572 2021-04-21 08:48:25 -04:00			`reportPercentage,`
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00			`reportOnly = false,`
			`exclude = [],`
			`percentage`
			`}) {`
Merge pull request #3495 from overleaf/ae-prettier-2 Upgrade Prettier to v2 GitOrigin-RevId: 85aa3fa1acb6332c4f58c46165a43d1a51471f33 2021-04-14 09:17:21 -04:00			`return function (req, res, next) {`
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00			`const originalRender = res.render`

			`res.render = (...args) => {`
Use the full (relative) view path for CSP exclusion (#3916) GitOrigin-RevId: f6828a447abcc550f0c7dfd0fc6fc72f4b5b1f7e 2021-04-16 05:38:12 -04:00			`const view = relativeViewPath(args[0])`
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00
			`// enable the CSP header for a percentage of requests`
			`const belowCutoff = Math.random() * 100 <= percentage`

			`if (belowCutoff && !exclude.includes(view)) {`
			`res.locals.cspEnabled = true`

			`const scriptNonce = crypto.randomBytes(16).toString('base64')`

			`res.locals.scriptNonce = scriptNonce`

			`const directives = [`
Merge pull request #3899 from overleaf/ae-csp-report-sample Add 'report-sample' to script-src CSP directive GitOrigin-RevId: 1a2c26339e7ef353a89fc264b0f186a1d313e1bc 2021-04-14 05:03:14 -04:00			`script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`,
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00			`object-src 'none'`,
			`base-uri 'none'`
			`]`

Merge pull request #3933 from overleaf/ae-csp-report-percentage Add CSP_REPORT_PERCENTAGE GitOrigin-RevId: 4afde0da6e3660c83df8c5c9cd31a3f246e9e572 2021-04-21 08:48:25 -04:00			`// enable the report URI for a percentage of CSP-enabled requests`
			`const belowReportCutoff = Math.random() * 100 <= reportPercentage`

			`if (reportUri && belowReportCutoff) {`
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00			directives.push(`report-uri ${reportUri}`)
			`// NOTE: implement report-to once it's more widely supported`
			`}`

			`const policy = directives.join('; ')`

			`// Note: https://csp-evaluator.withgoogle.com/ is useful for checking the policy`

			`const header = reportOnly`
			`? 'Content-Security-Policy-Report-Only'`
			`: 'Content-Security-Policy'`

			`res.set(header, policy)`
			`}`

			`originalRender.apply(res, args)`
			`}`

			`next()`
			`}`
			`}`
Use the full (relative) view path for CSP exclusion (#3916) GitOrigin-RevId: f6828a447abcc550f0c7dfd0fc6fc72f4b5b1f7e 2021-04-16 05:38:12 -04:00
			`const webRoot = path.resolve(__dirname, '..', '..', '..')`

			`// build the view path relative to the web root`
			`function relativeViewPath(view) {`
			`return path.isAbsolute(view)`
			`? path.relative(webRoot, view)`
			`: path.join('app', 'views', view)`
			`}`