overleaf/services/web/app/src/infrastructure/CSP.js

const crypto = require('crypto')

module.exports = function({
  reportUri,
  reportOnly = false,
  exclude = [],
  percentage
}) {
  return function(req, res, next) {
    const originalRender = res.render

    res.render = (...args) => {
      // use the view path after removing any prefix up to a "views" folder
      const view = args[0].split('/views/').pop()

      // enable the CSP header for a percentage of requests
      const belowCutoff = Math.random() * 100 <= percentage

      if (belowCutoff && !exclude.includes(view)) {
        res.locals.cspEnabled = true

        const scriptNonce = crypto.randomBytes(16).toString('base64')

        res.locals.scriptNonce = scriptNonce

        const directives = [
          `script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`,
          `object-src 'none'`,
          `base-uri 'none'`
        ]

        if (reportUri) {
          directives.push(`report-uri ${reportUri}`)
          // NOTE: implement report-to once it's more widely supported
        }

        const policy = directives.join('; ')

        // Note: https://csp-evaluator.withgoogle.com/ is useful for checking the policy

        const header = reportOnly
          ? 'Content-Security-Policy-Report-Only'
          : 'Content-Security-Policy'

        res.set(header, policy)
      }

      originalRender.apply(res, args)
    }

    next()
  }
}
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00			`const crypto = require('crypto')`

			`module.exports = function({`
			`reportUri,`
			`reportOnly = false,`
			`exclude = [],`
			`percentage`
			`}) {`
			`return function(req, res, next) {`
			`const originalRender = res.render`

			`res.render = (...args) => {`
			`// use the view path after removing any prefix up to a "views" folder`
			`const view = args[0].split('/views/').pop()`

			`// enable the CSP header for a percentage of requests`
			`const belowCutoff = Math.random() * 100 <= percentage`

			`if (belowCutoff && !exclude.includes(view)) {`
			`res.locals.cspEnabled = true`

			`const scriptNonce = crypto.randomBytes(16).toString('base64')`

			`res.locals.scriptNonce = scriptNonce`

			`const directives = [`
Merge pull request #3899 from overleaf/ae-csp-report-sample Add 'report-sample' to script-src CSP directive GitOrigin-RevId: 1a2c26339e7ef353a89fc264b0f186a1d313e1bc 2021-04-14 05:03:14 -04:00			`script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`,
Add Content-Security-Policy header (#3783) * Add Content-Security-Policy header * Add nonce attribute to script tags * Use source-map for webpack devtool * Add ng-csp attribute when CSP is enabled * Allow overriding CSP settings with environment variables * Hook into render and allow routes to disable the CSP header GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30 2021-03-25 10:02:21 -04:00			`object-src 'none'`,
			`base-uri 'none'`
			`]`

			`if (reportUri) {`
			directives.push(`report-uri ${reportUri}`)
			`// NOTE: implement report-to once it's more widely supported`
			`}`

			`const policy = directives.join('; ')`

			`// Note: https://csp-evaluator.withgoogle.com/ is useful for checking the policy`

			`const header = reportOnly`
			`? 'Content-Security-Policy-Report-Only'`
			`: 'Content-Security-Policy'`

			`res.set(header, policy)`
			`}`

			`originalRender.apply(res, args)`
			`}`

			`next()`
			`}`
			`}`