Allow additional CSP directives to be defined for specific views (#19550)

GitOrigin-RevId: 19bf1004479b5106e64e9c13d58d69e328cc12f1
Alf Eaton 2024-10-03 13:04:46 +01:00 committed by Copybot
parent 17e8c70069
commit c91d99de80
2 changed files with 17 additions and 2 deletions


@ -6,6 +6,7 @@ module.exports = function ({
reportPercentage, reportPercentage,
reportOnly = false, reportOnly = false,
exclude = [], exclude = [],
viewDirectives = {},
}) { }) {
const header = reportOnly const header = reportOnly
? 'Content-Security-Policy-Report-Only' ? 'Content-Security-Policy-Report-Only'
@ -37,7 +38,12 @@ module.exports = function ({
res.locals.scriptNonce = scriptNonce res.locals.scriptNonce = scriptNonce
const policy = buildViewPolicy(scriptNonce, reportPercentage, reportUri) const policy = buildViewPolicy(
scriptNonce,
reportPercentage,
reportUri,
viewDirectives[view]
)
// Note: https://csp-evaluator.withgoogle.com/ is useful for checking the policy // Note: https://csp-evaluator.withgoogle.com/ is useful for checking the policy
@ -72,11 +78,17 @@ const buildDefaultPolicy = (reportUri, styleSrc) => {
return directives.join('; ') return directives.join('; ')
} }
const buildViewPolicy = (scriptNonce, reportPercentage, reportUri) => { const buildViewPolicy = (
scriptNonce,
reportPercentage,
reportUri,
viewDirectives
) => {
const directives = [ const directives = [
`script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`, // only allow scripts from certain sources `script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`, // only allow scripts from certain sources
`object-src 'none'`, // forbid loading an "object" element `object-src 'none'`, // forbid loading an "object" element
`base-uri 'none'`, // forbid setting a "base" element `base-uri 'none'`, // forbid setting a "base" element
...(viewDirectives ?? []),
] ]
if (reportUri) { if (reportUri) {
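Review bot: The lookup `viewDirectives[view]` in the middleware hunk reads a plain object by the view name, so if `view` ever matched an inherited property such as `constructor` the result would be a function and the spread on the `...(viewDirectives ?? [])` line would throw a TypeError rather than fall back to the default policy; an own-property check avoids that, e.g. `Object.hasOwn(viewDirectives, view) ? viewDirectives[view] : []` at the call site (or a `Map` for the setting). The new parameter is also undocumented: a comment such as `// viewDirectives: map of view name -> extra CSP directive strings appended after the fixed script-src/object-src/base-uri entries for that view` above the `viewDirectives = {}` default would help, and it is worth stating that because browsers honour only the first occurrence of a directive, a per-view entry appended here cannot weaken or override the three fixed directives that precede it. buildViewPolicy's body continues past the end of this hunk, so whether a later directive (for example in the `reportUri` branch) could collide with a per-view entry cannot be judged from here.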


@ -977,6 +977,9 @@ module.exports = {
reportPercentage: parseFloat(process.env.CSP_REPORT_PERCENTAGE) || 0, reportPercentage: parseFloat(process.env.CSP_REPORT_PERCENTAGE) || 0,
reportUri: process.env.CSP_REPORT_URI, reportUri: process.env.CSP_REPORT_URI,
exclude: [], exclude: [],
viewDirectives: {
'app/views/project/ide-react': [`img-src 'self' data: blob:`],
},
}, },
unsupportedBrowsers: { unsupportedBrowsers: {
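Review bot: The key `'app/views/project/ide-react'` has to match the view name the middleware looks up exactly, and a mismatch is silent: the `?? []` fallback in buildViewPolicy simply yields the default policy, so the intended `img-src 'self' data: blob:` would never be sent and the only symptom would be blocked images reported to the CSP endpoint. Presumably the key is the template path passed to render for that view, but that cannot be confirmed from this diff; a test asserting that the response header for the ide-react view contains `img-src 'self' data: blob:`, or a startup log of which views have extra directives, would catch a drift in either place. A short comment on the entry, e.g. `// key must equal the view name passed to the CSP middleware; unknown keys are ignored`, would make the contract visible to the next person editing this setting.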