Commit graph

8 commits

Author SHA1 Message Date
Jakob Ackermann
29aa7c622a Merge pull request #7105 from overleaf/jpa-static-no-csp
[web] remove CSP header from static assets

GitOrigin-RevId: 2f12974f490ff22796ed74c38a466fe4649877c1
2022-03-18 09:03:07 +00:00
Jakob Ackermann
224edddad4 [web] set a default, strict CSP on ALL endpoints (#6271)
* Remove use of CSP_PERCENTAGE

* Move header calculation earlier

* Set a default policy and add comments

* Apply the CSP header to all responses

* Enable CSP in dev environment

* [web] set a default, strict CSP on ALL endpoints

* [misc] enable CSP in dev-env

* Only build the default policy once

* Update docker-compose.yml

* [web] webpack: set default CSP header on webpack assets

This aligns the webpack dev-server with production in nocdn=true mode.

Co-authored-by: Alf Eaton <alf.eaton@overleaf.com>
GitOrigin-RevId: 088a6082ad21c5b3f229887ba0ab3eca8d0528cd
2022-03-18 09:03:01 +00:00
Alf Eaton
1be43911b4 Merge pull request #3942 from overleaf/prettier-trailing-comma
Set Prettier's "trailingComma" setting to "es5"

GitOrigin-RevId: 9f14150511929a855b27467ad17be6ab262fe5d5
2021-04-28 02:10:01 +00:00
Alf Eaton
2621a1d5bb Merge pull request #3933 from overleaf/ae-csp-report-percentage
Add CSP_REPORT_PERCENTAGE

GitOrigin-RevId: 4afde0da6e3660c83df8c5c9cd31a3f246e9e572
2021-04-22 02:09:40 +00:00
Alf Eaton
dcd6bd347f Use the full (relative) view path for CSP exclusion (#3916)
GitOrigin-RevId: f6828a447abcc550f0c7dfd0fc6fc72f4b5b1f7e
2021-04-17 02:09:56 +00:00
Alf Eaton
1ebc8a79cb Merge pull request #3495 from overleaf/ae-prettier-2
Upgrade Prettier to v2

GitOrigin-RevId: 85aa3fa1acb6332c4f58c46165a43d1a51471f33
2021-04-15 02:05:22 +00:00
Alasdair Smith
676b70b2be Merge pull request #3899 from overleaf/ae-csp-report-sample
Add 'report-sample' to script-src CSP directive

GitOrigin-RevId: 1a2c26339e7ef353a89fc264b0f186a1d313e1bc
2021-04-15 02:05:16 +00:00
Alf Eaton
a5637651b5 Add Content-Security-Policy header (#3783)
* Add Content-Security-Policy header
* Add nonce attribute to script tags
* Use source-map for webpack devtool
* Add ng-csp attribute when CSP is enabled
* Allow overriding CSP settings with environment variables
* Hook into render and allow routes to disable the CSP header

GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30
2021-03-26 03:04:55 +00:00