luxolus/open-consul
2
0
Fork 0
Code Issues 1 Pull requests Packages Releases Wiki Activity
open-consul/ui/packages/consul-ui/server/index.js
John Cowen 62a9dffcae
ui: CSP Improvements (#9847) 
* Configure ember-auto-import so we can use a stricter CSP

* Create a fake filesystem using JSON to avoid inline scripts in index

We used to have inline scripts in index.html in order to support embers
filepath fingerprinting and our configurable rootURL.

Instead of using inline scripts we use application/json plus a JSON blob
to create a fake filesystem JSON blob/hash/map to hold all of the
rootURL'ed fingerprinted file paths which we can then retrive later in
non-inline scripts.

We move our inlined polyfills script into the init.js external script,
and we move the CodeMirror syntax highlighting configuration inline
script into the main app itself - into the already existing CodeMirror
initializer (this has been moved so we can lookup a service located
document using ember's DI container)

* Set a strict-ish CSP policy during development
2021-03-17 10:46:21 +00:00

39 lines
1.3 KiB
JavaScript
Raw Blame History

/*eslint node/no-extraneous-require: "off"*/
'use strict';
const fs = require('fs');
const promisify = require('util').promisify;
const read = promisify(fs.readFile);
const express = require('express');
module.exports = function(app, options) {
// During development the proxy server has no way of
// knowing the content/mime type of our `oidc/callback` file
// as it has no extension.
// This shims the default server to set the correct headers
// just for this file
const file = `/oidc/callback`;
const rootURL = options.rootURL;
const url = `${rootURL.substr(0, rootURL.length - 1)}${file}`;
app.use(function(req, resp, next) {
if (req.url.split('?')[0] === url) {
return read(`${process.cwd()}/public${file}`).then(function(buffer) {
resp.header('Content-Type', 'text/html');
resp.write(buffer.toString());
resp.end();
});
}
next();
});
// sets the base CSP policy for the UI
app.use(function(request, response, next) {
response.set({
'Content-Security-Policy': `default-src 'self' ws: localhost:${options.liveReloadPort} http: localhost:${options.liveReloadPort}; img-src 'self' data: ; style-src 'self' 'unsafe-inline'`,
});
next();
});
// Serve the coverage folder for easy viewing during development
app.use('/coverage', express.static('coverage'));
};
Reference in a new issue View git blame Copy permalink