From fa5ee58d41180ae81e09a1d3a8191269de8b974b Mon Sep 17 00:00:00 2001
From: David Nuescheler
Date: Thu, 15 Jun 2023 15:56:12 -0700
Subject: [PATCH 1/3] feat: meta based csp
---
 scripts/csp.json | 13 +++++++++++++
 scripts/scripts.js | 17 +++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 scripts/csp.json
diff --git a/scripts/csp.json b/scripts/csp.json
new file mode 100644
index 000000000..1c203c79b
--- /dev/null
+++ b/scripts/csp.json
@@ -0,0 +1,13 @@
+{
+ "default-src": [
+ "'self'"
+ ],
+ "script-src": [
+ "'self'",
+ "https://rum.hlx.page/"
+ ],
+ "connect-src": [
+ "'self'",
+ "https://rum.hlx.page/"
+ ]
+}
\ No newline at end of file
diff --git a/scripts/scripts.js b/scripts/scripts.js
index 7609d1412..5be42a7af 100644
--- a/scripts/scripts.js
+++ b/scripts/scripts.js
@@ -72,11 +72,28 @@ async function loadEager(doc) {
 }
 }
+/**
+ * sets the Content-Security-Policy meta tag to the document based on JSON file
+ */
+
+async function setCSP() {
+ const resp = await fetch(`${window.hlx.codeBasePath}/scripts/csp.json`);
+ const json = await resp.json();
+ const directives = Object.keys(json);
+ const policy = directives.map((directive) => `${directive} ${json[directive].join(' ')}`).join('; ');
+ const meta = document.createElement('meta');
+ meta.setAttribute('http-equiv', 'Content-Security-Policy');
+ meta.setAttribute('content', policy);
+ document.head.appendChild(meta);
+}
+
 /**
 * Loads everything that doesn't need to be delayed.
 * @param {Element} doc The container element
 */
 async function loadLazy(doc) {
+ await setCSP();
+
 const main = doc.querySelector('main');
 await loadBlocks(main);
From 775050318089f527a09a0cabdd7fc8e0c61736c7 Mon Sep 17 00:00:00 2001
From: David Nuescheler
Date: Mon, 19 Jun 2023 10:37:55 -0700
Subject: [PATCH 2/3] Update scripts/scripts.js
Co-authored-by: Lars Trieloff
---
 scripts/scripts.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/scripts.js b/scripts/scripts.js
index 5be42a7af..69b82bec6 100644
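Review bot: The policy in the new csp.json declares only default-src, script-src and connect-src, so base-uri, which is not a fetch directive and does not inherit from default-src, is left unrestricted; consider adding `"base-uri": ["'self'"]` and, if plugins are not needed, `"object-src": ["'none'"]` so the intent is explicit rather than inherited. frame-ancestors and report-uri cannot be expressed in a meta-delivered policy at all, so framing protection and reporting to a collector still need an HTTP header if they are wanted. Each array entry is joined with a single space by setCSP, so every value must already be a complete source expression with its own quotes (as `'self'` is here); JSON has no comment syntax, so that convention belongs in setCSP's JSDoc.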
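Review bot: setCSP never checks `resp.ok`, and loadLazy awaits it without a try/catch, so a missing or non-JSON csp.json makes `resp.json()` throw and the rest of loadLazy (loadBlocks and whatever follows) never runs, leaving the page with neither its policy nor its lazy content. A guard such as `if (!resp.ok) throw new Error('csp.json unavailable');` in setCSP plus `try { await setCSP(); } catch (e) { console.error('CSP not applied', e); }` at the call site keeps a policy-load failure from becoming a page-load failure while still leaving a trace. The JSDoc should also record the limits that follow from injecting the meta tag this late: the policy governs only loads initiated after `document.head.appendChild(meta)`, so the initial HTML and, going by the names, anything fetched in the loadEager phase is outside it, and a meta CSP cannot carry frame-ancestors, sandbox or report-uri. loadLazy's body continues outside the hunk.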
--- a/scripts/scripts.js
+++ b/scripts/scripts.js
@@ -84,6 +84,7 @@ async function setCSP() {
 const meta = document.createElement('meta');
 meta.setAttribute('http-equiv', 'Content-Security-Policy');
 meta.setAttribute('content', policy);
+ document.addEventListener("securitypolicyviolation", (e) => sampleRUM("csperror", {source: `${e.documentURI}:${e.lineNumber}:${e.columnNumber}`, target: e.blockedURI }));
 document.head.appendChild(meta);
 }
From 7d428dd9bbc688f5c6a351dba8bae63c6b2f2eb9 Mon Sep 17 00:00:00 2001
From: David Nuescheler
Date: Mon, 19 Jun 2023 10:42:51 -0700
Subject: [PATCH 3/3] chore: linting
---
 scripts/scripts.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/scripts.js b/scripts/scripts.js
index 69b82bec6..1f42805bd 100644
--- a/scripts/scripts.js
+++ b/scripts/scripts.js
@@ -84,7 +84,7 @@ async function setCSP() {
 const meta = document.createElement('meta');
 meta.setAttribute('http-equiv', 'Content-Security-Policy');
 meta.setAttribute('content', policy);
- document.addEventListener("securitypolicyviolation", (e) => sampleRUM("csperror", {source: `${e.documentURI}:${e.lineNumber}:${e.columnNumber}`, target: e.blockedURI }));
+ document.addEventListener('securitypolicyviolation', (e) => sampleRUM('csperror', { source: `${e.documentURI}:${e.lineNumber}:${e.columnNumber}`, target: e.blockedURI }));
 document.head.appendChild(meta);
 }
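Review bot: The violation report in the added listener records the source position and blockedURI but not which directive was violated, which is the one field a maintainer needs in order to tune csp.json; `e.effectiveDirective` is on the same SecurityPolicyViolationEvent and could be added as a third property, e.g. `directive: e.effectiveDirective`. The listener is registered on every call of setCSP, which is harmless while loadLazy is its only caller but would produce duplicate reports if setCSP were ever reused; a one-line comment, or registering it once at module level, would make that explicit. sampleRUM is not defined in this hunk; it is assumed to be the file's existing RUM helper posting to the rum.hlx.page origin that csp.json already allows in connect-src, so the report itself is not blocked by the policy it describes, and its sampling presumably means not every violation is sent. setCSP's opening lines are outside the hunk.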