Merge pull request #236 from bcgov/bugfix/apicsp

Add CSP rules to support redocs rendering
bcgov · Dec 20, 2023 · ace4c12 · ace4c12
2 parents 3e47e16 + f5aabdb
commit ace4c12
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 71 deletions.
diff --git a/app/app.js b/app/app.js
@@ -34,18 +34,7 @@ const app = express();
 app.use(compression());
 app.use(cors(DEFAULTCORS));
 app.use(express.urlencoded({ extended: true }));
-app.use(
-  helmet({
-    contentSecurityPolicy: {
-      directives: {
-        'default-src': [
-          "'self'", // eslint-disable-line
-          new URL(config.get('keycloak.serverUrl')).origin
-        ]
-      }
-    }
-  })
-);
+app.use(helmet());
 
 // Skip if running tests
 if (process.env.NODE_ENV !== 'test') {

diff --git a/app/package-lock.json b/app/package-lock.json
diff --git a/app/src/docs/docs.js b/app/src/docs/docs.js
@@ -15,7 +15,7 @@ const docs = {
     </head>
     <body>
       <redoc spec-url='/api/${version}/docs/api-spec.yaml' />
-      <script src="https://cdn.jsdelivr.net/npm/redoc@next/bundles/redoc.standalone.js"></script>
+      <script src="https://cdn.redoc.ly/redoc/latest/bundles/redoc.standalone.js"></script>
     </body>
   </html>`
 };

diff --git a/app/src/routes/v1/docs.js b/app/src/routes/v1/docs.js
@@ -1,6 +1,7 @@
 const config = require('config');
 const router = require('express').Router();
 const { readFileSync } = require('fs');
+const helmet = require('helmet');
 const yaml = require('js-yaml');
 const { join } = require('path');
 
@@ -16,6 +17,17 @@ function getSpec() {
   return spec;
 }
 
+router.use(
+  helmet({
+    contentSecurityPolicy: {
+      directives: {
+        'img-src': ['data:', 'https://cdn.redoc.ly'],
+        'script-src': ['blob:', 'https://cdn.redoc.ly']
+      }
+    }
+  })
+);
+
 /** OpenAPI Docs */
 router.get('/', (_req, res) => {
   const docs = require('../../docs/docs');