зеркало из https://github.com/github/docs.git
82 строки
2.5 KiB
JavaScript
82 строки
2.5 KiB
JavaScript
import helmet from 'helmet'
|
|
import isArchivedVersion from '../lib/is-archived-version.js'
|
|
import versionSatisfiesRange from '../lib/version-satisfies-range.js'
|
|
// This module defines a Content Security Policy (CSP) to disallow
|
|
// inline scripts and content from untrusted sources.
|
|
|
|
const { contentSecurityPolicy } = helmet
|
|
|
|
const AZURE_STORAGE_URL = 'githubdocs.azureedge.net'
|
|
|
|
const isDev = process.env.NODE_ENV === 'development'
|
|
|
|
export default function csp(req, res, next) {
|
|
const csp = {
|
|
directives: {
|
|
defaultSrc: ["'none'"],
|
|
prefetchSrc: ["'self'"],
|
|
|
|
connectSrc: [
|
|
"'self'",
|
|
// When doing local dev, especially in Safari, you need to add `ws:`
|
|
// which NextJS uses for the hot module reloading.
|
|
isDev && 'ws:',
|
|
].filter(Boolean),
|
|
fontSrc: ["'self'", 'data:', AZURE_STORAGE_URL],
|
|
imgSrc: [
|
|
"'self'",
|
|
'data:',
|
|
'github.githubassets.com',
|
|
AZURE_STORAGE_URL,
|
|
'placehold.it',
|
|
'*.githubusercontent.com',
|
|
'github.com',
|
|
],
|
|
objectSrc: ["'self'"],
|
|
scriptSrc: [
|
|
"'self'",
|
|
// For use during development only! This allows us to use a performant webpack devtool setting (eval)
|
|
// https://webpack.js.org/configuration/devtool/#devtool
|
|
isDev && "'unsafe-eval'",
|
|
].filter(Boolean),
|
|
frameSrc: [
|
|
// exceptions for GraphQL Explorer
|
|
'https://graphql.github.com/',
|
|
isDev && 'http://localhost:3000', // development env
|
|
'https://www.youtube-nocookie.com',
|
|
].filter(Boolean),
|
|
styleSrc: ["'self'", "'unsafe-inline'"],
|
|
childSrc: [
|
|
"'self'", // exception for search in deprecated GHE versions
|
|
],
|
|
},
|
|
}
|
|
|
|
const { requestedVersion } = isArchivedVersion(req)
|
|
|
|
// Exception for deprecated Enterprise docs (Node.js era)
|
|
if (
|
|
versionSatisfiesRange(requestedVersion, '<=2.19') &&
|
|
versionSatisfiesRange(requestedVersion, '>2.12')
|
|
) {
|
|
csp.directives.scriptSrc.push(
|
|
"'unsafe-eval'",
|
|
"'unsafe-inline'",
|
|
'http://www.google-analytics.com',
|
|
'https://ssl.google-analytics.com'
|
|
)
|
|
csp.directives.connectSrc.push('https://www.google-analytics.com')
|
|
csp.directives.imgSrc.push(
|
|
'http://www.google-analytics.com',
|
|
'https://ssl.google-analytics.com'
|
|
)
|
|
}
|
|
|
|
// Exception for search in deprecated Enterprise docs <=2.12 (static site era)
|
|
if (versionSatisfiesRange(requestedVersion, '<=2.12')) {
|
|
csp.directives.scriptSrc.push("'unsafe-inline'")
|
|
}
|
|
|
|
return contentSecurityPolicy(csp)(req, res, next)
|
|
}
|