feat: configure CSP for self-hosting and multiple ports in dev mode (#1364)

Closes #1358 
Closes #1359

⚠️ Need to update the preview and prod environment with a
"NEXT_PUBLIC_FRONTEND_URL" variable before merging.
This commit is contained in:
Matthieu Jacq 2023-10-09 17:02:15 +02:00 committed by GitHub
parent 77e135fb5b
commit 2c7d48cf4e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 33 deletions

View File

@ -1,5 +1,6 @@
NEXT_PUBLIC_ENV=local
NEXT_PUBLIC_BACKEND_URL=http://localhost:5050
NEXT_PUBLIC_FRONTEND_URL=http://localhost:*
NEXT_PUBLIC_SUPABASE_URL=<change-me>
NEXT_PUBLIC_SUPABASE_ANON_KEY=<change-me>
@ -12,4 +13,3 @@ NEXT_PUBLIC_GA_ID=<ignore-me-or-change-me>
NEXT_PUBLIC_E2E_URL=http://localhost:3003
NEXT_PUBLIC_E2E_EMAIL=<ignore-me-or-change-me>
NEXT_PUBLIC_E2E_PASSWORD=<ignore-me-or-change-me>

View File

@ -24,11 +24,7 @@ const ContentSecurityPolicy = {
"https://fonts.googleapis.com",
process.env.NEXT_PUBLIC_SUPABASE_URL,
"https://api.june.so",
{
prod: "https://www.quivr.app/",
preview: "https://preview.quivr.app/",
local: ["http://localhost:3000", "http://localhost:3001"],
},
process.env.NEXT_PUBLIC_FRONTEND_URL,
],
"connect-src": [
"'self'",
@ -43,44 +39,20 @@ const ContentSecurityPolicy = {
"media-src": [
"'self'",
"https://user-images.githubusercontent.com",
"https://www.quivr.app/",
process.env.NEXT_PUBLIC_FRONTEND_URL,
"https://quivr-cms.s3.eu-west-3.amazonaws.com",
],
"script-src": [
"'unsafe-inline'",
"'unsafe-eval'",
"https://va.vercel-scripts.com/",
{
prod: "https://www.quivr.app/",
preview: "https://preview.quivr.app/",
local: ["http://localhost:3000", "http://localhost:3001"],
},
process.env.NEXT_PUBLIC_FRONTEND_URL,
"https://www.google-analytics.com/",
],
"frame-ancestors": ["'none'"],
"style-src": [
"'unsafe-inline'",
{
prod: "https://www.quivr.app/",
preview: "https://preview.quivr.app/",
local: ["http://localhost:3000", "http://localhost:3001"],
},
],
"style-src": ["'unsafe-inline'", process.env.NEXT_PUBLIC_FRONTEND_URL],
};
// Resolve environment-specific CSP values
for (const directive of Object.values(ContentSecurityPolicy)) {
for (const [index, resource] of directive.entries()) {
if (typeof resource === "string") {
continue;
}
directive[index] = resource[process.env.NEXT_PUBLIC_ENV];
if (Array.isArray(directive[index])) {
directive[index] = directive[index].join(" ");
}
}
}
// Build CSP string
const cspString = Object.entries(ContentSecurityPolicy)
.map(([key, values]) => `${key} ${values.join(" ")};`)