Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: strengthen csp rules (#2733) #3990

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

feat: strengthen csp rules (#2733) #3990

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3e83f2f
feat: strengthen csp rules (#2733)
steffstefferson Nov 13, 2024
71fec40
Merge branch 'main' into feature/2733-content-security-policies
steffstefferson Nov 14, 2024
f3188cd
chore: disable csp for cypress
steffstefferson Nov 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions packages/components/cypress/support/e2e.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,17 @@ Cypress.on('uncaught:exception', err => {
return false;
}
});

// cypress is inserting scripts into the html file to execute its tests, but the script is blocked by the csp, so we remove the csp for the tests.
beforeEach(() => {
cy.intercept('/*', (req) => {
req.continue((res) => {
if (res.headers['content-type'] && res.headers['content-type'].includes('text/html')) {
res.body = res.body.replace(
/<meta http-equiv="Content-Security-Policy" content="[^"]*">/g,
'<meta http-equiv="Content-Security-Policy" content="*">'
);
}
})
})
})
22 changes: 18 additions & 4 deletions packages/documentation/.storybook/preview-head.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,24 @@
<link rel="stylesheet" href="/styles/post-external.css" />

<meta name="design-system-settings" data-post-icon-base="/post-icons" />
<meta
http-equiv="Content-Security-Policy"
content="connect-src 'self' *.coveo.com *.post.ch *.gravatar.com *.app.github.dev"
/>

<meta http-equiv="Content-Security-Policy" content="
connect-src 'self' *.coveo.com *.post.ch *.gravatar.com *.google.com *.app.github.dev;
default-src 'self';
script-src 'self' *.coveo.com *.post.ch *.gravatar.com *.googletagmanager.com;
style-src 'self' *.coveo.com *.post.ch *.gravatar.com;
img-src 'self' data: *.unpkg.com *.githubusercontent.com;
font-src 'self' *.coveo.com *.post.ch *.gravatar.com;
frame-src 'none';
object-src 'none';
base-uri 'self';
form-action 'self';
media-src 'self';
manifest-src 'self';
worker-src 'self';
upgrade-insecure-requests;
block-all-mixed-content;
">

<script>
window.global = window;
Expand Down
14 changes: 14 additions & 0 deletions packages/documentation/cypress/support/e2e.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,3 +26,17 @@ Cypress.on('uncaught:exception', err => {
return false;
}
});

// cypress is inserting scripts into the html file to execute its tests, but the script is blocked by the csp, so we remove the csp for the tests.
beforeEach(() => {
cy.intercept('/*', (req) => {
req.continue((res) => {
if (res.headers['content-type'] && res.headers['content-type'].includes('text/html')) {
res.body = res.body.replace(
/<meta http-equiv="Content-Security-Policy" content="[^"]*">/g,
'<meta http-equiv="Content-Security-Policy" content="*">'
);
}
})
})
})
5 changes: 3 additions & 2 deletions packages/documentation/public/_headers
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
# Adds custom headers for specific resources
# This file is used by Netlify to handle headers

/assets/versions.json
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *.post.ch
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options = nosniff