set CSP to report only till we figure out wth vue-i18n is doing

Signed-off-by: MiniDigger <admin@minidigger.me>
MiniDigger 2020-12-21 14:55:18 +01:00
parent ca013ce231
commit 8bc9cc76d3
3 changed files with 7 additions and 7 deletions


@ -40,8 +40,8 @@ module.exports = {
port: 8081,
hot: process.env.NODE_ENV === 'development',
headers: {
"Access-Control-Allow-Origin": "http://localhost:8080"
}
'Access-Control-Allow-Origin': 'http://localhost:8080',
},
},
chainWebpack: (config) => {
// clear default


@ -71,7 +71,7 @@ public abstract class HangarController {
}
mav.addObject("cu", currentUser.get().orElse(null));
mav.addObject("headerData", userService.getHeaderData());
if (response.containsHeader("Content-Security-Policy")) {
if (request.getAttribute("nonce") != null) {
mav.addObject("nonce", request.getAttribute("nonce"));
} else {
mav.addObject("nonce", "missing-csp-header");
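Review bot: The request attribute is read twice on lines 31–32 and the `"nonce"` key is a string literal that also appears in ContentSecurityPolicyFilter; read it once into a local, `Object nonce = request.getAttribute("nonce");`, and share the key as a constant so the filter and controller cannot drift apart. The reason for replacing the `containsHeader("Content-Security-Policy")` check is not recorded at the site; it appears to be that the filter now emits the report-only header name instead, so a comment such as `// set by ContentSecurityPolicyFilter; header name differs between enforcing and report-only, so key off the attribute` would keep the next reader from reverting it. The sentinel `"missing-csp-header"` is presumably rendered into the template's nonce attribute when the filter did not run; note that intent on the else branch. The enclosing method starts and ends outside the hunk.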


@ -17,7 +17,6 @@ import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Collectors;
@ -39,8 +38,9 @@ public class ContentSecurityPolicyFilter extends OncePerRequestFilter {
builder.default_src(CSP.SELF, "https://google-analytics.com", "https://fonts.gstatic.com", "https://fonts.googleapis.com")
.style_src(CSP.SELF, "https://fonts.googleapis.com", CSP.UNSAFE_INLINE)
.font_src("fonts.gstatic.com")
.script_src(CSP.SELF, "'nonce-{nonce}'")
.img_src(CSP.SELF, hangarConfig.getAuthUrl(), "https://www.google-analytics.com", "data: papermc.io paper.readthedocs.io")
.script_src(CSP.SELF, "'nonce-{nonce}'", CSP.UNSAFE_INLINE) // unsafe inline is ignored by browsers that support nonces, just added for backwards compat
// .img_src(CSP.SELF, hangarConfig.getAuthUrl(), "https://www.google-analytics.com", "https://www.gravatar.com", "data: papermc.io paper.readthedocs.io") // ppl can use images in descriptions, we would need an image proxy or smth
.img_src(CSP.SELF, "https:")
.manifest_src(CSP.SELF)
.prefetch_src(CSP.SELF, "https://fonts.googleapis.com") // isnt implemented yet -> default_src
.connect_src(CSP.SELF, "https://www.google-analytics.com", "https://stats.g.doubleclick.net")
@ -70,7 +70,7 @@ public class ContentSecurityPolicyFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(@NotNull HttpServletRequest request, @NotNull HttpServletResponse response, @NotNull FilterChain filterChain) throws ServletException, IOException {
String nonce = RandomStringUtils.randomAlphanumeric(64);
response.addHeader(CSP.Header.SECURE,cspHeader.replace("{nonce}", nonce));
response.addHeader(CSP.Header.REPORT_ONLY,cspHeader.replace("{nonce}", nonce));
request.setAttribute("nonce", nonce);
filterChain.doFilter(request, response);
}
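Review bot: Line 63 switches the response to the report-only header, but nothing in the visible builder (lines 47–57) sets a `report-uri`/`report-to` directive, so unless one is configured outside the hunk the violations this commit wants to diagnose only surface in browser consoles and never server-side. Mark the switch as temporary at the call site, e.g. `// TODO: switch back to CSP.Header.SECURE once the vue-i18n inline-script violation is understood`, so the enforcing header is not forgotten. In the second hunk, line 53 is commented-out code; drop it or replace it with a one-line comment stating that `img_src` was widened to `https:` because descriptions may embed external images. The nonce on line 61 is unchanged by this commit, but `RandomStringUtils.randomAlphanumeric` in commons-lang3 releases of that era is backed by a shared `java.util.Random` rather than `SecureRandom`, which a CSP nonce should use — worth a follow-up.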