CSP header support #271
Open
CSP header support #271
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
HJSielcken
reviewed
Nov 25, 2024
HJSielcken
left a comment
HJSielcken
left a comment
There was a problem hiding this comment.
Let's talk tomorrow about this stuff
| } | ||
|
|
||
|
|
||
| async function sendHtml(req, res, template, location, { status, headers, data }) { |
There was a problem hiding this comment.
This does not have to be async right?
| app.use(helmet(Object.assign( | ||
| { | ||
| hsts: false, // hsts-headers are sent by our loadbalancer | ||
| contentSecurityPolicy: false, |
There was a problem hiding this comment.
It feels a bit strange that we have
const { contentSecurityPolicy, ...helmetOptionsToUse } = helmetOptions || {}
and
Object.assign( {
hsts: false, // hsts-headers are sent by our loadbalancer
contentSecurityPolicy: false,
referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
},helmetOptionsToUse)
Does that mean that the resulting object has always contentSecurityPolicy: false?
| } | ||
|
|
||
| function addCspHeaders(req, res) { | ||
| return new Promise((resolve, reject) => { |
There was a problem hiding this comment.
What is the reason we need to wrap this in a Promise? And make 'sendHtmlWithCspHeaders' async?
For me it seems that the template rendering is just a bit more involved (namely collecting the extra script SHA's), but no extra async work?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request adds Content Security Policy header support.
Blocking
unsafe-inlineis one of the most important directives to avoid. But this will make all inline script tags unusable. Two approaches to solve 'trusted' inline scripts:nonce, a value that is unique for each request and is both present in the header and in the script tagOption 2. is the easiest to implement. The problem with this approach is that each request will get a unique header, making caching layers outside of the application unusable.
So we are stuck with option 1. For script tags created with this library a hash could be determined without using code. In real applications we however also use the script tags to provide information the
dataLayer. While not the only use case, it's one of the more well known ones.What we do in this pull request:
<script>tags to our<SafeScript>tagSafeScripttag renders, it creates a hash of the content and adds it to the collectionNote: the code should still be tested in a real environment