Added conditional content-security-policy header

If any of the URLs start with https then we add the Content-Security-Policy : upgrade-insecure-requests header to DICOMwebClient requests. Addresses #159
ImagingDataCommons · Jul 20, 2023 · d8b6452 · d8b6452
1 parent 54b4fb4
commit d8b6452
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 18 deletions.
diff --git a/src/DicomWebManager.ts b/src/DicomWebManager.ts
@@ -20,7 +20,7 @@ export default class DicomWebManager implements dwc.api.DICOMwebClient {
 
   private readonly handleError: DicomWebManagerErrorHandler
 
-  constructor ({ baseUri, settings, onError }: {
+  constructor({ baseUri, settings, onError }: {
     baseUri: string
     settings: ServerSettings[]
     onError?: DicomWebManagerErrorHandler
@@ -58,18 +58,36 @@ export default class DicomWebManager implements dwc.api.DICOMwebClient {
           )
         )
       }
+      // Addresses #159
+      let upgradeInsecure = false
       const clientSettings: dwc.api.DICOMwebClientOptions = {
         url: serviceUrl
       }
+      if (serviceUrl?.startsWith('https') ?? false) {
+        upgradeInsecure = true
+      }
       if (serverSettings.qidoPathPrefix !== undefined) {
         clientSettings.qidoURLPrefix = serverSettings.qidoPathPrefix
+        if (serverSettings.qidoPathPrefix.startsWith('https')) {
+          upgradeInsecure = true
+        }
       }
       if (serverSettings.wadoPathPrefix !== undefined) {
         clientSettings.wadoURLPrefix = serverSettings.wadoPathPrefix
+        if (serverSettings.wadoPathPrefix.startsWith('https')) {
+          upgradeInsecure = true
+        }
       }
       if (serverSettings.stowPathPrefix !== undefined) {
         clientSettings.stowURLPrefix = serverSettings.stowPathPrefix
+        if (serverSettings.stowPathPrefix.startsWith('https')) {
+          upgradeInsecure = true
+        }
+      }
+      if (upgradeInsecure) {
+        clientSettings.headers = { 'Content-Security-Policy': 'upgrade-insecure-requests' }
       }
+
       if (serverSettings.retry !== undefined) {
         clientSettings.requestHooks = [getXHRRetryHook(serverSettings.retry)]
       }
@@ -97,7 +115,7 @@ export default class DicomWebManager implements dwc.api.DICOMwebClient {
     }
   }
 
-  get baseURL (): string {
+  get baseURL(): string {
     return this.stores[0].client.baseURL
   }
 
@@ -107,7 +125,7 @@ export default class DicomWebManager implements dwc.api.DICOMwebClient {
     }
   }
 
-  get headers (): { [name: string]: string } {
+  get headers(): { [name: string]: string } {
     return this.stores[0].client.headers
   }
 

diff --git a/types/dicomweb-client/index.d.ts b/types/dicomweb-client/index.d.ts
@@ -10,12 +10,13 @@ declare module 'dicomweb-client' {
     export type DICOMwebClientRequestHook = (request: XMLHttpRequest, metadata: DICOMwebClientRequestHookMetadata) => XMLHttpRequest
 
     export interface DICOMwebClientOptions {
-      url: string|undefined
+      url: string | undefined
       qidoURLPrefix?: string
       wadoURLPrefix?: string
       stowURLPrefix?: string
       headers?: {
         Authorization?: string
+        'Content-Security-Policy'?: string
       }
       requestHooks?: DICOMwebClientRequestHook[]
       errorInterceptor?: (request: DICOMwebClientError) => void
@@ -133,49 +134,49 @@ declare module 'dicomweb-client' {
     export type Dataset = ArrayBuffer
 
     export interface DICOMwebClient {
-      headers: {[key: string]: string}
+      headers: { [key: string]: string }
       baseURL: string
       // STOW-RS
-      storeInstances (options: StoreInstancesOptions): Promise<void>
+      storeInstances(options: StoreInstancesOptions): Promise<void>
       // QIDO-RS
-      searchForStudies (
+      searchForStudies(
         options: SearchForStudiesOptions
       ): Promise<Study[]>
-      searchForSeries (
+      searchForSeries(
         options: SearchForSeriesOptions
       ): Promise<Series[]>
-      searchForInstances (
+      searchForInstances(
         options: SearchForInstancesOptions
       ): Promise<Instance[]>
       // WADO-RS
-      retrieveStudyMetadata (
+      retrieveStudyMetadata(
         options: RetrieveStudyMetadataOptions
       ): Promise<Metadata[]>
-      retrieveSeriesMetadata (
+      retrieveSeriesMetadata(
         options: RetrieveSeriesMetadataOptions
       ): Promise<Metadata[]>
-      retrieveInstanceMetadata (
+      retrieveInstanceMetadata(
         options: RetrieveInstanceMetadataOptions
       ): Promise<Metadata[]>
-      retrieveInstance (
+      retrieveInstance(
         options: RetrieveInstanceOptions
       ): Promise<Dataset>
-      retrieveInstanceFrames (
+      retrieveInstanceFrames(
         options: RetrieveInstanceFramesOptions
       ): Promise<Pixeldata[]>
-      retrieveInstanceRendered (
+      retrieveInstanceRendered(
         options: RetrieveInstanceRenderedOptions
       ): Promise<Pixeldata>
-      retrieveInstanceFramesRendered (
+      retrieveInstanceFramesRendered(
         options: RetrieveInstanceFramesRenderedOptions
       ): Promise<Pixeldata>
-      retrieveBulkData (
+      retrieveBulkData(
         options: RetrieveBulkDataOptions
       ): Promise<Bulkdata[]>
     }
 
     export class DICOMwebClient implements DICOMwebClient {
-      constructor (options: DICOMwebClientOptions)
+      constructor(options: DICOMwebClientOptions)
     }
 
     export interface MetadataElement {