From 2b419d01ae5f7bfbcb5fa28ced1c96b3104f692e Mon Sep 17 00:00:00 2001
From: gozineb
Date: Wed, 4 Oct 2023 15:17:52 +0200
Subject: [PATCH 1/3] =?UTF-8?q?=E2=9C=A8=20add=20localhost=203001?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 frontend/next.config.js | 99 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 88 insertions(+), 11 deletions(-)
diff --git a/frontend/next.config.js b/frontend/next.config.js
index 56c3db7bc84a..cc451724d154 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@@ -9,20 +9,87 @@ const nextConfig = {
 },
 // eslint-disable-next-line prefer-arrow/prefer-arrow-functions
 async headers() {
- if (process.env.NEXT_PUBLIC_ENV === "prod") {
- return [
- {
- source: "/(.*)",
- headers: securityHeaders,
- },
- ];
- } else {
- return [];
- }
+ return [
+ {
+ source: "/(.*)",
+ headers: securityHeaders,
+ },
+ ];
 },
 };
-const ContentSecurityPolicy = {
+const ContentSecurityPolicyLocal = {
+ "default-src": [
+ "'self'",
+ "https://fonts.googleapis.com",
+ process.env.NEXT_PUBLIC_SUPABASE_URL,
+ "https://api.june.so",
+ ],
+ "connect-src": [
+ "'self'",
+ process.env.NEXT_PUBLIC_SUPABASE_URL,
+ process.env.NEXT_PUBLIC_BACKEND_URL,
+ "https://api.june.so",
+ "https://api.openai.com",
+ "https://cdn.growthbook.io",
+ "https://vitals.vercel-insights.com/v1/vitals",
+ ],
+ "img-src": ["'self'", "https://www.gravatar.com", "data:"],
+ "media-src": [
+ "'self'",
+ "https://user-images.githubusercontent.com",
+ "http://localhost:3001",
+ "http://localhost:3001",
+ "https://quivr-cms.s3.eu-west-3.amazonaws.com",
+ ],
+ "script-src": [
+ "'unsafe-inline'",
+ "'unsafe-eval'",
+ "https://va.vercel-scripts.com/",
+ "http://localhost:3001",
+ "http://localhost:3001",
+ "https://www.google-analytics.com/",
+ ],
+ "frame-ancestors": ["'none'"],
+ "style-src": ["'unsafe-inline'", "http://localhost:3001"],
+};
+
+const ContentSecurityPolicyPreview = {
+ "default-src": [
+ "'self'",
+ "https://fonts.googleapis.com",
+ process.env.NEXT_PUBLIC_SUPABASE_URL,
+ "https://api.june.so",
+ "https://www.quivr.app/",
+ ],
+ "connect-src": [
+ "'self'",
+ process.env.NEXT_PUBLIC_SUPABASE_URL,
+ process.env.NEXT_PUBLIC_BACKEND_URL,
+ "https://api.june.so",
+ "https://api.openai.com",
+ "https://cdn.growthbook.io",
+ "https://vitals.vercel-insights.com/v1/vitals",
+ ],
+ "img-src": ["'self'", "https://www.gravatar.com", "data:"],
+ "media-src": [
+ "'self'",
+ "https://user-images.githubusercontent.com",
+ "https://www.quivr.app/",
+
"https://quivr-cms.s3.eu-west-3.amazonaws.com",
+ ],
+ "script-src": [
+ "'unsafe-inline'",
+ "'unsafe-eval'",
+ "https://va.vercel-scripts.com/",
+ "https://www.quivr.app/",
+ "https://www.google-analytics.com/",
+ ],
+ "frame-ancestors": ["'none'"],
+ "style-src": ["'unsafe-inline'", "https://www.quivr.app/"],
+};
+
+const ContentSecurityPolicyProd = {
 "default-src": [
 "'self'",
 "https://fonts.googleapis.com",
@@ -57,6 +124,16 @@ const ContentSecurityPolicy = {
 "style-src": ["'unsafe-inline'", "https://www.quivr.app/"],
 };
+const EnvToCSP = {
+ local: ContentSecurityPolicyLocal,
+ preview: ContentSecurityPolicyPreview,
+ prod: ContentSecurityPolicyProd,
+};
+
+const ContentSecurityPolicy = process.env.NEXT_PUBLIC_ENV
+ ? EnvToCSP[process.env.NEXT_PUBLIC_ENV]
+ : {};
+
 const cspString = Object.entries(ContentSecurityPolicy)
 .map(([key, values]) => `${key} ${values.join(" ")};`)
 .join(" ");
From 4c30d610c736eb44e299cee49c9f2d0af3cdb5d5 Mon Sep 17 00:00:00 2001
From: Matthieu Jacq <67386567+matthieujacq@users.noreply.github.com>
Date: Thu, 5 Oct 2023 13:39:00 +0200
Subject: [PATCH 2/3] Update CSP for local and preview environments
---
 frontend/next.config.js | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/frontend/next.config.js b/frontend/next.config.js
index cc451724d154..a9e017bf6eb1 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@@ -38,7 +38,7 @@ const ContentSecurityPolicyLocal = {
 "media-src": [
 "'self'",
 "https://user-images.githubusercontent.com",
- "http://localhost:3001",
+ "http://localhost:3000",
 "http://localhost:3001",
 "https://quivr-cms.s3.eu-west-3.amazonaws.com",
 ],
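Review bot: The new `ContentSecurityPolicyLocal` and `ContentSecurityPolicyPreview` objects carry `'unsafe-inline'` and `'unsafe-eval'` in `script-src` and `'unsafe-inline'` in `style-src`, but neither directive contains `'self'`, so the app's own scripts and styles are permitted only because a literal origin (`http://localhost:3001`, `https://www.quivr.app/`) happens to match the serving host. Since `headers()` now emits `securityHeaders` in every environment, a dev server on any other host or port is blocked by its own policy. Consider adding the keyword in all three policies, e.g. `"script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'", ...]` and `"style-src": ["'self'", "'unsafe-inline'", ...]`, and keeping literal origins only for cross-origin assets. The `ContentSecurityPolicyProd` object continues outside the hunk.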
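Review bot: `EnvToCSP[process.env.NEXT_PUBLIC_ENV]` yields `undefined` for any value other than `local`, `preview` or `prod`, and `Object.entries(undefined)` on the following line then throws at build time, whereas an unset variable silently selects `{}` and `cspString` becomes the empty string, which presumably ends up as an empty `Content-Security-Policy` header — the two failure modes are inconsistent and the second is fail-open. Falling back to the strictest policy covers both: `const ContentSecurityPolicy = EnvToCSP[process.env.NEXT_PUBLIC_ENV] ?? ContentSecurityPolicyProd;`. Relatedly, an unset `NEXT_PUBLIC_SUPABASE_URL` or `NEXT_PUBLIC_BACKEND_URL` reaches `values.join(" ")` as `undefined` and is rendered as an empty token rather than an error; that predates this commit but the same place is the natural spot for a guard.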
@@ -46,12 +46,16 @@ const ContentSecurityPolicyLocal = {
 "'unsafe-inline'",
 "'unsafe-eval'",
 "https://va.vercel-scripts.com/",
- "http://localhost:3001",
+ "http://localhost:3000",
 "http://localhost:3001",
 "https://www.google-analytics.com/",
 ],
 "frame-ancestors": ["'none'"],
- "style-src": ["'unsafe-inline'", "http://localhost:3001"],
+ "style-src": [
+ "'unsafe-inline'",
+ "http://localhost:3000",
+ "http://localhost:3001",
+ ],
 };
 const ContentSecurityPolicyPreview = {
@@ -60,7 +64,7 @@ const ContentSecurityPolicyPreview = {
 "https://fonts.googleapis.com",
 process.env.NEXT_PUBLIC_SUPABASE_URL,
 "https://api.june.so",
- "https://www.quivr.app/",
+ "https://preview.quivr.app/",
 ],
 "connect-src": [
 "'self'",
@@ -75,18 +79,18 @@ const ContentSecurityPolicyPreview = {
 "media-src": [
 "'self'",
 "https://user-images.githubusercontent.com",
- "https://www.quivr.app/",
+ "https://preview.quivr.app/",
 "https://quivr-cms.s3.eu-west-3.amazonaws.com",
 ],
 "script-src": [
 "'unsafe-inline'",
 "'unsafe-eval'",
 "https://va.vercel-scripts.com/",
- "https://www.quivr.app/",
+ "https://preview.quivr.app/",
 "https://www.google-analytics.com/",
 ],
 "frame-ancestors": ["'none'"],
- "style-src": ["'unsafe-inline'", "https://www.quivr.app/"],
+ "style-src": ["'unsafe-inline'", "https://preview.quivr.app/"],
 };
 const ContentSecurityPolicyProd = {
From 95db8ad6961e96a6138c4566927ac6999c509539 Mon Sep 17 00:00:00 2001
From: Matthieu Jacq <67386567+matthieujacq@users.noreply.github.com>
Date: Thu, 5 Oct 2023 14:16:19 +0200
Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=8E=A8=20Avoid=20duplicate=20lines=20?=
 =?UTF-8?q?when=20defining=20CSP=20for=20multiple=20environements?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 frontend/next.config.js | 116 +++++++++++-----------------------------
 1 file changed, 30 insertions(+), 86 deletions(-)
diff --git a/frontend/next.config.js b/frontend/next.config.js
index a9e017bf6eb1..b266558c3eb0 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@@ -18,12 +18,17 @@ const nextConfig = {
 },
 };
-const ContentSecurityPolicyLocal = {
+const ContentSecurityPolicy = {
 "default-src": [
 "'self'",
 "https://fonts.googleapis.com",
 process.env.NEXT_PUBLIC_SUPABASE_URL,
 "https://api.june.so",
+ {
+ prod: "https://www.quivr.app/",
+ preview: "https://preview.quivr.app/",
+ local: ["http://localhost:3000", "http://localhost:3001"],
+ },
 ],
 "connect-src": [
 "'self'",
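Review bot: The object entry added to `default-src` (the same shape appears in `script-src` and `style-src` further down) is a non-string inside a CSP source list, which only works because a loop later in the file rewrites it by `process.env.NEXT_PUBLIC_ENV`; nothing at the declaration says so, and a reader who copies the pattern into a new directive has no hint that the keys are fixed to `prod`, `preview` and `local`. A one-line comment above `const ContentSecurityPolicy = {` would cover it: `// Object entries are per-environment sources keyed by NEXT_PUBLIC_ENV (prod | preview | local); they are resolved to strings before cspString is built.` The object literal continues outside the hunk.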
@@ -38,106 +43,45 @@ const ContentSecurityPolicyLocal = {
 "media-src": [
 "'self'",
 "https://user-images.githubusercontent.com",
- "http://localhost:3000",
- "http://localhost:3001",
+ "https://www.quivr.app/",
 "https://quivr-cms.s3.eu-west-3.amazonaws.com",
 ],
 "script-src": [
 "'unsafe-inline'",
 "'unsafe-eval'",
 "https://va.vercel-scripts.com/",
- "http://localhost:3000",
- "http://localhost:3001",
+ {
+ prod: "https://www.quivr.app/",
+ preview: "https://preview.quivr.app/",
+ local: ["http://localhost:3000", "http://localhost:3001"],
+ },
 "https://www.google-analytics.com/",
 ],
 "frame-ancestors": ["'none'"],
 "style-src": [
 "'unsafe-inline'",
- "http://localhost:3000",
- "http://localhost:3001",
- ],
-};
-
-const ContentSecurityPolicyPreview = {
- "default-src": [
- "'self'",
- "https://fonts.googleapis.com",
- process.env.NEXT_PUBLIC_SUPABASE_URL,
- "https://api.june.so",
- "https://preview.quivr.app/",
- ],
- "connect-src": [
- "'self'",
- process.env.NEXT_PUBLIC_SUPABASE_URL,
- process.env.NEXT_PUBLIC_BACKEND_URL,
- "https://api.june.so",
- "https://api.openai.com",
- "https://cdn.growthbook.io",
- "https://vitals.vercel-insights.com/v1/vitals",
- ],
- "img-src": ["'self'", "https://www.gravatar.com", "data:"],
- "media-src": [
- "'self'",
- "https://user-images.githubusercontent.com",
- "https://preview.quivr.app/",
- "https://quivr-cms.s3.eu-west-3.amazonaws.com",
- ],
- "script-src": [
- "'unsafe-inline'",
- "'unsafe-eval'",
- "https://va.vercel-scripts.com/",
- "https://preview.quivr.app/",
- "https://www.google-analytics.com/",
- ],
- "frame-ancestors": ["'none'"],
- "style-src": ["'unsafe-inline'", "https://preview.quivr.app/"],
-};
-
-const ContentSecurityPolicyProd = {
- "default-src": [
- "'self'",
- "https://fonts.googleapis.com",
- process.env.NEXT_PUBLIC_SUPABASE_URL,
- "https://api.june.so",
- "https://www.quivr.app/",
- ],
- "connect-src": [
- "'self'",
- process.env.NEXT_PUBLIC_SUPABASE_URL,
- process.env.NEXT_PUBLIC_BACKEND_URL,
-
"https://api.june.so",
- "https://api.openai.com",
- "https://cdn.growthbook.io",
- "https://vitals.vercel-insights.com/v1/vitals",
- ],
- "img-src": ["'self'", "https://www.gravatar.com", "data:"],
- "media-src": [
- "'self'",
- "https://user-images.githubusercontent.com",
- "https://www.quivr.app/",
- "https://quivr-cms.s3.eu-west-3.amazonaws.com",
- ],
- "script-src": [
- "'unsafe-inline'",
- "'unsafe-eval'",
- "https://va.vercel-scripts.com/",
- "https://www.quivr.app/",
- "https://www.google-analytics.com/",
+ {
+ prod: "https://www.quivr.app/",
+ preview: "https://preview.quivr.app/",
+ local: ["http://localhost:3000", "http://localhost:3001"],
+ },
 ],
- "frame-ancestors": ["'none'"],
- "style-src": ["'unsafe-inline'", "https://www.quivr.app/"],
 };
-const EnvToCSP = {
- local: ContentSecurityPolicyLocal,
- preview: ContentSecurityPolicyPreview,
- prod: ContentSecurityPolicyProd,
-};
-
-const ContentSecurityPolicy = process.env.NEXT_PUBLIC_ENV
- ? EnvToCSP[process.env.NEXT_PUBLIC_ENV]
- : {};
+// Resolve environment-specific CSP values
+for (const directive of Object.values(ContentSecurityPolicy)) {
+ for (const [index, resource] of directive.entries()) {
+ if (typeof resource === "string") {
+ continue;
+ }
+ directive[index] = resource[process.env.NEXT_PUBLIC_ENV];
+ if (Array.isArray(directive[index])) {
+ directive[index] = directive[index].join(" ");
+ }
+ }
+}
+// Build CSP string
 const cspString = Object.entries(ContentSecurityPolicy)
 .map(([key, values]) => `${key} ${values.join(" ")};`)
 .join(" ");
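Review bot: `directive[index] = resource[process.env.NEXT_PUBLIC_ENV]` stores `undefined` when the variable is unset or is not one of `prod`, `preview` or `local`; `values.join(" ")` then renders it as an empty token, so the environment-specific origin silently vanishes from the policy, whereas the removed `EnvToCSP` lookup at least threw on an unknown value. A fail-closed default keeps a misconfigured deployment on the strictest policy: `directive[index] = resource[process.env.NEXT_PUBLIC_ENV] ?? resource.prod;` (or throw when the key is absent, if a loud build failure is preferred). Separately, `media-src` at the top of the hunk is collapsed to a fixed `"https://www.quivr.app/"` while the other directives keep the `{ prod, preview, local }` object, so preview and local lose the `preview.quivr.app` and `localhost` media origins they had before this commit — if that is unintended, the same object belongs there too.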