pkg: fix CSP with correct values

kyokan · Jan 30, 2023 · 90acfef · 90acfef
1 parent f3de98b
commit 90acfef
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 26 deletions.
diff --git a/app/app.html b/app/app.html
@@ -1,16 +1,22 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="{{cspValue}}">
+  <meta http-equiv="Content-Security-Policy" content="
+  default-src 'self' 'sha256-ifNoD1V8CYOGqCEhgv6hm3CwX8yYueHGf454+Xv7rrI=' http://localhost:1212;
+  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+  font-src https://fonts.gstatic.com;
+  img-src * data:;
+  connect-src ws://0.0.0.0:1212 http://localhost:1212 *.sentry.io *.mixpanel.com;
+  ">
   <meta charset="utf-8" />
   <title>Bob</title>
   <!-- Preloading Styles for Splash Screen -->
-  <!-- leave as-is otherwise hash for CSP will need to be regenerated -->
   <style>html, body { margin: 0; padding: 0; font-family: system-ui, 'Roboto', sans-serif; font-size: 16px; -webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; overflow-x: hidden; }</style>
 </head>
 <body>
 <div id="root"></div>
 <div id="modal-root"></div>
+<!-- CSP script hash: sha256-ifNoD1V8CYOGqCEhgv6hm3CwX8yYueHGf454+Xv7rrI= -->
 <script>
   // https://github.com/tc39/proposal-global
   global = globalThis;

diff --git a/scripts/package.js b/scripts/package.js
@@ -2,7 +2,6 @@ const path = require('path');
 const fs = require('fs');
 const exec = require('child_process').exec;
 const rootDir = path.resolve(path.join(__dirname, '..'));
-const cspPolicy = `default-src 'self'; style-src 'self' 'sha256-GhG3bE0iJoXJDtzwjDYe4ewzpUCrcbsJVwiqGhTOAVg=' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src * data:; connect-src http://localhost:13037 http://localhost:13039 http://localhost:14037 http://localhost:14039 http://localhost:15037 http://localhost:15039 http://localhost:12037 http://localhost:12039 https://*.sentry.io https://*.mixpanel.com;`;
 const binDir = path.join(rootDir, 'node_modules', '.bin');
 const webpackBin = path.join(binDir, 'webpack.cmd');
 const babelBin = path.join(binDir, 'babel.cmd');
@@ -60,24 +59,6 @@ function babelizeFromRoot(source, dest, isDir, cb) {
   });
 }
 
-function replaceCSP(input, cb) {
-  fs.readFile(input, 'utf8', (err, data) => {
-    if (err) {
-      throw err;
-    }
-
-    const replaced = data.replace('{{cspValue}}', cspPolicy);
-    fs.writeFile(input, replaced, 'utf8', (err) => {
-      if (err) {
-        throw err;
-      }
-
-      console.log('Replaced CSP.');
-      cb();
-    });
-  });
-}
-
 function main() {
   const babelDirectories = [
     'background',
@@ -118,8 +99,7 @@ function main() {
     });
   };
   const pack = () => webpack(babelizeFiles);
-  const csp = () => replaceCSP(path.join('dist', 'app.html'), pack);
-  const cpApp = () => copyFileFromRoot(path.join('app', 'app.html'), 'dist', csp);
+  const cpApp = () => copyFileFromRoot(path.join('app', 'app.html'), 'dist', pack);
   const mkDist = () => mkdirPFromRoot('dist', cpApp);
   mkDist();
 }

diff --git a/scripts/package.sh b/scripts/package.sh
@@ -1,9 +1,6 @@
 #!/usr/bin/env bash
 mkdir -p ./dist
 cp app/app.html dist
-CSP_POLICY="default-src 'self'; style-src 'self' 'sha256-GhG3bE0iJoXJDtzwjDYe4ewzpUCrcbsJVwiqGhTOAVg=' https:\/\/fonts.googleapis.com; font-src https:\/\/fonts.gstatic.com; img-src * data:; connect-src http:\/\/localhost:13037 http:\/\/localhost:13039 http:\/\/localhost:14037 http:\/\/localhost:14039 http:\/\/localhost:15037 http:\/\/localhost:15039 http:\/\/localhost:12037 http:\/\/localhost:12039 https:\/\/*.sentry.io https:\/\/*.mixpanel.com;"
-sed -i.tmp "s/{{cspValue}}/${CSP_POLICY}/g" dist/app.html
-rm dist/app.html.tmp
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )/../"
 NODE_ENV=production $DIR/node_modules/.bin/webpack --config ./configs/webpack.config.renderer.prod.babel.js
 $DIR/node_modules/.bin/babel $DIR/app/main.js -o ./dist/main.js