fix(csp): add documentation, mitigate edge case

opengovsg · Mar 2, 2021 · 142558c · 142558c
1 parent 549ae2d
commit 142558c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/src/server/config.ts b/src/server/config.ts
@@ -182,13 +182,14 @@ export const cspOnlyReportViolations =
   process.env.CSP_ONLY_REPORT_VIOLATIONS === 'true'
 export const cspReportUri = process.env.CSP_REPORT_URI
 
+// Allow announcement modals to use file links for images.
 const cspImageBucketMap: { [key: string]: string } = {
   'https://go.gov.sg': 'https://file.go.gov.sg/',
   'https://staging.go.gov.sg': 'https://file-staging.go.gov.sg/',
   'https://golink.edu.sg': 'https://file.golink.edu.sg/',
   'https://staging.golink.edu.sg': 'https://file-staging.golink.edu.sg/',
 }
-export const cspImageBucket = cspImageBucketMap[ogUrl]
+export const cspImageBucket: string | undefined = cspImageBucketMap[ogUrl]
 
 export const safeBrowsingLogOnly = process.env.SAFE_BROWSING_LOG_ONLY === 'true'
 

diff --git a/src/server/index.ts b/src/server/index.ts
@@ -81,6 +81,16 @@ if (cspReportUri) {
 if (sentryDns) {
   connectSrc.push(parseDomain(sentryDns))
 }
+const imgSrc = [
+  "'self'",
+  'data:',
+  'https://www.google-analytics.com/',
+  'https://www.googletagmanager.com/',
+  'https://stats.g.doubleclick.net/',
+]
+if (cspImageBucket) {
+  imgSrc.push(cspImageBucket)
+}
 
 const app = express()
 app.use(
@@ -99,14 +109,7 @@ app.use(
           'https://fonts.gstatic.com/',
           'https://cdn.jsdelivr.net/',
         ],
-        imgSrc: [
-          "'self'",
-          'data:',
-          'https://www.google-analytics.com/',
-          'https://www.googletagmanager.com/',
-          'https://stats.g.doubleclick.net/',
-          cspImageBucket,
-        ],
+        imgSrc,
         scriptSrc: [
           "'self'",
           'https://www.google-analytics.com/',