disable CSP for /report.html (#151)

* disable CSP for /report.html

Fixes #150

* enable minimal helmet() for debug paths
This commit is contained in:
Nolan Lawson 2018-04-17 18:38:14 -07:00 committed by GitHub
parent 61b3b9ea75
commit 4b2e3f030a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 5 deletions


@ -12,13 +12,27 @@ const { PORT = 4002 } = process.env
// this allows us to do e.g. `fetch('/_api/blog')` on the server // this allows us to do e.g. `fetch('/_api/blog')` on the server
const fetch = require('node-fetch') const fetch = require('node-fetch')
global.fetch = (url, opts) => { global.fetch = (url, opts) => {
if (url[0] === '/') url = `http://localhost:${PORT}${url}` if (url[0] === '/') {
url = `http://localhost:${PORT}${url}`
}
return fetch(url, opts) return fetch(url, opts)
} }
const debugPaths = ['/report.html', '/stats.json']
const debugOnly = (fn) => (req, res, next) => (
!~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)
)
const nonDebugOnly = (fn) => (req, res, next) => (
~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)
)
app.use(compression({ threshold: 0 })) app.use(compression({ threshold: 0 }))
app.use(helmet({ // report.html needs to have CSP disable because it has inline scripts
app.use(debugOnly(helmet()))
app.use(nonDebugOnly(helmet({
contentSecurityPolicy: { contentSecurityPolicy: {
directives: { directives: {
scriptSrc: [`'self'`, `'sha256-${headScriptChecksum}'`], scriptSrc: [`'self'`, `'sha256-${headScriptChecksum}'`],
@ -29,7 +43,7 @@ app.use(helmet({
manifestSrc: [`'self'`] manifestSrc: [`'self'`]
} }
} }
})) })))
app.use(serveStatic('assets', { app.use(serveStatic('assets', {
setHeaders: (res) => { setHeaders: (res) => {
@ -37,8 +51,9 @@ app.use(serveStatic('assets', {
} }
})) }))
app.use('/report.html', express.static('.sapper/client/report.html')) debugPaths.forEach(debugPath => {
app.use('/stats.json', express.static('.sapper/client/stats.json')) app.use(debugPath, express.static(`.sapper/client${debugPath}`))
})
app.use(sapper()) app.use(sapper())
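Review bot: The helmet selection introduced at L28–L33 keys on an exact `req.path` match against `debugPaths`, while the `express.static` mounts at the end of the section (`app.use(debugPath, …)`) use Express's mount matching, which — if `caseSensitive` and `strict` are left at their defaults — also answers `/report.html/` or `/Report.html`; those spellings would then be served from `.sapper/client` with the full CSP applied and their inline scripts blocked. That fails closed, so it is a consistency gap rather than a weakening, but it is worth either deriving both the middleware selector and the mounts from one predicate, or adding a comment stating that exact-match is intended. The `!~debugPaths.indexOf(...)` double negation is also hard to read; a `Set` plus a single `onlyIf(pred, fn)` wrapper says the same thing directly and keeps the later `debugPaths.forEach` working, since `Set` has `forEach` as well. The CSP-less `helmet()` branch serves the bundle report and stats to whoever can reach the server, and nothing in the hunk gates them, so I would extend the L35 comment to `// CSP disabled here: report.html uses inline scripts. NOTE: these build artefacts appear publicly reachable — confirm that is intended`. The `helmet({ contentSecurityPolicy … })` argument opened in this hunk continues into the second hunk.
```javascript
const debugPaths = new Set(['/report.html', '/stats.json'])
const isDebugPath = (req) => debugPaths.has(req.path)
// run fn only when pred(req) holds, otherwise fall through to the next middleware
const onlyIf = (pred, fn) => (req, res, next) => (pred(req) ? fn(req, res, next) : next())

app.use(compression({ threshold: 0 }))
// CSP disabled here: report.html uses inline scripts
app.use(onlyIf(isDebugPath, helmet()))
app.use(onlyIf((req) => !isDebugPath(req), helmet({
// … unchanged: contentSecurityPolicy directives …
```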