Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ZAP Error Fixes - Define CSP #543

Open
wants to merge 12 commits into
base: dev
Choose a base branch
from
Open

ZAP Error Fixes - Define CSP #543

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
1ee64c9
added strict csp scripts
CurtisUnderwood Aug 12, 2022
6c61492
added csp
CurtisUnderwood Aug 15, 2022
3669838
fixed tests
CurtisUnderwood Aug 16, 2022
8adda36
Merge branch 'dev' into zap-define-csp
CurtisUnderwood Aug 16, 2022
d55dd0e
added unsafeinline styles
CurtisUnderwood Aug 16, 2022
a2fbe01
moved csp into header
CurtisUnderwood Aug 16, 2022
5aeefef
redeploy
CurtisUnderwood Aug 16, 2022
0128818
cleanup
CurtisUnderwood Aug 16, 2022
8b20f3f
fixed suggestions
CurtisUnderwood Aug 17, 2022
a98950f
Merge branch 'dev' into zap-define-csp
CurtisUnderwood Sep 7, 2022
e23e04a
removed dangerousinsethtml
CurtisUnderwood Sep 7, 2022
6ab2745
moved csp to config
CurtisUnderwood Sep 8, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions __tests__/pages/_document.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,16 @@
import '@testing-library/jest-dom'
import MyDocument from '../../pages/_document'
import * as utils from '../../lib/Utils.js'
CurtisUnderwood marked this conversation as resolved.
Show resolved Hide resolved

describe('_document', () => {
jest.spyOn(utils, 'generateNonce').mockReturnValue('test')
CurtisUnderwood marked this conversation as resolved.
Show resolved Hide resolved
it('returns initialProps', async () => {
const props = { html: 'html', head: 'head', styles: 'styles' }
const props = {
html: 'html',
head: 'head',
styles: 'styles',
nonce: 'test',
}
const result = await MyDocument.getInitialProps({
defaultGetInitialProps: async (docCtx, options = {}) => {
return props
Expand All @@ -13,7 +20,7 @@ describe('_document', () => {
})

it('renders', () => {
const sut = new MyDocument()
const sut = new MyDocument({ nonce: 'test' })
const result = sut.render()
expect(result).toBeTruthy()
})
Expand Down
6 changes: 6 additions & 0 deletions lib/Utils.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,3 +39,9 @@ export function getGreeting(time) {
return 'greeting'
}
}

import crypto from 'crypto'
CurtisUnderwood marked this conversation as resolved.
Show resolved Hide resolved

export function generateNonce() {
return crypto.randomBytes(16).toString('base64')
}
4 changes: 0 additions & 4 deletions next.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,10 +31,6 @@ const securityHeaders = [
key: 'Referrer-Policy',
value: 'same-origin',
},
{
key: 'Content-Security-Policy',
value: `frame-ancestors 'self'`,
},
{
key: 'X-Frame-Options',
value: 'SAMEORIGIN',
Expand Down
33 changes: 30 additions & 3 deletions pages/_document.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,27 +1,54 @@
import Document, { Html, Head, Main, NextScript } from 'next/document'
import { generateNonce } from '../lib/Utils.js'
CurtisUnderwood marked this conversation as resolved.
Show resolved Hide resolved
import Script from 'next/script'

class MyDocument extends Document {
static async getInitialProps(ctx) {
const nonce = generateNonce()
const initialProps = await Document.getInitialProps(ctx)
return { ...initialProps }
//set csp
let csp = ``
csp += `base-uri 'self';`
csp += `form-action 'self';`
csp += `default-src 'self';`
csp += `script-src 'self' 'nonce-${nonce}' 'unsafe-eval';`
csp += `style-src 'self' https://fonts.googleapis.com 'unsafe-inline';`
csp += `img-src 'self' data: blob:;`
csp += `font-src 'self' https://fonts.gstatic.com data:;`
csp += `frame-ancestors 'self';`

if (ctx.res) {
ctx.res.setHeader('Content-Security-Policy', csp)
}

return { ...initialProps, nonce }
CurtisUnderwood marked this conversation as resolved.
Show resolved Hide resolved
}

render() {
const { nonce } = this.props
return (
<Html className="no-js" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">
<Head prefix="og:http://ogp.me/ns#"></Head>
<Head nonce={nonce} prefix="og:http://ogp.me/ns#"></Head>
<body>
<Main />
<NextScript />
<NextScript nonce={nonce} />
<script
async
src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"
nonce={nonce}
dangerouslySetInnerHTML={{
__html: `window.__webpack_nonce__ = "${nonce}"`,
}}
></script>
{process.env.NEXT_PUBLIC_ADOBE_ANALYTICS_URL ? (
<Script
id="1"
strategy="beforeInteractive"
src={process.env.NEXT_PUBLIC_ADOBE_ANALYTICS_URL}
nonce={nonce}
dangerouslySetInnerHTML={{
CurtisUnderwood marked this conversation as resolved.
Show resolved Hide resolved
__html: `window.__webpack_nonce__ = "${nonce}"`,
}}
/>
) : null}
</body>
Expand Down