Hardening of CSP (#7621)
This commit is contained in:
parent
f8bf7e7d41
commit
58645d3908
@ -47,6 +47,8 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
|
||||
|
||||
// Content Security Policy headers
|
||||
headers.set_raw("Content-Security-Policy", String::new()
|
||||
// Restrict everything to the same origin by default.
|
||||
+ "default-src 'self';"
|
||||
// Allow connecting to WS servers and HTTP(S) servers.
|
||||
// We could be more restrictive and allow only RPC server URL.
|
||||
+ "connect-src http: https: ws: wss:;"
|
||||
@ -64,7 +66,9 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
|
||||
+ "style-src 'self' 'unsafe-inline' data: blob: https:;"
|
||||
// Allow fonts from data: and HTTPS.
|
||||
+ "font-src 'self' data: https:;"
|
||||
// Allow inline scripts and scripts eval (webpack/jsconsole)
|
||||
// Disallow objects
|
||||
+ "object-src 'none';"
|
||||
// Allow scripts
|
||||
+ {
|
||||
let script_src = embeddable_on.as_ref()
|
||||
.map(|e| e.extra_script_src.iter()
|
||||
@ -72,18 +76,16 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
|
||||
.join(" ")
|
||||
).unwrap_or_default();
|
||||
&format!(
|
||||
"script-src 'self' 'unsafe-inline' 'unsafe-eval' {};",
|
||||
"script-src 'self' {};",
|
||||
script_src
|
||||
)
|
||||
}
|
||||
// Same restrictions as script-src with additional
|
||||
// blob: that is required for camera access (worker)
|
||||
+ "worker-src 'self' 'unsafe-inline' 'unsafe-eval' https: blob:;"
|
||||
// Restrict everything else to the same origin.
|
||||
+ "default-src 'self';"
|
||||
+ "worker-src 'self' https: blob:;"
|
||||
// Run in sandbox mode (although it's not fully safe since we allow same-origin and script)
|
||||
+ "sandbox allow-same-origin allow-forms allow-modals allow-popups allow-presentation allow-scripts;"
|
||||
// Disallow subitting forms from any dapps
|
||||
// Disallow submitting forms from any dapps
|
||||
+ "form-action 'none';"
|
||||
// Never allow mixed content
|
||||
+ "block-all-mixed-content;"
|
||||
|
1504
js/package-lock.json
generated
1504
js/package-lock.json
generated
File diff suppressed because it is too large
Load Diff
@ -170,7 +170,6 @@
|
||||
"redux": "3.7.2",
|
||||
"semantic-ui-react": "0.77.0",
|
||||
"solc": "ngotchac/solc-js",
|
||||
"store": "1.3.20",
|
||||
"web3": "1.0.0-beta.26"
|
||||
"store": "1.3.20"
|
||||
}
|
||||
}
|
||||
|
@ -16,7 +16,6 @@
|
||||
|
||||
import Api from '@parity/api';
|
||||
import qs from 'query-string';
|
||||
import Web3 from 'web3';
|
||||
|
||||
function initProvider () {
|
||||
const path = window.location.pathname.split('/');
|
||||
@ -48,24 +47,9 @@ function initProvider () {
|
||||
}
|
||||
|
||||
function initWeb3 (ethereum) {
|
||||
// FIXME: Use standard provider for web3
|
||||
const provider = new Api.Provider.SendAsync(ethereum);
|
||||
const web3 = new Web3(provider);
|
||||
const currentProvider = new Api.Provider.SendAsync(ethereum);
|
||||
|
||||
if (!web3.currentProvider) {
|
||||
web3.currentProvider = provider;
|
||||
}
|
||||
|
||||
// set default account
|
||||
web3.eth.getAccounts((error, accounts) => {
|
||||
if (error || !accounts || !accounts[0]) {
|
||||
return;
|
||||
}
|
||||
|
||||
web3.eth.defaultAccount = accounts[0];
|
||||
});
|
||||
|
||||
window.web3 = web3;
|
||||
window.web3 = { currentProvider };
|
||||
}
|
||||
|
||||
function initParity (ethereum) {
|
||||
|
@ -584,7 +584,12 @@ impl Configuration {
|
||||
let mut extra_embed = dev_ui.clone();
|
||||
match self.ui_hosts() {
|
||||
// In case host validation is disabled allow all frame ancestors
|
||||
None => extra_embed.push(("*".to_owned(), ui_port)),
|
||||
None => {
|
||||
// NOTE Chrome does not seem to support "*:<port>"
|
||||
// we use `http(s)://*:<port>` instead.
|
||||
extra_embed.push(("http://*".to_owned(), ui_port));
|
||||
extra_embed.push(("https://*".to_owned(), ui_port));
|
||||
},
|
||||
Some(hosts) => extra_embed.extend(hosts.into_iter().filter_map(|host| {
|
||||
let mut it = host.split(":");
|
||||
let host = it.next();
|
||||
|
Loading…
Reference in New Issue
Block a user