Hardening of CSP (#7621)

dapps/src/handlers/mod.rs

@@ -47,6 +47,8 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
 
 	// Content Security Policy headers
 	headers.set_raw("Content-Security-Policy", String::new()
+		// Restrict everything to the same origin by default.
+		+ "default-src 'self';"
 		// Allow connecting to WS servers and HTTP(S) servers.
 		// We could be more restrictive and allow only RPC server URL.
 		+ "connect-src http: https: ws: wss:;"
@@ -64,7 +66,9 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
 		+ "style-src 'self' 'unsafe-inline' data: blob: https:;"
 		// Allow fonts from data: and HTTPS.
 		+ "font-src 'self' data: https:;"
-		// Allow inline scripts and scripts eval (webpack/jsconsole)
+		// Disallow objects
+		+ "object-src 'none';"
+		// Allow scripts
 		+ {
 			let script_src = embeddable_on.as_ref()
 				.map(|e| e.extra_script_src.iter()
@@ -72,18 +76,16 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
 					 .join(" ")
 				).unwrap_or_default();
 			&format!(
-				"script-src 'self' 'unsafe-inline' 'unsafe-eval' {};",
+				"script-src 'self' {};",
 				script_src
 			)
 		}
 		// Same restrictions as script-src with additional
 		// blob: that is required for camera access (worker)
-		+ "worker-src 'self' 'unsafe-inline' 'unsafe-eval' https: blob:;"
-		// Restrict everything else to the same origin.
-		+ "default-src 'self';"
+		+ "worker-src 'self' https: blob:;"
 		// Run in sandbox mode (although it's not fully safe since we allow same-origin and script)
 		+ "sandbox allow-same-origin allow-forms allow-modals allow-popups allow-presentation allow-scripts;"
-		// Disallow subitting forms from any dapps
+		// Disallow submitting forms from any dapps
 		+ "form-action 'none';"
 		// Never allow mixed content
 		+ "block-all-mixed-content;"

js/package.json

@@ -170,7 +170,6 @@
     "redux": "3.7.2",
     "semantic-ui-react": "0.77.0",
     "solc": "ngotchac/solc-js",
-    "store": "1.3.20",
-    "web3": "1.0.0-beta.26"
+    "store": "1.3.20"
   }
 }

js/src/inject.js

@@ -16,7 +16,6 @@
 
 import Api from '@parity/api';
 import qs from 'query-string';
-import Web3 from 'web3';
 
 function initProvider () {
   const path = window.location.pathname.split('/');
@@ -48,24 +47,9 @@ function initProvider () {
 }
 
 function initWeb3 (ethereum) {
-  // FIXME: Use standard provider for web3
-  const provider = new Api.Provider.SendAsync(ethereum);
-  const web3 = new Web3(provider);
+  const currentProvider = new Api.Provider.SendAsync(ethereum);
 
-  if (!web3.currentProvider) {
-    web3.currentProvider = provider;
-  }
-
-  // set default account
-  web3.eth.getAccounts((error, accounts) => {
-    if (error || !accounts || !accounts[0]) {
-      return;
-    }
-
-    web3.eth.defaultAccount = accounts[0];
-  });
-
-  window.web3 = web3;
+  window.web3 = { currentProvider };
 }
 
 function initParity (ethereum) {

parity/configuration.rs

@@ -584,7 +584,12 @@ impl Configuration {
 				let mut extra_embed = dev_ui.clone();
 				match self.ui_hosts() {
 					// In case host validation is disabled allow all frame ancestors
-					None => extra_embed.push(("*".to_owned(), ui_port)),
+					None => {
+						// NOTE Chrome does not seem to support "*:<port>"
+						// we use `http(s)://*:<port>` instead.
+						extra_embed.push(("http://*".to_owned(), ui_port));
+						extra_embed.push(("https://*".to_owned(), ui_port));
+					},
 					Some(hosts) => extra_embed.extend(hosts.into_iter().filter_map(|host| {
 						let mut it = host.split(":");
 						let host = it.next();