Hardening of CSP (#7621)
This commit is contained in:
parent
f8bf7e7d41
commit
58645d3908
@ -47,6 +47,8 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
|
|||||||
|
|
||||||
// Content Security Policy headers
|
// Content Security Policy headers
|
||||||
headers.set_raw("Content-Security-Policy", String::new()
|
headers.set_raw("Content-Security-Policy", String::new()
|
||||||
|
// Restrict everything to the same origin by default.
|
||||||
|
+ "default-src 'self';"
|
||||||
// Allow connecting to WS servers and HTTP(S) servers.
|
// Allow connecting to WS servers and HTTP(S) servers.
|
||||||
// We could be more restrictive and allow only RPC server URL.
|
// We could be more restrictive and allow only RPC server URL.
|
||||||
+ "connect-src http: https: ws: wss:;"
|
+ "connect-src http: https: ws: wss:;"
|
||||||
@ -64,7 +66,9 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
|
|||||||
+ "style-src 'self' 'unsafe-inline' data: blob: https:;"
|
+ "style-src 'self' 'unsafe-inline' data: blob: https:;"
|
||||||
// Allow fonts from data: and HTTPS.
|
// Allow fonts from data: and HTTPS.
|
||||||
+ "font-src 'self' data: https:;"
|
+ "font-src 'self' data: https:;"
|
||||||
// Allow inline scripts and scripts eval (webpack/jsconsole)
|
// Disallow objects
|
||||||
|
+ "object-src 'none';"
|
||||||
|
// Allow scripts
|
||||||
+ {
|
+ {
|
||||||
let script_src = embeddable_on.as_ref()
|
let script_src = embeddable_on.as_ref()
|
||||||
.map(|e| e.extra_script_src.iter()
|
.map(|e| e.extra_script_src.iter()
|
||||||
@ -72,18 +76,16 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
|
|||||||
.join(" ")
|
.join(" ")
|
||||||
).unwrap_or_default();
|
).unwrap_or_default();
|
||||||
&format!(
|
&format!(
|
||||||
"script-src 'self' 'unsafe-inline' 'unsafe-eval' {};",
|
"script-src 'self' {};",
|
||||||
script_src
|
script_src
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
// Same restrictions as script-src with additional
|
// Same restrictions as script-src with additional
|
||||||
// blob: that is required for camera access (worker)
|
// blob: that is required for camera access (worker)
|
||||||
+ "worker-src 'self' 'unsafe-inline' 'unsafe-eval' https: blob:;"
|
+ "worker-src 'self' https: blob:;"
|
||||||
// Restrict everything else to the same origin.
|
|
||||||
+ "default-src 'self';"
|
|
||||||
// Run in sandbox mode (although it's not fully safe since we allow same-origin and script)
|
// Run in sandbox mode (although it's not fully safe since we allow same-origin and script)
|
||||||
+ "sandbox allow-same-origin allow-forms allow-modals allow-popups allow-presentation allow-scripts;"
|
+ "sandbox allow-same-origin allow-forms allow-modals allow-popups allow-presentation allow-scripts;"
|
||||||
// Disallow subitting forms from any dapps
|
// Disallow submitting forms from any dapps
|
||||||
+ "form-action 'none';"
|
+ "form-action 'none';"
|
||||||
// Never allow mixed content
|
// Never allow mixed content
|
||||||
+ "block-all-mixed-content;"
|
+ "block-all-mixed-content;"
|
||||||
|
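Review bot: The comment `// Same restrictions as script-src with additional blob:` above `worker-src` no longer matches the code it describes: the new `script-src` is `'self'` plus the configured `extra_script_src` values, while `worker-src 'self' https: blob:` still admits worker scripts from any HTTPS origin and omits the configured list. Either reword the comment to say that workers are intentionally broader than scripts, or hoist the joined `script_src` string out of the block and build both directives from it, e.g. `&format!("worker-src 'self' blob: {};", script_src)`, so the two policies stay in step. `style-src` likewise keeps `'unsafe-inline'` and `https:` after this hardening; if that is deliberate, a one-line comment giving the reason would help the next reader. The middle of the `script_src` computation falls between the second and third hunks and is not visible here.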
1504
js/package-lock.json
generated
@ -170,7 +170,6 @@
|
|||||||
"redux": "3.7.2",
|
"redux": "3.7.2",
|
||||||
"semantic-ui-react": "0.77.0",
|
"semantic-ui-react": "0.77.0",
|
||||||
"solc": "ngotchac/solc-js",
|
"solc": "ngotchac/solc-js",
|
||||||
"store": "1.3.20",
|
"store": "1.3.20"
|
||||||
"web3": "1.0.0-beta.26"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -16,7 +16,6 @@
|
|||||||
|
|
||||||
import Api from '@parity/api';
|
import Api from '@parity/api';
|
||||||
import qs from 'query-string';
|
import qs from 'query-string';
|
||||||
import Web3 from 'web3';
|
|
||||||
|
|
||||||
function initProvider () {
|
function initProvider () {
|
||||||
const path = window.location.pathname.split('/');
|
const path = window.location.pathname.split('/');
|
||||||
@ -48,24 +47,9 @@ function initProvider () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function initWeb3 (ethereum) {
|
function initWeb3 (ethereum) {
|
||||||
// FIXME: Use standard provider for web3
|
const currentProvider = new Api.Provider.SendAsync(ethereum);
|
||||||
const provider = new Api.Provider.SendAsync(ethereum);
|
|
||||||
const web3 = new Web3(provider);
|
|
||||||
|
|
||||||
if (!web3.currentProvider) {
|
window.web3 = { currentProvider };
|
||||||
web3.currentProvider = provider;
|
|
||||||
}
|
|
||||||
|
|
||||||
// set default account
|
|
||||||
web3.eth.getAccounts((error, accounts) => {
|
|
||||||
if (error || !accounts || !accounts[0]) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
web3.eth.defaultAccount = accounts[0];
|
|
||||||
});
|
|
||||||
|
|
||||||
window.web3 = web3;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function initParity (ethereum) {
|
function initParity (ethereum) {
|
||||||
|
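Review bot: The `// FIXME: Use standard provider for web3` comment on the new `initWeb3` does not say that `window.web3` is now a bare object exposing only `currentProvider`, so the `web3.eth` API and the default-account setup the old body performed via `web3.eth.getAccounts` are gone for any dapp relying on this injected script. Suggest making that explicit, e.g. `// FIXME: window.web3 is a minimal shim ({ currentProvider }); dapps needing the full web3 API must bundle it themselves`, so the reduced surface reads as intentional rather than accidental. The `web3` import is dropped in the hunk above and the dependency is removed from `js/package.json`, which is consistent with the shim.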
@ -584,7 +584,12 @@ impl Configuration {
|
|||||||
let mut extra_embed = dev_ui.clone();
|
let mut extra_embed = dev_ui.clone();
|
||||||
match self.ui_hosts() {
|
match self.ui_hosts() {
|
||||||
// In case host validation is disabled allow all frame ancestors
|
// In case host validation is disabled allow all frame ancestors
|
||||||
None => extra_embed.push(("*".to_owned(), ui_port)),
|
None => {
|
||||||
|
// NOTE Chrome does not seem to support "*:<port>"
|
||||||
|
// we use `http(s)://*:<port>` instead.
|
||||||
|
extra_embed.push(("http://*".to_owned(), ui_port));
|
||||||
|
extra_embed.push(("https://*".to_owned(), ui_port));
|
||||||
|
},
|
||||||
Some(hosts) => extra_embed.extend(hosts.into_iter().filter_map(|host| {
|
Some(hosts) => extra_embed.extend(hosts.into_iter().filter_map(|host| {
|
||||||
let mut it = host.split(":");
|
let mut it = host.split(":");
|
||||||
let host = it.next();
|
let host = it.next();
|
||||||
|