Hardening of CSP (#7621)

This commit is contained in:
Tomasz Drwięga 2018-01-19 10:38:00 +01:00 committed by Marek Kotewicz
parent f8bf7e7d41
commit 58645d3908
5 changed files with 219 additions and 1329 deletions

View File

@ -47,6 +47,8 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
// Content Security Policy headers // Content Security Policy headers
headers.set_raw("Content-Security-Policy", String::new() headers.set_raw("Content-Security-Policy", String::new()
// Restrict everything to the same origin by default.
+ "default-src 'self';"
// Allow connecting to WS servers and HTTP(S) servers. // Allow connecting to WS servers and HTTP(S) servers.
// We could be more restrictive and allow only RPC server URL. // We could be more restrictive and allow only RPC server URL.
+ "connect-src http: https: ws: wss:;" + "connect-src http: https: ws: wss:;"
@ -64,7 +66,9 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
+ "style-src 'self' 'unsafe-inline' data: blob: https:;" + "style-src 'self' 'unsafe-inline' data: blob: https:;"
// Allow fonts from data: and HTTPS. // Allow fonts from data: and HTTPS.
+ "font-src 'self' data: https:;" + "font-src 'self' data: https:;"
// Allow inline scripts and scripts eval (webpack/jsconsole) // Disallow objects
+ "object-src 'none';"
// Allow scripts
+ { + {
let script_src = embeddable_on.as_ref() let script_src = embeddable_on.as_ref()
.map(|e| e.extra_script_src.iter() .map(|e| e.extra_script_src.iter()
@ -72,18 +76,16 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
.join(" ") .join(" ")
).unwrap_or_default(); ).unwrap_or_default();
&format!( &format!(
"script-src 'self' 'unsafe-inline' 'unsafe-eval' {};", "script-src 'self' {};",
script_src script_src
) )
} }
// Same restrictions as script-src with additional // Same restrictions as script-src with additional
// blob: that is required for camera access (worker) // blob: that is required for camera access (worker)
+ "worker-src 'self' 'unsafe-inline' 'unsafe-eval' https: blob:;" + "worker-src 'self' https: blob:;"
// Restrict everything else to the same origin.
+ "default-src 'self';"
// Run in sandbox mode (although it's not fully safe since we allow same-origin and script) // Run in sandbox mode (although it's not fully safe since we allow same-origin and script)
+ "sandbox allow-same-origin allow-forms allow-modals allow-popups allow-presentation allow-scripts;" + "sandbox allow-same-origin allow-forms allow-modals allow-popups allow-presentation allow-scripts;"
// Disallow subitting forms from any dapps // Disallow submitting forms from any dapps
+ "form-action 'none';" + "form-action 'none';"
// Never allow mixed content // Never allow mixed content
+ "block-all-mixed-content;" + "block-all-mixed-content;"

1504
js/package-lock.json generated

File diff suppressed because it is too large Load Diff

View File

@ -170,7 +170,6 @@
"redux": "3.7.2", "redux": "3.7.2",
"semantic-ui-react": "0.77.0", "semantic-ui-react": "0.77.0",
"solc": "ngotchac/solc-js", "solc": "ngotchac/solc-js",
"store": "1.3.20", "store": "1.3.20"
"web3": "1.0.0-beta.26"
} }
} }

View File

@ -16,7 +16,6 @@
import Api from '@parity/api'; import Api from '@parity/api';
import qs from 'query-string'; import qs from 'query-string';
import Web3 from 'web3';
function initProvider () { function initProvider () {
const path = window.location.pathname.split('/'); const path = window.location.pathname.split('/');
@ -48,24 +47,9 @@ function initProvider () {
} }
function initWeb3 (ethereum) { function initWeb3 (ethereum) {
// FIXME: Use standard provider for web3 const currentProvider = new Api.Provider.SendAsync(ethereum);
const provider = new Api.Provider.SendAsync(ethereum);
const web3 = new Web3(provider);
if (!web3.currentProvider) { window.web3 = { currentProvider };
web3.currentProvider = provider;
}
// set default account
web3.eth.getAccounts((error, accounts) => {
if (error || !accounts || !accounts[0]) {
return;
}
web3.eth.defaultAccount = accounts[0];
});
window.web3 = web3;
} }
function initParity (ethereum) { function initParity (ethereum) {

View File

@ -584,7 +584,12 @@ impl Configuration {
let mut extra_embed = dev_ui.clone(); let mut extra_embed = dev_ui.clone();
match self.ui_hosts() { match self.ui_hosts() {
// In case host validation is disabled allow all frame ancestors // In case host validation is disabled allow all frame ancestors
None => extra_embed.push(("*".to_owned(), ui_port)), None => {
// NOTE Chrome does not seem to support "*:<port>"
// we use `http(s)://*:<port>` instead.
extra_embed.push(("http://*".to_owned(), ui_port));
extra_embed.push(("https://*".to_owned(), ui_port));
},
Some(hosts) => extra_embed.extend(hosts.into_iter().filter_map(|host| { Some(hosts) => extra_embed.extend(hosts.into_iter().filter_map(|host| {
let mut it = host.split(":"); let mut it = host.split(":");
let host = it.next(); let host = it.next();