0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-16 20:26:19 -05:00

fix: use only necessary domains in CSP (#3864)

This commit is contained in:
Gao Sun 2023-05-18 18:12:31 +08:00 committed by GitHub
parent 497d5b5262
commit 7a3be91e35
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 27 deletions

View file

@ -34,7 +34,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
const adminOrigins = adminUrlSet.origins;
const cloudOrigins = cloudUrlSet.origins;
const urlSetOrigins = urlSet.origins;
const coreOrigins = urlSet.origins;
const developmentOrigins = conditionalArray(!isProduction && 'ws:');
const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
@ -94,11 +94,11 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
"'self'",
...adminOrigins,
...cloudOrigins,
...urlSetOrigins,
...coreOrigins,
...developmentOrigins,
...appInsightsOrigins,
],
frameSrc: ["'self'", ...urlSetOrigins, ...adminOrigins],
frameSrc: ["'self'", ...coreOrigins, ...adminOrigins],
},
},
},

View file

@ -1,7 +1,6 @@
import { type IncomingMessage, type ServerResponse } from 'node:http';
import { promisify } from 'node:util';
import { defaultTenantId } from '@logto/schemas';
import { conditionalArray } from '@silverhand/essentials';
import helmet, { type HelmetOptions } from 'helmet';
import type { MiddlewareType } from 'koa';
@ -31,14 +30,12 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
mountedApps: string[],
tenantId: string
): MiddlewareType<StateT, ContextT, ResponseBodyT> {
const { isProduction, isCloud, isMultiTenancy, adminUrlSet, cloudUrlSet } = EnvSet.values;
const { isProduction, isCloud, urlSet, adminUrlSet, cloudUrlSet } = EnvSet.values;
const adminOrigins = adminUrlSet.origins;
const cloudOrigins = conditionalArray(isCloud && cloudUrlSet.origins);
const tenantEndpointOrigin = getTenantEndpoint(
isMultiTenancy ? tenantId : defaultTenantId,
EnvSet.values
).origin;
const tenantEndpointOrigin = getTenantEndpoint(tenantId, EnvSet.values).origin;
// Logto Cloud uses cloud service to serve the admin console; while Logto OSS uses a fixed path under the admin URL set.
const adminOrigins = isCloud ? cloudUrlSet.origins : adminUrlSet.origins;
const coreOrigins = urlSet.origins;
const developmentOrigins = conditionalArray(!isProduction && 'ws:');
const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
@ -80,17 +77,11 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
'upgrade-insecure-requests': null,
imgSrc: ["'self'", 'data:', 'https:'],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
connectSrc: [
"'self'",
...adminOrigins,
...cloudOrigins,
...developmentOrigins,
...appInsightsOrigins,
],
connectSrc: ["'self'", tenantEndpointOrigin, ...developmentOrigins, ...appInsightsOrigins],
// WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe
frameSrc: ["'self'", 'https:'],
// Alow loaded by console preview iframe
frameAncestors: ["'self'", ...adminOrigins, ...cloudOrigins],
frameAncestors: ["'self'", ...adminOrigins],
},
},
};
@ -105,15 +96,9 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
'upgrade-insecure-requests': null,
imgSrc: ["'self'", 'data:', 'https:'],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
connectSrc: [
"'self'",
tenantEndpointOrigin,
...adminOrigins,
...cloudOrigins,
...developmentOrigins,
],
connectSrc: ["'self'", ...adminOrigins, ...coreOrigins, ...developmentOrigins],
// Allow Main Flow origin loaded in preview iframe
frameSrc: ["'self'", tenantEndpointOrigin],
frameSrc: ["'self'", ...adminOrigins, ...coreOrigins],
},
},
};