
fix: use only necessary domains in CSP (#3864)

This commit is contained in:
Gao Sun 2023-05-18 18:12:31 +08:00 committed by GitHub
parent 497d5b5262
commit 7a3be91e35
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 27 deletions


@ -34,7 +34,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
const adminOrigins = adminUrlSet.origins; const adminOrigins = adminUrlSet.origins;
const cloudOrigins = cloudUrlSet.origins; const cloudOrigins = cloudUrlSet.origins;
const urlSetOrigins = urlSet.origins; const coreOrigins = urlSet.origins;
const developmentOrigins = conditionalArray(!isProduction && 'ws:'); const developmentOrigins = conditionalArray(!isProduction && 'ws:');
const appInsightsOrigins = ['https://*.applicationinsights.azure.com']; const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
@ -94,11 +94,11 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
"'self'", "'self'",
...adminOrigins, ...adminOrigins,
...cloudOrigins, ...cloudOrigins,
...urlSetOrigins, ...coreOrigins,
...developmentOrigins, ...developmentOrigins,
...appInsightsOrigins, ...appInsightsOrigins,
], ],
frameSrc: ["'self'", ...urlSetOrigins, ...adminOrigins], frameSrc: ["'self'", ...coreOrigins, ...adminOrigins],
}, },
}, },
}, },


@ -1,7 +1,6 @@
import { type IncomingMessage, type ServerResponse } from 'node:http'; import { type IncomingMessage, type ServerResponse } from 'node:http';
import { promisify } from 'node:util'; import { promisify } from 'node:util';
import { defaultTenantId } from '@logto/schemas';
import { conditionalArray } from '@silverhand/essentials'; import { conditionalArray } from '@silverhand/essentials';
import helmet, { type HelmetOptions } from 'helmet'; import helmet, { type HelmetOptions } from 'helmet';
import type { MiddlewareType } from 'koa'; import type { MiddlewareType } from 'koa';
@ -31,14 +30,12 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
mountedApps: string[], mountedApps: string[],
tenantId: string tenantId: string
): MiddlewareType<StateT, ContextT, ResponseBodyT> { ): MiddlewareType<StateT, ContextT, ResponseBodyT> {
const { isProduction, isCloud, isMultiTenancy, adminUrlSet, cloudUrlSet } = EnvSet.values; const { isProduction, isCloud, urlSet, adminUrlSet, cloudUrlSet } = EnvSet.values;
const adminOrigins = adminUrlSet.origins; const tenantEndpointOrigin = getTenantEndpoint(tenantId, EnvSet.values).origin;
const cloudOrigins = conditionalArray(isCloud && cloudUrlSet.origins); // Logto Cloud uses cloud service to serve the admin console; while Logto OSS uses a fixed path under the admin URL set.
const tenantEndpointOrigin = getTenantEndpoint( const adminOrigins = isCloud ? cloudUrlSet.origins : adminUrlSet.origins;
isMultiTenancy ? tenantId : defaultTenantId, const coreOrigins = urlSet.origins;
EnvSet.values
).origin;
const developmentOrigins = conditionalArray(!isProduction && 'ws:'); const developmentOrigins = conditionalArray(!isProduction && 'ws:');
const appInsightsOrigins = ['https://*.applicationinsights.azure.com']; const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
@ -80,17 +77,11 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
'upgrade-insecure-requests': null, 'upgrade-insecure-requests': null,
imgSrc: ["'self'", 'data:', 'https:'], imgSrc: ["'self'", 'data:', 'https:'],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"], scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
connectSrc: [ connectSrc: ["'self'", tenantEndpointOrigin, ...developmentOrigins, ...appInsightsOrigins],
"'self'",
...adminOrigins,
...cloudOrigins,
...developmentOrigins,
...appInsightsOrigins,
],
// WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe // WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe
frameSrc: ["'self'", 'https:'], frameSrc: ["'self'", 'https:'],
// Alow loaded by console preview iframe // Alow loaded by console preview iframe
frameAncestors: ["'self'", ...adminOrigins, ...cloudOrigins], frameAncestors: ["'self'", ...adminOrigins],
}, },
}, },
}; };
@ -105,15 +96,9 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
'upgrade-insecure-requests': null, 'upgrade-insecure-requests': null,
imgSrc: ["'self'", 'data:', 'https:'], imgSrc: ["'self'", 'data:', 'https:'],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"], scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
connectSrc: [ connectSrc: ["'self'", ...adminOrigins, ...coreOrigins, ...developmentOrigins],
"'self'",
tenantEndpointOrigin,
...adminOrigins,
...cloudOrigins,
...developmentOrigins,
],
// Allow Main Flow origin loaded in preview iframe // Allow Main Flow origin loaded in preview iframe
frameSrc: ["'self'", tenantEndpointOrigin], frameSrc: ["'self'", ...adminOrigins, ...coreOrigins],
}, },
}, },
}; };
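Review bot: The admin-console CSP in the last hunk drops `tenantEndpointOrigin` from both `connectSrc` and `frameSrc` in favour of `...coreOrigins`, so the console preview iframe and its requests to the tenant now rely on `urlSet.origins` actually covering whatever `getTenantEndpoint(tenantId, EnvSet.values).origin` resolves to; in a multi-tenant deployment where the tenant endpoint is a per-tenant subdomain, that only holds if `urlSet.origins` carries a matching wildcard entry, which this diff does not show. Since `tenantEndpointOrigin` is still computed a few lines above the hunk and is unused by the admin-console block after this change, keeping it alongside the new entries, `frameSrc: ["'self'", ...adminOrigins, ...coreOrigins, tenantEndpointOrigin]`, costs nothing and keeps the preview working regardless of that configuration; alternatively a short comment stating the invariant that `urlSet.origins` covers every tenant endpoint would make the assumption explicit. The main-flow `frameAncestors` in the third hunk now lists only `adminOrigins`, which under `isCloud` is `cloudUrlSet.origins` alone, so an admin console served from `adminUrlSet` can no longer embed the sign-in preview when running on cloud — worth confirming that is intended rather than a side effect of the simplification. `koaSecurityHeaders` begins before this hunk and the condition selecting between the two CSP blocks is outside it.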