fix: use only necessary domains in CSP (#3864)
This commit is contained in:
parent
497d5b5262
commit
7a3be91e35
2 changed files with 12 additions and 27 deletions
|
@ -34,7 +34,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
|
||||||
|
|
||||||
const adminOrigins = adminUrlSet.origins;
|
const adminOrigins = adminUrlSet.origins;
|
||||||
const cloudOrigins = cloudUrlSet.origins;
|
const cloudOrigins = cloudUrlSet.origins;
|
||||||
const urlSetOrigins = urlSet.origins;
|
const coreOrigins = urlSet.origins;
|
||||||
const developmentOrigins = conditionalArray(!isProduction && 'ws:');
|
const developmentOrigins = conditionalArray(!isProduction && 'ws:');
|
||||||
const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
|
const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
|
||||||
|
|
||||||
|
@ -94,11 +94,11 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
|
||||||
"'self'",
|
"'self'",
|
||||||
...adminOrigins,
|
...adminOrigins,
|
||||||
...cloudOrigins,
|
...cloudOrigins,
|
||||||
...urlSetOrigins,
|
...coreOrigins,
|
||||||
...developmentOrigins,
|
...developmentOrigins,
|
||||||
...appInsightsOrigins,
|
...appInsightsOrigins,
|
||||||
],
|
],
|
||||||
frameSrc: ["'self'", ...urlSetOrigins, ...adminOrigins],
|
frameSrc: ["'self'", ...coreOrigins, ...adminOrigins],
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
import { type IncomingMessage, type ServerResponse } from 'node:http';
|
import { type IncomingMessage, type ServerResponse } from 'node:http';
|
||||||
import { promisify } from 'node:util';
|
import { promisify } from 'node:util';
|
||||||
|
|
||||||
import { defaultTenantId } from '@logto/schemas';
|
|
||||||
import { conditionalArray } from '@silverhand/essentials';
|
import { conditionalArray } from '@silverhand/essentials';
|
||||||
import helmet, { type HelmetOptions } from 'helmet';
|
import helmet, { type HelmetOptions } from 'helmet';
|
||||||
import type { MiddlewareType } from 'koa';
|
import type { MiddlewareType } from 'koa';
|
||||||
|
@ -31,14 +30,12 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
|
||||||
mountedApps: string[],
|
mountedApps: string[],
|
||||||
tenantId: string
|
tenantId: string
|
||||||
): MiddlewareType<StateT, ContextT, ResponseBodyT> {
|
): MiddlewareType<StateT, ContextT, ResponseBodyT> {
|
||||||
const { isProduction, isCloud, isMultiTenancy, adminUrlSet, cloudUrlSet } = EnvSet.values;
|
const { isProduction, isCloud, urlSet, adminUrlSet, cloudUrlSet } = EnvSet.values;
|
||||||
|
|
||||||
const adminOrigins = adminUrlSet.origins;
|
const tenantEndpointOrigin = getTenantEndpoint(tenantId, EnvSet.values).origin;
|
||||||
const cloudOrigins = conditionalArray(isCloud && cloudUrlSet.origins);
|
// Logto Cloud uses cloud service to serve the admin console; while Logto OSS uses a fixed path under the admin URL set.
|
||||||
const tenantEndpointOrigin = getTenantEndpoint(
|
const adminOrigins = isCloud ? cloudUrlSet.origins : adminUrlSet.origins;
|
||||||
isMultiTenancy ? tenantId : defaultTenantId,
|
const coreOrigins = urlSet.origins;
|
||||||
EnvSet.values
|
|
||||||
).origin;
|
|
||||||
const developmentOrigins = conditionalArray(!isProduction && 'ws:');
|
const developmentOrigins = conditionalArray(!isProduction && 'ws:');
|
||||||
const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
|
const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
|
||||||
|
|
||||||
|
@ -80,17 +77,11 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
|
||||||
'upgrade-insecure-requests': null,
|
'upgrade-insecure-requests': null,
|
||||||
imgSrc: ["'self'", 'data:', 'https:'],
|
imgSrc: ["'self'", 'data:', 'https:'],
|
||||||
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
|
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
|
||||||
connectSrc: [
|
connectSrc: ["'self'", tenantEndpointOrigin, ...developmentOrigins, ...appInsightsOrigins],
|
||||||
"'self'",
|
|
||||||
...adminOrigins,
|
|
||||||
...cloudOrigins,
|
|
||||||
...developmentOrigins,
|
|
||||||
...appInsightsOrigins,
|
|
||||||
],
|
|
||||||
// WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe
|
// WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe
|
||||||
frameSrc: ["'self'", 'https:'],
|
frameSrc: ["'self'", 'https:'],
|
||||||
// Alow loaded by console preview iframe
|
// Alow loaded by console preview iframe
|
||||||
frameAncestors: ["'self'", ...adminOrigins, ...cloudOrigins],
|
frameAncestors: ["'self'", ...adminOrigins],
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
@ -105,15 +96,9 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
|
||||||
'upgrade-insecure-requests': null,
|
'upgrade-insecure-requests': null,
|
||||||
imgSrc: ["'self'", 'data:', 'https:'],
|
imgSrc: ["'self'", 'data:', 'https:'],
|
||||||
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
|
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
|
||||||
connectSrc: [
|
connectSrc: ["'self'", ...adminOrigins, ...coreOrigins, ...developmentOrigins],
|
||||||
"'self'",
|
|
||||||
tenantEndpointOrigin,
|
|
||||||
...adminOrigins,
|
|
||||||
...cloudOrigins,
|
|
||||||
...developmentOrigins,
|
|
||||||
],
|
|
||||||
// Allow Main Flow origin loaded in preview iframe
|
// Allow Main Flow origin loaded in preview iframe
|
||||||
frameSrc: ["'self'", tenantEndpointOrigin],
|
frameSrc: ["'self'", ...adminOrigins, ...coreOrigins],
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
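Review bot: In the `@ -105,15 +96,9` hunk, `frameSrc` changes from the single `tenantEndpointOrigin` to `["'self'", ...adminOrigins, ...coreOrigins]`, which widens the frame allow-list from one tenant endpoint to every core and admin origin even though the commit title says only necessary domains should remain. If the preview iframe only needs the current tenant's endpoint, `frameSrc: ["'self'", tenantEndpointOrigin]` is the narrower form; if the wider list is intended, a comment such as `// Preview iframe may be served from any core origin, not only the current tenant endpoint` next to the existing "Allow Main Flow origin" comment would record why. The `@ -31,14 +30,12` hunk also drops the `isMultiTenancy ? tenantId : defaultTenantId` selection, so single-tenant deployments now call `getTenantEndpoint(tenantId, EnvSet.values)` directly; that is only equivalent if `getTenantEndpoint` resolves the default tenant itself, which is not visible in this diff and is worth confirming. The enclosing `koaSecurityHeaders` body starts and ends outside these hunks.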