mirror of
https://github.com/logto-io/logto.git
synced 2025-01-06 20:40:08 -05:00
fix: use only necessary domains in CSP (#3864)
This commit is contained in:
parent
497d5b5262
commit
7a3be91e35
2 changed files with 12 additions and 27 deletions
|
@ -34,7 +34,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
|
|||
|
||||
const adminOrigins = adminUrlSet.origins;
|
||||
const cloudOrigins = cloudUrlSet.origins;
|
||||
const urlSetOrigins = urlSet.origins;
|
||||
const coreOrigins = urlSet.origins;
|
||||
const developmentOrigins = conditionalArray(!isProduction && 'ws:');
|
||||
const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
|
||||
|
||||
|
@ -94,11 +94,11 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
|
|||
"'self'",
|
||||
...adminOrigins,
|
||||
...cloudOrigins,
|
||||
...urlSetOrigins,
|
||||
...coreOrigins,
|
||||
...developmentOrigins,
|
||||
...appInsightsOrigins,
|
||||
],
|
||||
frameSrc: ["'self'", ...urlSetOrigins, ...adminOrigins],
|
||||
frameSrc: ["'self'", ...coreOrigins, ...adminOrigins],
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
import { type IncomingMessage, type ServerResponse } from 'node:http';
|
||||
import { promisify } from 'node:util';
|
||||
|
||||
import { defaultTenantId } from '@logto/schemas';
|
||||
import { conditionalArray } from '@silverhand/essentials';
|
||||
import helmet, { type HelmetOptions } from 'helmet';
|
||||
import type { MiddlewareType } from 'koa';
|
||||
|
@ -31,14 +30,12 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
|
|||
mountedApps: string[],
|
||||
tenantId: string
|
||||
): MiddlewareType<StateT, ContextT, ResponseBodyT> {
|
||||
const { isProduction, isCloud, isMultiTenancy, adminUrlSet, cloudUrlSet } = EnvSet.values;
|
||||
const { isProduction, isCloud, urlSet, adminUrlSet, cloudUrlSet } = EnvSet.values;
|
||||
|
||||
const adminOrigins = adminUrlSet.origins;
|
||||
const cloudOrigins = conditionalArray(isCloud && cloudUrlSet.origins);
|
||||
const tenantEndpointOrigin = getTenantEndpoint(
|
||||
isMultiTenancy ? tenantId : defaultTenantId,
|
||||
EnvSet.values
|
||||
).origin;
|
||||
const tenantEndpointOrigin = getTenantEndpoint(tenantId, EnvSet.values).origin;
|
||||
// Logto Cloud uses cloud service to serve the admin console; while Logto OSS uses a fixed path under the admin URL set.
|
||||
const adminOrigins = isCloud ? cloudUrlSet.origins : adminUrlSet.origins;
|
||||
const coreOrigins = urlSet.origins;
|
||||
const developmentOrigins = conditionalArray(!isProduction && 'ws:');
|
||||
const appInsightsOrigins = ['https://*.applicationinsights.azure.com'];
|
||||
|
||||
|
@ -80,17 +77,11 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
|
|||
'upgrade-insecure-requests': null,
|
||||
imgSrc: ["'self'", 'data:', 'https:'],
|
||||
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
|
||||
connectSrc: [
|
||||
"'self'",
|
||||
...adminOrigins,
|
||||
...cloudOrigins,
|
||||
...developmentOrigins,
|
||||
...appInsightsOrigins,
|
||||
],
|
||||
connectSrc: ["'self'", tenantEndpointOrigin, ...developmentOrigins, ...appInsightsOrigins],
|
||||
// WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe
|
||||
frameSrc: ["'self'", 'https:'],
|
||||
// Alow loaded by console preview iframe
|
||||
frameAncestors: ["'self'", ...adminOrigins, ...cloudOrigins],
|
||||
frameAncestors: ["'self'", ...adminOrigins],
|
||||
},
|
||||
},
|
||||
};
|
||||
|
@ -105,15 +96,9 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
|
|||
'upgrade-insecure-requests': null,
|
||||
imgSrc: ["'self'", 'data:', 'https:'],
|
||||
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
|
||||
connectSrc: [
|
||||
"'self'",
|
||||
tenantEndpointOrigin,
|
||||
...adminOrigins,
|
||||
...cloudOrigins,
|
||||
...developmentOrigins,
|
||||
],
|
||||
connectSrc: ["'self'", ...adminOrigins, ...coreOrigins, ...developmentOrigins],
|
||||
// Allow Main Flow origin loaded in preview iframe
|
||||
frameSrc: ["'self'", tenantEndpointOrigin],
|
||||
frameSrc: ["'self'", ...adminOrigins, ...coreOrigins],
|
||||
},
|
||||
},
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue