
Feat/retrieve csp #70

Merged
merged 3 commits into from
Nov 16, 2020

Conversation

gweiying
Contributor

@gweiying gweiying commented Nov 11, 2020

This PR creates a route to retrieve the netlify.toml file from the site's repo via the GitHub API and parse it to return its header values. This route is useful on the frontend because we are using the CSP rules specified in the header values to sanitise the page preview when users edit pages (link).

An example of the headers retrieved in the netlify.toml file:

```toml
[[headers]]
  for = "/*"
  [headers.values]
    X-XSS-Protection = "1; mode=block"
    Referrer-Policy = "no-referrer"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "deny"
    Content-Security-Policy = "default-src 'self'; script-src 'self' blob: ..."
```

An example of the response sent to the frontend:

```json
{
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' blob: ..."
}
```

A new NetlifyToml class was created because Isomer has a future goal to make the netlify.toml file a centralized setting across all sites, so we wouldn't need the other methods of the File class: create, update, delete. By creating a separate file, this allows us to maintain/remove this functionality easily in the future.

Note that we use the simplifying assumption that only one set of header values is specified and applied to all paths under each site. This is currently true for all Isomer repos, where [[headers]] is an array of length one, and for = "/*" indicates that all paths on the site are affected by the corresponding set of [headers.values].
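As an added example (not Isomer's code, and not from this PR), the parsing step described above, written as a small line-oriented parser for the `[[headers]]` tables of a netlify.toml body plus a getter that enforces the one-block, `for = "/*"` assumption instead of silently returning the wrong set of values. The sample TOML and the function names are constructed for this example.

```javascript
// Added example, not Isomer's code; the netlify.toml sample below is constructed.
const SAMPLE_TOML = `
[build]
  publish = "_site"
[[headers]]
  for = "/*"
  [headers.values]
    X-XSS-Protection = "1; mode=block"
    Referrer-Policy = "no-referrer"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "deny"
    Content-Security-Policy = "default-src 'self'; script-src 'self' blob:"
`;
// Parses only the TOML subset Netlify uses for headers: [[headers]] entries,
// a `for` path pattern and a nested [headers.values] table of quoted strings.
function parseNetlifyHeaders(toml) {
  const blocks = [];
  let current = null;   // the [[headers]] entry being filled
  let inValues = false; // inside its [headers.values] sub-table
  for (const raw of toml.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    if (line === "[[headers]]") {
      current = { for: null, values: {} };
      blocks.push(current);
      inValues = false;
    } else if (line === "[headers.values]") {
      inValues = current !== null;
    } else if (line.startsWith("[")) {
      current = null; // some other table, e.g. [build]: skipped
      inValues = false;
    } else if (current) {
      const m = line.match(/^([^=\s]+)\s*=\s*"((?:[^"\\]|\\.)*)"$/);
      if (!m) continue;
      if (inValues) current.values[m[1]] = m[2];
      else if (m[1] === "for") current.for = m[2];
    }
  }
  return blocks;
}
// Enforces the route's simplifying assumption (one [[headers]] block covering
// "/*"), so the preview sanitiser never receives a CSP meant for a subset of paths.
function getSiteHeaderValues(toml) {
  const blocks = parseNetlifyHeaders(toml);
  if (blocks.length !== 1 || blocks[0].for !== "/*") {
    throw new Error(`expected a single [[headers]] block for "/*", found ${blocks.length}`);
  }
  return blocks[0].values;
}
```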

@kwajiehao kwajiehao self-requested a review November 12, 2020 11:54
Contributor

@kwajiehao kwajiehao left a comment


lgtm

@gweiying gweiying merged commit ecc749b into staging Nov 16, 2020
@gweiying gweiying deleted the feat/retrieve-csp branch November 16, 2020 11:05
@gweiying gweiying mentioned this pull request Nov 16, 2020
harishv7 pushed a commit that referenced this pull request Feb 17, 2023
* feat: add NetlifyToml class for retrieving netlify.toml file through Github API

* feat: add netlifyToml route file for retrieving, decoding, and sending netlify.toml

* feat: adds netlifyTomlRouter and auth