implemented CSP (#54)

* implemented CSP * more csp
openpassphrase · Sep 9, 2018 · 496acd0 · 496acd0
1 parent 25635ed
commit 496acd0
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 4 deletions.
diff --git a/angular.json b/angular.json
@@ -68,6 +68,24 @@
               "vendorChunk": false,
               "buildOptimizer": true,
               "serviceWorker": true
+            },
+            "local-prod": {
+              "fileReplacements": [
+                {
+                  "replace": "src/environments/environment.ts",
+                  "with": "src/environments/environment.local-prod.ts"
+                }
+              ],
+              "optimization": true,
+              "outputHashing": "all",
+              "sourceMap": false,
+              "extractCss": true,
+              "namedChunks": false,
+              "aot": true,
+              "extractLicenses": true,
+              "vendorChunk": false,
+              "buildOptimizer": true,
+              "serviceWorker": true
             }
           }
         },

diff --git a/package.json b/package.json
@@ -12,7 +12,7 @@
     "e2e": "ng e2e",
     "build:prod": "node make_version.js && ng build --prod --base-href /opp --deploy-url opp/",
     "build:demo": "node make_version.js && ng build --configuration demo --base-href /demo --deploy-url demo/",
-    "build:test": "node make_version.js && ng build --prod",
+    "build:test": "node make_version.js && ng build --configuration local-prod",
     "server:dist": "http-server ./dist/web/ -S -C cert/localhost.crt -K cert/localhost.key -P http://localhost:5000",
     "precommit": "yarn lint && yarn build:prod"
   },

diff --git a/src/app/core/core.module.ts b/src/app/core/core.module.ts
@@ -1,6 +1,7 @@
 import { NgModule } from '@angular/core';
 import { BrowserModule } from '@angular/platform-browser';
 import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
+import { CspService } from '@app/core/csp.service';
 import { PwaService } from '@app/core/pwa.service';
 
 @NgModule({
@@ -11,11 +12,12 @@ import { PwaService } from '@app/core/pwa.service';
   declarations: [
   ],
   providers: [
-    PwaService
+    PwaService,
+    CspService
   ]
 })
 export class CoreModule {
-  constructor(pwa: PwaService) {
+  constructor(pwa: PwaService, csp: CspService) {
     pwa.addManifestLink();
 
     // in some cases ServiceWorkerModule.register does not register service worker.
@@ -24,6 +26,8 @@ export class CoreModule {
     pwa.register();
 
     pwa.listenForUpdate();
+
+    csp.register();
   }
 
   static forRoot() {

diff --git a/src/app/core/csp.service.ts b/src/app/core/csp.service.ts
@@ -0,0 +1,37 @@
+import { DOCUMENT } from '@angular/common';
+import { Inject, Injectable } from '@angular/core';
+import { environment } from '../../environments/environment';
+
+/**
+ * Used to enforce CSP policy. For more details about CSP, see
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+ * and https://developers.google.com/web/fundamentals/security/csp/
+ * Evaluate your CSP here: https://csp-evaluator.withgoogle.com/
+ * Remove 'unsafe-inline' in style-src once Angular issue is resolved:
+ * https://github.com/angular/angular/issues/6361
+ */
+@Injectable()
+export class CspService {
+  constructor(
+    @Inject(DOCUMENT) private doc: Document
+  ) { }
+
+  register() {
+    if (environment.name !== 'dev') {
+      const meta: HTMLMetaElement = this.doc.createElement('meta');
+      meta.setAttribute('http-equiv', 'Content-Security-Policy');
+      meta.setAttribute('content', `
+        default-src 'self';
+        font-src 'self' data:;
+        style-src 'self' 'unsafe-inline';
+        script-src 'self';
+        worker-src 'self';
+        object-src 'none';
+        form-action 'none';
+        frame-src 'none';
+        `
+      );
+      this.doc.head.appendChild(meta);
+    }
+  }
+}
diff --git a/src/environments/environment.local-prod.ts b/src/environments/environment.local-prod.ts
@@ -0,0 +1,7 @@
+export const environment = {
+  name: 'local-prod',
+  baseHref: '',
+  isUserNameAutocompleteEnabled: true,
+  showTokenExpirationCustomization: true,
+  mockApi: false
+};
diff --git a/src/environments/environment.ts b/src/environments/environment.ts
@@ -3,7 +3,7 @@
 // The list of file replacements can be found in `angular.json`.
 
 export interface IEnv {
-  name: 'dev' | 'demo' | 'prod';
+  name: 'dev' | 'demo' | 'prod' | 'local-prod';
   baseHref: string;
   isUserNameAutocompleteEnabled: boolean;
   showTokenExpirationCustomization: boolean;