Add CSP support

Author: razor-x

README.md

@@ -91,7 +91,7 @@ with custom values to setup a completely independent project:
 
    aws ssm put-parameter --type "String" \
      --name "/app/aws-lambda-edge/experimental/appConfig" \
-     --value '{"title":"Lambda@Edge Immutable Web App (Experimental)"}'
+     --value '{"title":"Lambda@Edge Immutable Web App (Experimental)","reportUri":"https://httpbin.org/post"}'
    ```
 5. Build and deploy the initial version with
    ```
@@ -118,7 +118,7 @@ with custom values to setup a completely independent project:
 
    aws ssm put-parameter --type "String" \
      --name "/app/aws-lambda-edge/live/appConfig" \
-     --value '{"title":"Lambda@Edge Immutable Web App"}'
+     --value '{"title":"Lambda@Edge Immutable Web App","reportUri":"https://httpbin.org/post"}'
 
    npm run build
    npm run deploy:assets

lib/content.js

@@ -14,8 +14,8 @@ const getIndexContent = (options, callback) => {
   getIndexTemplate(options, (err, template) => {
     try {
       if (err) return callback(err)
-      const content = createContent(template, options)
-      callback(null, content)
+      const data = createContent(template, options)
+      callback(null, data)
     } catch (error) {
       callback(error)
     }
@@ -65,11 +65,16 @@ const createContent = (template, {
   version
 }) => {
   const encodedConfig = encodeURIComponent(config)
-  return render(template, {
+  const configScript = `window.config = JSON.parse(decodeURIComponent('${encodedConfig}'))`
+  const content = render(template, {
     root,
     version,
-    config: encodedConfig
+    configScript
   })
+  return {
+    content,
+    scripts: [configScript]
+  }
 }
 
 module.exports = getIndexContent

lib/csp.js

@@ -0,0 +1,26 @@
+const { createHash } = require('crypto')
+
+const createCspHeader = (options, {
+  scripts = []
+}) => {
+  const { origin, config } = options
+  const { reportUri, api } = JSON.parse(config)
+  const scriptHashes = scripts.map(cspHash)
+  const directives = [
+    ['default-src', origin],
+    ['script-src', "'self'", origin, ...scriptHashes],
+    ['img-src', "'self'", origin],
+    ['connect-src', api],
+    ['report-uri', reportUri]
+  ]
+  return directives.map(d => d.join(' ')).join('; ')
+}
+
+const cspHash = script => {
+  const hash = createHash('sha256')
+  hash.update(script)
+  const digest = hash.digest('base64')
+  return `'sha256-${digest}'`
+}
+
+module.exports = createCspHeader

lib/options.js

@@ -1,3 +1,5 @@
+'use strict'
+
 const appVersionCookieName = 'appVersion'
 
 const getOptions = (req, options) => {

lib/response.js

@@ -3,6 +3,7 @@
 const { gzip } = require('zlib')
 
 const getIndexContent = require('./content')
+const createCspHeader = require('./csp')
 const getOptions = require('./options')
 
 const getResponse = (req, options, callback) => {
@@ -21,12 +22,13 @@ const getResponse = (req, options, callback) => {
 }
 
 const getIndexResponse = (options, callback) => {
-  getIndexContent(options, (err, content) => {
+  getIndexContent(options, (err, { content, scripts }) => {
     if (err) return callback(err)
     getBody(content, (err, body) => {
       try {
         if (err) return callback(err)
-        const response = createIndexResponse(body)
+        const csp = createCspHeader(options, { scripts })
+        const response = createIndexResponse(body, csp)
         callback(null, response)
       } catch (error) {
         callback(error)
@@ -47,8 +49,12 @@ const getBody = (content, callback) => {
   })
 }
 
-const createIndexResponse = body => ({
+const createIndexResponse = (body, csp) => ({
   headers: {
+    'content-security-policy': [{
+      key: 'Content-Security-Policy',
+      value: csp
+    }],
     'cache-control': [{
       key: 'Cache-Control',
       value: 'no-cache, no-store, must-revalidate'

public/index.html.mustache

@@ -10,7 +10,7 @@
   </head>
   <body>
     <div id="root"></div>
-    <script>window.config = JSON.parse(decodeURIComponent('{{ config }}'))</script>
+    <script>{{{ configScript }}}</script>
     <script src="{{ root }}/index.js"></script>
   </body>
 </html>

server.js

@@ -12,8 +12,11 @@ const assetPort = 8081
 const host = 'localhost'
 
 const config = {
-  title: 'Lambda@Edge Immutable Web App'
+  title: 'Lambda@Edge Immutable Web App',
+  reportUri: 'https://httpbin.org/post',
+  api: 'https://httpbin.org'
 }
+
 const options = {
   config: JSON.stringify(config),
   origin: `http://${host}:${assetPort}`,