Skip to content

Add a default content security policy to the skeleton template #1235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
blittle merged 16 commits into from
Aug 30, 2023
Merged

Add a default content security policy to the skeleton template #1235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
2944959
Add a default content security policy to the skeleton template
blittle Aug 16, 2023
77859e4
Update
blittle Aug 17, 2023
5e98271
Fix CSP errors and introduce HydrogenServerProvider
blittle Aug 18, 2023
7150190
Add nonce to error boundary
blittle Aug 18, 2023
35c0cf6
Fix csp to work without a nonce
blittle Aug 21, 2023
16476cc
Add CSP tests
blittle Aug 22, 2023
06d2367
Add docs and rework
blittle Aug 23, 2023
b0d7340
More docs fixes
blittle Aug 23, 2023
83ed363
Updates
blittle Aug 23, 2023
f061104
Add comment
blittle Aug 23, 2023
eb24b27
Update all templates and examples
blittle Aug 23, 2023
015f42e
Delete weak-drinks-refuse.md
blittle Aug 23, 2023
27ffc91
Update .changeset/two-carrots-relax.md
blittle Aug 23, 2023
d8c2bd4
Add monorail to the default CSP
blittle Aug 29, 2023
b8397ab
Fix tests
blittle Aug 29, 2023
b807004
Add a link to the guide in the release notes
blittle Aug 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .changeset/two-carrots-relax.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
'@shopify/cli-hydrogen': patch
'@shopify/create-hydrogen': patch
'@shopify/hydrogen': patch
---

Add functionality for creating a Content Security Policy. See the [guide on Content Security Policies](https://shopify.dev/docs/custom-storefronts/hydrogen/content-security-policy) for more details.
9 changes: 8 additions & 1 deletion examples/customer-api/app/entry.server.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,16 +2,22 @@ import type {EntryContext} from '@shopify/remix-oxygen';
import {RemixServer} from '@remix-run/react';
import isbot from 'isbot';
import {renderToReadableStream} from 'react-dom/server';
import {createContentSecurityPolicy} from '@shopify/hydrogen';

export default async function handleRequest(
request: Request,
responseStatusCode: number,
responseHeaders: Headers,
remixContext: EntryContext,
) {
const {nonce, header, NonceProvider} = createContentSecurityPolicy();

const body = await renderToReadableStream(
<RemixServer context={remixContext} url={request.url} />,
<NonceProvider>
<RemixServer context={remixContext} url={request.url} />
</NonceProvider>,
{
nonce,
signal: request.signal,
onError(error) {
// eslint-disable-next-line no-console
Expand All @@ -26,6 +32,7 @@ export default async function handleRequest(
}

responseHeaders.set('Content-Type', 'text/html');
responseHeaders.set('Content-Security-Policy', header);
return new Response(body, {
headers: responseHeaders,
status: responseStatusCode,
Expand Down
8 changes: 5 additions & 3 deletions examples/customer-api/app/root.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import {
import type {Shop} from '@shopify/hydrogen/storefront-api-types';
import styles from './styles/app.css';
import favicon from '../public/favicon.svg';
import {useNonce} from '@shopify/hydrogen';

export const links: LinksFunction = () => {
return [
Expand All @@ -34,6 +35,7 @@ export async function loader({context}: LoaderArgs) {

export default function App() {
const data = useLoaderData<typeof loader>();
const nonce = useNonce();

const {name} = data.layout.shop;

Expand All @@ -51,9 +53,9 @@ export default function App() {
This is an example of Hydrogen using the Customer API
</p>
<Outlet />
<ScrollRestoration />
<Scripts />
<LiveReload />
<ScrollRestoration nonce={nonce} />
<Scripts nonce={nonce} />
<LiveReload nonce={nonce} />
</body>
</html>
);
Expand Down
33 changes: 23 additions & 10 deletions examples/express/app/entry.server.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import {Response} from '@remix-run/node';
import {RemixServer} from '@remix-run/react';
import isbot from 'isbot';
import {renderToPipeableStream} from 'react-dom/server';
import {createContentSecurityPolicy} from '@shopify/hydrogen';

const ABORT_DELAY = 5_000;

Expand Down Expand Up @@ -43,17 +44,23 @@ function handleBotRequest(
remixContext: EntryContext,
) {
return new Promise((resolve, reject) => {
const {nonce, header, NonceProvider} = createContentSecurityPolicy();

const {pipe, abort} = renderToPipeableStream(
<RemixServer
context={remixContext}
url={request.url}
abortDelay={ABORT_DELAY}
/>,
<NonceProvider>
<RemixServer
context={remixContext}
url={request.url}
abortDelay={ABORT_DELAY}
/>
</NonceProvider>,
{
nonce,
onAllReady() {
const body = new PassThrough();

responseHeaders.set('Content-Type', 'text/html');
responseHeaders.set('Content-Security-Policy', header);

resolve(
new Response(body, {
Expand Down Expand Up @@ -84,18 +91,24 @@ function handleBrowserRequest(
responseHeaders: Headers,
remixContext: EntryContext,
) {
const {nonce, header, NonceProvider} = createContentSecurityPolicy();

return new Promise((resolve, reject) => {
const {pipe, abort} = renderToPipeableStream(
<RemixServer
context={remixContext}
url={request.url}
abortDelay={ABORT_DELAY}
/>,
<NonceProvider>
<RemixServer
context={remixContext}
url={request.url}
abortDelay={ABORT_DELAY}
/>
</NonceProvider>,
{
nonce,
onShellReady() {
const body = new PassThrough();

responseHeaders.set('Content-Type', 'text/html');
responseHeaders.set('Content-Security-Policy', header);

resolve(
new Response(body, {
Expand Down
8 changes: 5 additions & 3 deletions examples/express/app/root.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import type {Cart, Shop} from '@shopify/hydrogen/storefront-api-types';
import {Layout} from '~/components/Layout';
import styles from './styles/app.css';
import favicon from '../public/favicon.svg';
import {useNonce} from '@shopify/hydrogen';

export const links: LinksFunction = () => {
return [
Expand Down Expand Up @@ -64,6 +65,7 @@ export async function loader({context}: LoaderArgs) {

export default function App() {
const data = useLoaderData<typeof loader>();
const nonce = useNonce();

const {name, description} = data.layout.shop;

Expand All @@ -79,9 +81,9 @@ export default function App() {
<Layout description={description} title={name}>
<Outlet />
</Layout>
<ScrollRestoration />
<Scripts />
<LiveReload />
<ScrollRestoration nonce={nonce} />
<Scripts nonce={nonce} />
<LiveReload nonce={nonce} />
</body>
</html>
);
Expand Down
15 changes: 15 additions & 0 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading