Merge pull request #137 from mgreminger/csp

Add content security policy
mgreminger · Jan 27, 2023 · be4212f · be4212f
2 parents a6f8c65 + 6e8b4a9
commit be4212f
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 13 deletions.
diff --git a/.dev.vars b/.dev.vars
@@ -0,0 +1 @@
+DEV=1
diff --git a/src/database/_worker.ts b/src/database/_worker.ts
@@ -1,10 +1,14 @@
 import { getHash, API_GET_PATH, API_SAVE_PATH } from "./utility";
 
-const spaUrl = "https://engineeringpaper.xyz";
 const maxSize = 2000000; // max length of byte string that represents sheet
 
+const cspHeaderValue = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src * data: blob:;";
+// local dev mode requires some extra exceptions for live reload
+const devCspHeaderValue = cspHeaderValue + " script-src 'self' http://localhost:35729; connect-src 'self' ws://localhost:35729;";
+
 export const API_MANUAL_SAVE_PATH = "/documents/manual-save";
 
+
 type Flag = "0" | "1" | 0 | 1 | undefined;
 
 interface Env {
@@ -14,6 +18,7 @@ interface Env {
   ENABLE_MANUAL_SAVE: Flag;
   MANUAL_SAVE_KEY: string | undefined;
   ENABLE_D1: Flag;
+  DEV: Flag;
 }
 
 interface SheetPostBody {
@@ -51,6 +56,7 @@ export default {
     if (path.startsWith(API_SAVE_PATH) && request.method === "POST") {
       // Store sheet
       return await postSheet({
+        origin: url.origin,
         requestHash: path.replace(API_SAVE_PATH, ''),
         requestBody: await request.json(),
         requestIp: request.headers.get("CF-Connecting-IP") || "",
@@ -76,14 +82,29 @@ export default {
         kv: env.SHEETS, d1: env.TABLES,
         useD1: checkFlag(env.ENABLE_D1)
       });
-    } else if (!path.includes('.')
-               && !path.slice(1).includes('/')
-               && path.length === 23
-               && request.method === "GET" ) {
-      const mainPage = await fetch(`${url.origin}/index.html`)
-      return new HTMLRewriter()
-        .on('meta[name="googlebot"]', new IndexIfEmbedded())
-        .transform(mainPage);
+    } else if (( path === "/" && request.method === "GET") ||
+               (!path.includes('.')
+                && !path.slice(1).includes('/')
+                && path.length === 23
+                && request.method === "GET") ) {
+      let mainPage = await env.ASSETS.fetch(request);
+
+      const updatedHeaders = new Headers(mainPage.headers);
+      updatedHeaders.set('Content-Security-Policy', checkFlag(env.DEV) ? devCspHeaderValue : cspHeaderValue);
+
+      mainPage = new Response(mainPage.body, {
+        status: mainPage.status,
+        statusText: mainPage.statusText,
+        headers: updatedHeaders
+      });
+
+      if (path === "/") {
+        return mainPage;
+      } else {
+        return new HTMLRewriter()
+          .on('meta[name="googlebot"]', new IndexIfEmbedded())
+          .transform(mainPage);
+      }
     } else {
       return await env.ASSETS.fetch(request);
     }
@@ -139,8 +160,9 @@ function getNewId(): string {
   return crypto.randomUUID().replaceAll('-', '').slice(0, 22);
 }
 
-async function postSheet({ requestHash, requestBody, requestIp, kv, d1, useD1 }:
+async function postSheet({ origin, requestHash, requestBody, requestIp, kv, d1, useD1 }:
   {
+    origin: string,
     requestHash: string,
     requestBody: SheetPostBody,
     requestIp: string,
@@ -183,7 +205,7 @@ async function postSheet({ requestHash, requestBody, requestIp, kv, d1, useD1 }:
   if (createNewDocument) {
     // update document history to include latest version
     dbEntry.history.unshift({
-      url: `${spaUrl}/#${id}`,
+      url: `${origin}/${id}`,
       hash: id,
       creation: dbEntry.creation
     });
@@ -202,7 +224,7 @@ async function postSheet({ requestHash, requestBody, requestIp, kv, d1, useD1 }:
   }
 
   return new Response(JSON.stringify({
-    url: `${spaUrl}/#${id}`,
+    url: `${origin}/${id}`,
     hash: id,
     history: dbEntry.history
   }));

diff --git a/tsconfig.json b/tsconfig.json
@@ -7,7 +7,7 @@
       "dom"
     ]
   },
-  "extends": "@tsconfig/svelte/tsconfig.json",
+  "extends": "./node_modules/@tsconfig/svelte/tsconfig.json",
   "include": ["src/**/*"],
   "exclude": ["node_modules/*", "src/database/_worker.ts"]
 }