Merge pull request #39 from saferwall/2022-fixing

trying to fix csp , allow to inject avatars source to csp in nginx co…
saferwall · Feb 7, 2022 · 002a49d · 002a49d
2 parents 1492f3c + e3c5662
commit 002a49d
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 9 deletions.
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -15,19 +15,34 @@ do
   envsubst '$VUE_APP_AVATAR_BASE_URL' < $file > $file
 done
 
+# -------------
+# CSP Rule
+# -------------
+NGINX_CONF_FILE="/etc/nginx/conf.d/default.conf"
+INDEX_HTML_FILE="/usr/share/nginx/html/index.html";
+
+# Add avatars url to csp
+if [ -z "${VUE_APP_AVATAR_BASE_URL}" ]; then
+  echo "[Warn] VUE_APP_AVATAR_BASE_URL env value is not defined, it can cause problem on profile avatar image loading !"
+else
+  sed -i "s/img-src/img-src '$VUE_APP_AVATAR_BASE_URL'/g" $NGINX_CONF_FILE
+fi
+
 # Replace env in index.html
-file="/usr/share/nginx/html/index.html";
+echo "[Info] Processing $INDEX_HTML_FILE ...";
+cp $INDEX_HTML_FILE $INDEX_HTML_FILE.tmp
 
-echo "[Info] Processing $file ...";
-cp $file $file.tmp
+HEAD_TAG="<\/head>"
 
-head_tag="<\/head>"
+# Add google analytics tag to head & csp
 if [ -z "${VUE_APP_ANALYTICS_GOOGLE_TAG}" ]; then
   echo "[Info] VUE_APP_ANALYTICS_GOOGLE_TAG env value is not defined";
 else 
-  # Inject google analytics
-  g_tag='<script>window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;ga("create", "'$VUE_APP_ANALYTICS_GOOGLE_TAG'", "auto");ga("send", "pageview");<\/script><script async src="https:\/\/www.google-analytics.com\/analytics.js"><\/script>\n'$head_tag
-  sed -i "s/$head_tag/$g_tag/g" $file
+  GA_TAG='<script>window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;ga("create", "'$VUE_APP_ANALYTICS_GOOGLE_TAG'", "auto");ga("send", "pageview");<\/script><script async src="https:\/\/www.google-analytics.com\/analytics.js"><\/script>'
+
+  sed -i "s/$HEAD_TAG/$GA_TAG\n$HEAD_TAG/g" $INDEX_HTML_FILE
+
+  sed -i "s/script-src/script-src 'https://www.google-analytics.com'/g" $NGINX_CONF_FILE
 fi
 
 echo "[Info] Starting Nginx ..."

diff --git a/nginx.conf b/nginx.conf
@@ -17,7 +17,7 @@ server {
   add_header X-Frame-Options "DENY";
   add_header X-Content-Type-Options nosniff;
   add_header X-XSS-Protection "1; mode=block";
-  add_header Content-Security-Policy "default-src 'self'; font-src *; script-src 'unsafe-eval' 'self';style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src *; object-src 'none'; base-uri 'self'; form-action 'self'; img-src * data:;";
+  add_header Content-Security-Policy "script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' fonts.googleapis.com 'self'; s object-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data:;";
 
   location / {
     try_files $uri $uri/ @rewrites;

diff --git a/src/services/setupInterceptors.js b/src/services/setupInterceptors.js
@@ -6,7 +6,7 @@ const setup = ({ router }) => {
             return res;
         },
         async (err) => {
-            if (err.response.status === 401) {
+            if (err.response && err.response.status === 401) {
                 return router.push({ path: '/auth/login' });
             }