From 2927aa161fb0bdc703fbb44002b9173767617e40 Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 12:28:00 -0300
Subject: [PATCH 01/10] Added globally Referrer-Policy and Permissions-Policy headers
---
 src/server/index.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/server/index.js b/src/server/index.js
index 31f949ca61..18a72ab1aa 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -131,6 +131,12 @@ async function onExpressJsSetup(server) {
 return next();
 };
 
+ server.use(function(req, res, next) {
+ res.header('Referrer-Policy', 'strict-origin-when-cross-origin');
+ res.header('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+ next();
+ });
+
 /* Log Entries service proxy. */
 server.use('/community-app-assets/api/logger', checkAuthorizationHeader, (req, res) => {
 logger.log(`${req.clientIp} > `, ...req.body.data);
From 9b6401553be6fbeccd812bd7cfc4debfa086a783 Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 12:28:21 -0300
Subject: [PATCH 02/10] Added Content-Security-Policy to Veterans community
---
 src/server/index.js | 51 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
diff --git a/src/server/index.js b/src/server/index.js
index 18a72ab1aa..9513151b01 100644
--- a/src/server/index.js
+++ b/src/server/index.js
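Review bot: The new `server.use` block carries no comment, while the neighbouring middleware in this file is labelled (`/* Log Entries service proxy. */`); add `/* Security headers applied to every response. */` above it. Express runs middleware in registration order, so only routes and static handlers mounted after this point receive the two headers — if anything is mounted earlier in onExpressJsSetup, whose start lies outside the hunk, those responses go out without them, and the comment should say this block is expected to precede every route. Downstream handlers can still override either value with their own `res.header` call, which is fine but worth stating in the same comment.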
@@ -134,6 +134,57 @@ async function onExpressJsSetup(server) {
 server.use(function(req, res, next) {
 res.header('Referrer-Policy', 'strict-origin-when-cross-origin');
 res.header('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+
+ if (req.url.startsWith('/__community__/veterans') || req.hostname === 'veterans.topcoder.com') {
+ res.header(
+ 'Content-Security-Policy',
+ `default-src 'self';`
+ + ` script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'`
+ + ` http://www.google-analytics.com`
+ + ` https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com`
+ + ` https://assets.ubembed.com`
+ + ` https://assets.zendesk.com`
+ + ` https://browser.sentry-cdn.com`
+ + ` https://cdn.segment.com`
+ + ` https://fast.trychameleon.com`
+ + ` https://static.zdassets.com;`
+ + ` style-src 'report-sample' 'self' 'unsafe-inline'`
+ + ` ${config.CDN.PUBLIC};`
+ + ` object-src 'none';`
+ + ` base-uri 'self';`
+ + ` connect-src 'self'`
+ + ` ${config.URL.COMMUNITY_APP}`
+ + ` ${config.CDN.PUBLIC}`
+ + ` ${config.API.V2}/`
+ + ` ${config.API.V3}/`
+ + ` ${config.API.V4}/`
+ + ` ${config.API.V5}/`
+ + ` https://api.segment.io`
+ + ` https://cdn.segment.com`
+ + ` https://ekr.zdassets.com`
+ + ` https://topcoder.zendesk.com`
+ + ` https://stats.g.doubleclick.net`
+ + ` https://www.google-analytics.com;`
+ + ` font-src 'self'`
+ + ` data:`
+ + ` ${config.CDN.PUBLIC}`
+ + ` https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com;`
+ + ` frame-src 'self'`
+ + ` ${config.URL.AUTH};`
+ + ` img-src 'self'`
+ + ` https://www.facebook.com`
+ + ` https://images.ctfassets.net`
+ + ` https://d2nl5eqipnb33q.cloudfront.net`
+ + ` https://cdn.segment.com`
+ + ` https://www.google.com`
+ + ` https://topcoder-prod-media.s3.amazonaws.com;`
+ + ` manifest-src 'self';`
+ + ` media-src 'self';`
+ + ` report-uri https://623d4c23f90d055298b24042.endpoint.csper.io/?v=0;`
+ + ` worker-src 'self';`
+ );
+ }
+
 next();
 });
 
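Review bot: `script-src` lists `'unsafe-inline'` and `'unsafe-eval'`, so this policy does not stop injected inline scripts; what it actually enforces is the set of external script origins, and the `report-uri` reports will reflect only that. Record this in a comment above `res.header(` so the allowance gets revisited, e.g. `// TODO: replace 'unsafe-inline'/'unsafe-eval' with nonces or hashes once the inline scripts that need them are identified`. `http://www.google-analytics.com` is the only plain-http source; if the community is served over https the browser blocks http scripts as mixed content regardless of CSP, so it should read `https://`. Every `${config.…}` value is interpolated unchecked, and an unset value lands in the header as the literal host `undefined`, so a one-time check at startup that the config keys used here are set would surface a misconfiguration instead of silently blocked requests. The middleware starts inside the hunk, but onExpressJsSetup itself begins outside it.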
From 7b3dc445ebac8587d0541f6a543a030a20ca4d5b Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 12:34:18 -0300
Subject: [PATCH 03/10] Deployed csp-headers to Beta and Test
---
 .circleci/config.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index dea585d4eb..c2d4c72a9f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -343,14 +343,13 @@ workflows:
 branches:
 only:
 - develop
- - fix/infected-submission
 # This is alternate dev env for parallel testing
 - "build-test":
 context : org-global
 filters:
 branches:
 only:
- - ca-profile-bug-bash
+ - csp-headers
 # This is alternate dev env for parallel testing
 - "build-qa":
 context : org-global
@@ -364,7 +363,7 @@ workflows:
 filters:
 branches:
 only:
- - new-tc-logo
+ - csp-headers
 # This is stage env for production QA releases
 - "build-prod-staging":
 context : org-global
@@ -372,8 +371,6 @@ workflows:
 branches:
 only:
 - develop
- - features/mm-dashboard
- - fix/settings-save-fail
 # Production builds are exectuted
 # when PR is merged to the master
 # Don't change anything in this configuration
From 3260c716f93b32d6692fee911337d79d2f105814 Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 13:08:25 -0300
Subject: [PATCH 04/10] Fix lint
---
 src/server/index.js | 72 ++++++++++++++++++++++-----------------------
 1 file changed, 36 insertions(+), 36 deletions(-)
diff --git a/src/server/index.js b/src/server/index.js
index 9513151b01..3e8a800f0d 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -131,57 +131,57 @@ async function onExpressJsSetup(server) {
 return next();
 };
 
- server.use(function(req, res, next) {
+ server.use((req, res, next) => {
 res.header('Referrer-Policy', 'strict-origin-when-cross-origin');
 res.header('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
 
 if (req.url.startsWith('/__community__/veterans') || req.hostname === 'veterans.topcoder.com') {
 res.header(
 'Content-Security-Policy',
- `default-src 'self';`
- + ` script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'`
- + ` http://www.google-analytics.com`
- + ` https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com`
- + ` https://assets.ubembed.com`
- + ` https://assets.zendesk.com`
- + ` https://browser.sentry-cdn.com`
- + ` https://cdn.segment.com`
- + ` https://fast.trychameleon.com`
- + ` https://static.zdassets.com;`
- + ` style-src 'report-sample' 'self' 'unsafe-inline'`
+ "default-src 'self';"
+ + " script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'"
+ + ' http://www.google-analytics.com'
+ + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com'
+ + ' https://assets.ubembed.com'
+ + ' https://assets.zendesk.com'
+ + ' https://browser.sentry-cdn.com'
+ + ' https://cdn.segment.com'
+ + ' https://fast.trychameleon.com'
+ + ' https://static.zdassets.com;'
+ + " style-src 'report-sample' 'self' 'unsafe-inline'"
 + ` ${config.CDN.PUBLIC};`
- + ` object-src 'none';`
- + ` base-uri 'self';`
- + ` connect-src 'self'`
+ + " object-src 'none';"
+ + " base-uri 'self';"
+ + " connect-src 'self'"
 + ` ${config.URL.COMMUNITY_APP}`
 + ` ${config.CDN.PUBLIC}`
 + ` ${config.API.V2}/`
 + ` ${config.API.V3}/`
 + ` ${config.API.V4}/`
 + ` ${config.API.V5}/`
- + ` https://api.segment.io`
- + ` https://cdn.segment.com`
- + ` https://ekr.zdassets.com`
- + ` https://topcoder.zendesk.com`
- + ` https://stats.g.doubleclick.net`
- + ` https://www.google-analytics.com;`
- + ` font-src 'self'`
- + ` data:`
+ + ' https://api.segment.io'
+ + ' https://cdn.segment.com'
+ + ' https://ekr.zdassets.com'
+ + ' https://topcoder.zendesk.com'
+ + ' https://stats.g.doubleclick.net'
+ + ' https://www.google-analytics.com;'
+ + " font-src 'self'"
+ + ' data:'
 + ` ${config.CDN.PUBLIC}`
- + ` https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com;`
- + ` frame-src 'self'`
+ + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com;'
+ + " frame-src 'self'"
 + ` ${config.URL.AUTH};`
- + ` img-src 'self'`
- + ` https://www.facebook.com`
- + ` https://images.ctfassets.net`
- + ` https://d2nl5eqipnb33q.cloudfront.net`
- + ` https://cdn.segment.com`
- + ` https://www.google.com`
- + ` https://topcoder-prod-media.s3.amazonaws.com;`
- + ` manifest-src 'self';`
- + ` media-src 'self';`
- + ` report-uri https://623d4c23f90d055298b24042.endpoint.csper.io/?v=0;`
- + ` worker-src 'self';`
+ + " img-src 'self'"
+ + ' https://www.facebook.com'
+ + ' https://images.ctfassets.net'
+ + ' https://d2nl5eqipnb33q.cloudfront.net'
+ + ' https://cdn.segment.com'
+ + ' https://www.google.com'
+ + ' https://topcoder-prod-media.s3.amazonaws.com;'
+ + " manifest-src 'self';"
+ + " media-src 'self';"
+ + ' report-uri https://623d4c23f90d055298b24042.endpoint.csper.io/?v=0;'
+ + " worker-src 'self';",
 );
 }
 
From 555b9460eb250d46a6069bdd27088d199b4d9cf2 Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 13:59:23 -0300
Subject: [PATCH 05/10] Added Cloudfront Public CDN
---
 src/server/index.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/server/index.js b/src/server/index.js
index 3e8a800f0d..4947818aac 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -140,6 +140,7 @@ async function onExpressJsSetup(server) {
 'Content-Security-Policy',
 "default-src 'self';"
 + " script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'"
+ + ` ${config.CDN.PUBLIC}`
 + ' http://www.google-analytics.com'
 + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com'
 + ' https://assets.ubembed.com'
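Review bot: Adding `config.CDN.PUBLIC` to `script-src` lets any file served from that origin execute as script on the Veterans pages, a much wider grant than the `style-src`/`font-src`/`connect-src` uses of the same value that already existed. If that distribution also serves user-uploaded or otherwise writable content (not visible from here), this is the directive to keep narrow: CSP accepts a path-scoped source, so ` ${config.CDN.PUBLIC}/<script-prefix>/` with the real bundle path would limit it, and a comment naming which bundles come from the CDN would let a reviewer check the grant. The later hunks of this patch move the same value within `connect-src` and add it to `img-src`, where the exposure is lower. The `res.header(` call and the middleware around it begin outside this hunk.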
@@ -153,12 +154,12 @@ async function onExpressJsSetup(server) {
 + " object-src 'none';"
 + " base-uri 'self';"
 + " connect-src 'self'"
- + ` ${config.URL.COMMUNITY_APP}`
- + ` ${config.CDN.PUBLIC}`
 + ` ${config.API.V2}/`
 + ` ${config.API.V3}/`
 + ` ${config.API.V4}/`
 + ` ${config.API.V5}/`
+ + ` ${config.CDN.PUBLIC}`
+ + ` ${config.URL.COMMUNITY_APP}`
 + ' https://api.segment.io'
 + ' https://cdn.segment.com'
 + ' https://ekr.zdassets.com'
@@ -172,9 +173,9 @@ async function onExpressJsSetup(server) {
 + " frame-src 'self'"
 + ` ${config.URL.AUTH};`
 + " img-src 'self'"
+ + ` ${config.CDN.PUBLIC}`
 + ' https://www.facebook.com'
 + ' https://images.ctfassets.net'
- + ' https://d2nl5eqipnb33q.cloudfront.net'
 + ' https://cdn.segment.com'
 + ' https://www.google.com'
 + ' https://topcoder-prod-media.s3.amazonaws.com;'
From 6a8a4ef3c96fd5ab54446ed8ceb124432d031553 Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 14:46:26 -0300
Subject: [PATCH 06/10] Fix avatar CDN
---
 src/server/index.js | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/server/index.js b/src/server/index.js
index 4947818aac..12452fe3f0 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -146,11 +146,18 @@ async function onExpressJsSetup(server) {
 + ' https://assets.ubembed.com'
 + ' https://assets.zendesk.com'
 + ' https://browser.sentry-cdn.com'
+ + ' https://cdn.heapanalytics.com'
 + ' https://cdn.segment.com'
+ + ' https://d1of0acg2orgco.cloudfront.net'
+ + ' https://d24oibycet9bsb.cloudfront.net'
 + ' https://fast.trychameleon.com'
- + ' https://static.zdassets.com;'
+ + ' https://static.zdassets.com'
+ + ' https://www.googletagmanager.com;'
 + " style-src 'report-sample' 'self' 'unsafe-inline'"
- + ` ${config.CDN.PUBLIC};`
+ + ` ${config.CDN.PUBLIC}`
+ + ' https://d1of0acg2orgco.cloudfront.net'
+ + ' https://d24oibycet9bsb.cloudfront.net'
+ + ' https://d2nl5eqipnb33q.cloudfront.net;'
 + " object-src 'none';"
 + " base-uri 'self';"
 + " connect-src 'self'"
@@ -174,11 +181,12 @@ async function onExpressJsSetup(server) {
 + ` ${config.URL.AUTH};`
 + " img-src 'self'"
 + ` ${config.CDN.PUBLIC}`
- + ' https://www.facebook.com'
- + ' https://images.ctfassets.net'
 + ' https://cdn.segment.com'
- + ' https://www.google.com'
- + ' https://topcoder-prod-media.s3.amazonaws.com;'
+ + ' https://d2nl5eqipnb33q.cloudfront.net'
+ + ' https://images.ctfassets.net'
+ + ' https://topcoder-prod-media.s3.amazonaws.com'
+ + ' https://www.facebook.com'
+ + ' https://www.google.com;'
 + " manifest-src 'self';"
 + " media-src 'self';"
 + ' report-uri https://623d4c23f90d055298b24042.endpoint.csper.io/?v=0;'
From a13d3d50a679b9852c7dbc39fb4865f4981e9ca5 Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 15:40:30 -0300
Subject: [PATCH 07/10] Added missing domains
---
 src/server/index.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/server/index.js b/src/server/index.js
index 12452fe3f0..d38cd97020 100644
--- a/src/server/index.js
+++ b/src/server/index.js
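Review bot: Three raw CloudFront distribution hostnames (`d1of0acg2orgco`, `d24oibycet9bsb`, `d2nl5eqipnb33q`) and `cdn.heapanalytics.com` enter `script-src` and `style-src` in the first hunk with nothing in the code saying what each one serves; the commit title says "avatar CDN", the source does not. Put a trailing comment on each entry, e.g. `+ ' https://d1of0acg2orgco.cloudfront.net' // avatars` if that is what the title refers to, so a maintainer can tell which entries to prune when a service is retired and can notice a distribution that no longer belongs to the project. Without that, the list only grows, as patches 07 through 10 of this series show; the second hunk of this patch and the img-src additions in patch 07 have the same gap. The `res.header(` call and the middleware around it begin outside both hunks.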
@@ -148,6 +148,7 @@ async function onExpressJsSetup(server) {
 + ' https://browser.sentry-cdn.com'
 + ' https://cdn.heapanalytics.com'
 + ' https://cdn.segment.com'
+ + ' https://connect.facebook.net'
 + ' https://d1of0acg2orgco.cloudfront.net'
 + ' https://d24oibycet9bsb.cloudfront.net'
 + ' https://fast.trychameleon.com'
@@ -170,22 +171,30 @@ async function onExpressJsSetup(server) {
 + ' https://api.segment.io'
 + ' https://cdn.segment.com'
 + ' https://ekr.zdassets.com'
+ + ' https://fast.trychameleon.com'
 + ' https://topcoder.zendesk.com'
 + ' https://stats.g.doubleclick.net'
 + ' https://www.google-analytics.com;'
 + " font-src 'self'"
 + ' data:'
 + ` ${config.CDN.PUBLIC}`
+ + ' https://d1of0acg2orgco.cloudfront.net'
+ + ' https://d24oibycet9bsb.cloudfront.net'
 + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com;'
 + " frame-src 'self'"
 + ` ${config.URL.AUTH};`
 + " img-src 'self'"
 + ` ${config.CDN.PUBLIC}`
 + ' https://cdn.segment.com'
+ + ' https://d1of0acg2orgco.cloudfront.net'
+ + ' https://d24oibycet9bsb.cloudfront.net'
 + ' https://d2nl5eqipnb33q.cloudfront.net'
 + ' https://images.ctfassets.net'
+ + ' https://heapanalytics.com'
+ + ' https://q.quora.com'
 + ' https://topcoder-prod-media.s3.amazonaws.com'
 + ' https://www.facebook.com'
+ + ' https://www.google-analytics.com'
 + ' https://www.google.com;'
 + " manifest-src 'self';"
 + " media-src 'self';"
From ba703959cfaed623bd3e37a9dda29919baa814d9 Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 17:17:26 -0300
Subject: [PATCH 08/10] Added Youtube and Tagmanager
---
 src/server/index.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/server/index.js b/src/server/index.js
index d38cd97020..1a46303e06 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -182,7 +182,8 @@ async function onExpressJsSetup(server) {
 + ' https://d24oibycet9bsb.cloudfront.net'
 + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com;'
 + " frame-src 'self'"
- + ` ${config.URL.AUTH};`
+ + ` ${config.URL.AUTH}`
+ + 'https://www.youtube.com;'
 + " img-src 'self'"
 + ` ${config.CDN.PUBLIC}`
 + ' https://cdn.segment.com'
@@ -195,7 +196,8 @@ async function onExpressJsSetup(server) {
 + ' https://topcoder-prod-media.s3.amazonaws.com'
 + ' https://www.facebook.com'
 + ' https://www.google-analytics.com'
- + ' https://www.google.com;'
+ + ' https://www.google.com'
+ + ' https://www.googletagmanager.com;'
 + " manifest-src 'self';"
 + " media-src 'self';"
 + ' report-uri https://623d4c23f90d055298b24042.endpoint.csper.io/?v=0;'
From 9c9080525f4f12fe361f8b3997793fa3a89a783e Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 17:50:47 -0300
Subject: [PATCH 09/10] Fix URL string
---
 src/server/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/server/index.js b/src/server/index.js
index 1a46303e06..8a69bc6110 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -183,7 +183,7 @@ async function onExpressJsSetup(server) {
 + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com;'
 + " frame-src 'self'"
 + ` ${config.URL.AUTH}`
- + 'https://www.youtube.com;'
+ + ' https://www.youtube.com;'
 + " img-src 'self'"
 + ` ${config.CDN.PUBLIC}`
 + ' https://cdn.segment.com'
From e4fa8ada90f5e1aa0eeb98da43b2095015aed551 Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 19 Apr 2022 18:13:33 -0300
Subject: [PATCH 10/10] Added Youtube webp thumbnail
---
 src/server/index.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/server/index.js b/src/server/index.js
index 8a69bc6110..c0d2e1fc36 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -197,7 +197,8 @@ async function onExpressJsSetup(server) {
 + ' https://www.facebook.com'
 + ' https://www.google-analytics.com'
 + ' https://www.google.com'
- + ' https://www.googletagmanager.com;'
+ + ' https://www.googletagmanager.com'
+ + ' https://i.ytimg.com;'
 + " manifest-src 'self';"
 + " media-src 'self';"
 + ' report-uri https://623d4c23f90d055298b24042.endpoint.csper.io/?v=0;'
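Review bot: The policy is a hand-maintained chain of string fragments in which every source must carry its own leading space and every directive its own trailing `;`, and this hunk again moves the `;` from `www.googletagmanager.com` to `i.ytimg.com` by hand; patch 09 of this series already had to repair a missing space (`'https://www.youtube.com;'`) that patch 08 introduced the same way. Building the header from a directive-to-sources map and serialising it once removes that class of mistake, lets the hosts repeated across directives (the CloudFront distributions, `cdn.segment.com`, `www.google-analytics.com`) be shared, and yields the same policy text apart from the final `;`, which CSP parsers do not require. The sketch below keeps the `res.header('Content-Security-Policy', …)` call; the existing source lists move into the arrays unchanged. The `res.header(` call and the middleware around it begin outside this hunk.
```javascript
// … unchanged: Referrer-Policy / Permissions-Policy headers and the veterans check …
const cspDirectives = {
  'default-src': ["'self'"],
  'script-src': [
    "'report-sample'", "'self'", "'unsafe-inline'", "'unsafe-eval'", config.CDN.PUBLIC,
    // … unchanged: remaining script-src hosts …
  ],
  // … unchanged: style-src, object-src, base-uri, connect-src, font-src, frame-src, manifest-src, media-src, report-uri, worker-src …
  'img-src': [
    "'self'", config.CDN.PUBLIC,
    // … unchanged: existing img-src hosts …
    'https://www.googletagmanager.com', 'https://i.ytimg.com',
  ],
};
const csp = Object.entries(cspDirectives)
  .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
  .join('; ');
res.header('Content-Security-Policy', csp);
```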