added CSP

2024-11-07 09:49:21 +01:00 · 2024-11-07 09:49:21 +01:00 · 3a79fd4488
commit 3a79fd4488
parent dc30ebb35e
2 changed files with 39 additions and 17 deletions
--- a/app.config.ts
+++ b/app.config.ts
@ -3,6 +3,9 @@ import { VitePWA } from 'vite-plugin-pwa'

 export default defineConfig({
    vite: {
+        html: {
+            cspNonce: 'KAAS_IS_AWESOME',
+        },
        plugins: [
            VitePWA({
                mode: 'development',
--- a/src/entry-server.tsx
+++ b/src/entry-server.tsx
@ -4,13 +4,16 @@ import { installIntoGlobal } from "iterator-helpers-polyfill";

 installIntoGlobal();

-export default createHandler(() => (
+export default createHandler(({ nonce }) => {
+  return (
    <StartServer
-    document={({ assets, children, scripts }) => (
+      document={({ assets, children, scripts }) => {
+        return (
          <html lang="en">
            <head>
              <meta charset="utf-8" />
              <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
+              <meta property="csp-nonce" nonce={nonce} />
              {assets}
            </head>
            <body>
@ -18,6 +21,22 @@ export default createHandler(() => (
              {scripts}
            </body>
          </html>
-    )}
-  />
-));
+        );
+      }} />
+  );
+}, event => {
+  const nonce = crypto.randomUUID();
+  const base = `'self' 'nonce-${nonce}'`;
+
+  const policies = {
+    default: base,
+    connect: `${base} ws://localhost:*`,
+    style: `'self' data: https://fonts.googleapis.com 'unsafe-inline'`,
+    // style: `${base} data: https://fonts.googleapis.com`,
+    font: `${base} https://*.gstatic.com`,
+  } as const;
+
+  event.response.headers.append('Content-Security-Policy', Object.entries(policies).map(([p, v]) => `${p}-src ${v}`).join('; '))
+
+  return { nonce };
+});