disable CSP for /report.html (#151)
* disable CSP for /report.html Fixes #150 * enable minimal helmet() for debug paths
This commit is contained in:
parent
61b3b9ea75
commit
4b2e3f030a
25
server.js
25
server.js
|
@ -12,13 +12,27 @@ const { PORT = 4002 } = process.env
|
||||||
// this allows us to do e.g. `fetch('/_api/blog')` on the server
|
// this allows us to do e.g. `fetch('/_api/blog')` on the server
|
||||||
const fetch = require('node-fetch')
|
const fetch = require('node-fetch')
|
||||||
global.fetch = (url, opts) => {
|
global.fetch = (url, opts) => {
|
||||||
if (url[0] === '/') url = `http://localhost:${PORT}${url}`
|
if (url[0] === '/') {
|
||||||
|
url = `http://localhost:${PORT}${url}`
|
||||||
|
}
|
||||||
return fetch(url, opts)
|
return fetch(url, opts)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const debugPaths = ['/report.html', '/stats.json']
|
||||||
|
|
||||||
|
const debugOnly = (fn) => (req, res, next) => (
|
||||||
|
!~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)
|
||||||
|
)
|
||||||
|
|
||||||
|
const nonDebugOnly = (fn) => (req, res, next) => (
|
||||||
|
~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)
|
||||||
|
)
|
||||||
|
|
||||||
app.use(compression({ threshold: 0 }))
|
app.use(compression({ threshold: 0 }))
|
||||||
|
|
||||||
app.use(helmet({
|
// report.html needs to have CSP disable because it has inline scripts
|
||||||
|
app.use(debugOnly(helmet()))
|
||||||
|
app.use(nonDebugOnly(helmet({
|
||||||
contentSecurityPolicy: {
|
contentSecurityPolicy: {
|
||||||
directives: {
|
directives: {
|
||||||
scriptSrc: [`'self'`, `'sha256-${headScriptChecksum}'`],
|
scriptSrc: [`'self'`, `'sha256-${headScriptChecksum}'`],
|
||||||
|
@ -29,7 +43,7 @@ app.use(helmet({
|
||||||
manifestSrc: [`'self'`]
|
manifestSrc: [`'self'`]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}))
|
})))
|
||||||
|
|
||||||
app.use(serveStatic('assets', {
|
app.use(serveStatic('assets', {
|
||||||
setHeaders: (res) => {
|
setHeaders: (res) => {
|
||||||
|
@ -37,8 +51,9 @@ app.use(serveStatic('assets', {
|
||||||
}
|
}
|
||||||
}))
|
}))
|
||||||
|
|
||||||
app.use('/report.html', express.static('.sapper/client/report.html'))
|
debugPaths.forEach(debugPath => {
|
||||||
app.use('/stats.json', express.static('.sapper/client/stats.json'))
|
app.use(debugPath, express.static(`.sapper/client${debugPath}`))
|
||||||
|
})
|
||||||
|
|
||||||
app.use(sapper())
|
app.use(sapper())
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue