CSP is customizable (#499)
CSP, or the content security policy, may now be customized via an
environment variable, `CSP_ORIGINS`. This value may be one or more origins
(as a comma-delimited string) that will be allowed to load images,
styles, fonts, and scripts. Note that an allowed origin may load any of
the above-mentioned types of assets.

✅ Closes: #498
andrew-codes authored Aug 17, 2024
2 parents ba6e63c + adcfaa0 commit 9ca30b5
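The commit message above describes the contract for `CSP_ORIGINS` (a comma-delimited list of origins that is appended to the image, style, font and script directives). The following is an added example, not Playnite-Web's own code, showing how such a value can be parsed defensively before it reaches a CSP builder: empty entries from an unset variable or a trailing comma are dropped, and each entry must look like a CSP host source, so quoted keywords such as `'unsafe-eval'`, a bare `*`, or a value smuggling a `;` cannot widen the policy. The baseline directive lists, the `HOST_SOURCE` pattern and the sample value are assumptions made for this example; the project's real lists live in `apps/playnite-web/app.ts` and are passed to helmet rather than rendered by hand.

```typescript
// Added example (not the project's code): parse a CSP_ORIGINS-style value
// and merge it into CSP directives, without depending on helmet.

// Simplified CSP host-source grammar: optional http/https scheme, optional
// "*." wildcard label, dotted hostname, optional port or "*" port, optional
// path. Quoted keywords ('self', 'unsafe-inline') and a bare "*" do not match,
// and whitespace, ";" and "," are excluded so an entry cannot inject a second
// directive. Assumption for this example; not the project's own validation.
const HOST_SOURCE =
  /^(?:https?:\/\/)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::(?:\d{1,5}|\*))?(?:\/[^\s;,]*)?$/i;

// Directives that the commit extends with every CSP_ORIGINS entry.
const ORIGIN_DIRECTIVES: readonly string[] = [
  'style-src',
  'script-src',
  'img-src',
  'font-src',
];

// Baseline sources, assumed for illustration; the project's real lists differ.
const BASE_DIRECTIVES: Record<string, string[]> = {
  'default-src': ["'self'"],
  'style-src': ["'self'", 'unpkg.com'],
  'script-src': ["'self'", 'unpkg.com'],
  'img-src': ["'self'", 'raw.githubusercontent.com'],
  'font-src': ["'self'", '*.gstatic.com'],
};

// Split on commas, trim, drop empties (an unset variable yields [] rather
// than ['']), and reject anything that is not a host source.
function parseCspOrigins(raw: string | undefined): string[] {
  const origins = (raw ?? '')
    .split(',')
    .map((origin) => origin.trim())
    .filter((origin) => origin.length > 0);
  for (const origin of origins) {
    if (!HOST_SOURCE.test(origin)) {
      throw new Error(
        `CSP_ORIGINS entry is not a host source: ${JSON.stringify(origin)}`,
      );
    }
  }
  return origins;
}

// Append the validated origins to the asset directives only; default-src
// and any other directive are copied unchanged.
function buildCspDirectives(origins: string[]): Record<string, string[]> {
  const directives: Record<string, string[]> = {};
  for (const [name, sources] of Object.entries(BASE_DIRECTIVES)) {
    directives[name] = ORIGIN_DIRECTIVES.includes(name)
      ? sources.concat(origins)
      : [...sources];
  }
  return directives;
}

// Render the header value the way a browser expects it: "name src src; ...".
function renderCspHeader(directives: Record<string, string[]>): string {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Usage with a constructed value; in the real app this would come from
// process.env.CSP_ORIGINS, as in the commit.
const exampleHeader = renderCspHeader(
  buildCspDirectives(parseCspOrigins('cdn.example.com, *.images.example.net')),
);
```

The validation step is the part the commit does not have: because the same list is concatenated into `script-src`, any entry that slips through becomes a script source, so rejecting non-host-source values early is what keeps an operator typo from turning into `script-src *`.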
Showing 2 changed files with 30 additions and 22 deletions.
37 changes: 19 additions & 18 deletions README.md
@@ -86,24 +86,25 @@ Ensure you mount a volume to persist game assets, such as cover-art, backgrounds

##### Environment Variables

| Environment Variable | Value | Required? | Notes |
| :------------------- | :----------------------------------------------- | :-------- | :---------------------------------------------------------------- |
| PORT | Defaults to 3000 | Required | Port in which web application is accessible. |
| HOST | Defaults to `localhost` | | The domain name or IP address of the server running Playnite-Web. |
| ADDITIONAL_ORIGINS | Additional origins allowed to request graph API. | | Multiple values may be provided via a comma-delimited string. |
| DB_HOST | IP address/hostname of Mongo DB database | Required | |
| DB_PORT | Port of Mongo DB database | | Default for MongoDB image is 27017 |
| DB_USERNAME | Username to access database | | Only required if disabled anonymous access |
| DB_PASSWORD | Password to access database | | Only required if disabled anonymous access |
| DB_URL | MongoDB connection URL | | Alternative to individual DB connection options |
| DEBUG | `"playnite-web/*"` | | For troubleshooting; send logs to STDIO |
| USERNAME | | | Username used to login |
| PASSWORD | | | Password value used to login |
| SECRET | | | Secret used to protect credentials |
| MQTT_HOST | IP address/hostname of MQTT broker. | Required | |
| MQTT_PORT | Port of MQTT broker | | Default for MQTT image is 1883 |
| MQTT_USERNAME | Username to access MQTT broker | | Only required if disabled anonymous access |
| MQTT_PASSWORD | Password to access MQTT broker | | Only required if disabled anonymous access |
| Environment Variable | Value | Required? | Notes |
| :------------------- | :---------------------------------------------------------------------------- | :-------- | :---------------------------------------------------------------- |
| PORT | Defaults to 3000 | Required | Port in which web application is accessible. |
| HOST | Defaults to `localhost` | | The domain name or IP address of the server running Playnite-Web. |
| ADDITIONAL_ORIGINS | Additional origins allowed to request graph API. | | Multiple values may be provided via a comma-delimited string. |
| CSP_ORIGINS | Origins in which images, styles, fonts, and scripts are allowed to be loaded. | | Multiple values may be provided via a comma-delimited string. |
| DB_HOST | IP address/hostname of Mongo DB database | Required | |
| DB_PORT | Port of Mongo DB database | | Default for MongoDB image is 27017 |
| DB_USERNAME | Username to access database | | Only required if disabled anonymous access |
| DB_PASSWORD | Password to access database | | Only required if disabled anonymous access |
| DB_URL | MongoDB connection URL | | Alternative to individual DB connection options |
| DEBUG | `"playnite-web/*"` | | For troubleshooting; send logs to STDIO |
| USERNAME | | | Username used to login |
| PASSWORD | | | Password value used to login |
| SECRET | | | Secret used to protect credentials |
| MQTT_HOST | IP address/hostname of MQTT broker. | Required | |
| MQTT_PORT | Port of MQTT broker | | Default for MQTT image is 1883 |
| MQTT_USERNAME | Username to access MQTT broker | | Only required if disabled anonymous access |
| MQTT_PASSWORD | Password to access MQTT broker | | Only required if disabled anonymous access |

### Post Deployment Steps

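Review bot: the new `CSP_ORIGINS` row documents the delimiter but not the value format or the scope of an entry. The Notes column should say what shape each entry takes (a bare host such as `cdn.example.com`, or scheme-qualified, and whether wildcard hosts are accepted) and that every entry is also appended to `script-src`, not only to the image, style and font directives, so an origin listed to serve images is trusted to execute scripts as well. A one-line note alongside "Multiple values may be provided via a comma-delimited string." would let an operator weigh that before adding a third-party CDN.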
15 changes: 11 additions & 4 deletions apps/playnite-web/app.ts
@@ -32,6 +32,9 @@ async function run(mqttClient: AsyncMqttClient) {
const signingKey = process.env.SECRET ?? 'secret'
const yoga = createYoga('/api', signingKey, mqttClient)

const cspOrigins = (process.env.CSP_ORIGINS ?? '')
.split(',')
.map((origin) => origin.trim())
app.use(
helmet({
contentSecurityPolicy: {
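Review bot: the parsing at `const cspOrigins = (process.env.CSP_ORIGINS ?? '')` produces `['']` when the variable is unset or ends in a comma, because `.split(',')` on an empty string returns one empty element and `.trim()` does not remove it; that empty string is then concatenated into every directive below. Add `.filter((origin) => origin.length > 0)` after the `.map`. Nothing here checks that an entry is actually an origin either: a value such as `*` or `'unsafe-eval'` would pass straight through and, via the `script-src` concat in the next hunk, loosen script execution for the whole app. Rejecting entries that do not match a host-source pattern (or at least logging a warning) at this point is cheap and keeps a configuration mistake from silently disabling the policy.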
@@ -50,10 +53,14 @@ async function run(mqttClient: AsyncMqttClient) {
'unpkg.com',
'*.googleapis.com',
'*.gstatic.com',
],
'script-src': ["'self'", "'unsafe-inline'", 'unpkg.com'],
'img-src': ["'self'", 'raw.githubusercontent.com'],
'font-src': ["'self'", '*.googleapis.com', '*.gstatic.com'],
].concat(cspOrigins),
'script-src': ["'self'", "'unsafe-inline'", 'unpkg.com'].concat(
cspOrigins,
),
'img-src': ["'self'", 'raw.githubusercontent.com'].concat(cspOrigins),
'font-src': ["'self'", '*.googleapis.com', '*.gstatic.com'].concat(
cspOrigins,
),
},
},
}),
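Review bot: one list feeds all four directives, so `'script-src': ["'self'", "'unsafe-inline'", 'unpkg.com'].concat(cspOrigins)` grants script execution to every origin an operator adds for images or fonts, which is the highest-privilege directive of the four. Consider either a separate variable for script origins (for example, keep `CSP_ORIGINS` for `img-src`, `style-src` and `font-src` and require an explicit second variable before touching `script-src`), or at minimum stating this in the README row the same commit adds. Separately, `'unsafe-inline'` remains in `script-src`, which already lets any injected inline script run regardless of which hosts are listed, so the host list restricts only external script files; worth noting in the commit message so the `CSP_ORIGINS` feature is not read as a stronger control than it is.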