From adcfaa0a279b8ec684b5ce5207822d81f22d2506 Mon Sep 17 00:00:00 2001 From: Andrew Smith Date: Sat, 17 Aug 2024 12:16:54 -0400 Subject: [PATCH] =?UTF-8?q?feat(ui):=20=F0=9F=8E=B8=20CSP=20is=20customiza?= =?UTF-8?q?ble?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CSP, or the content security policy, may now be customized via an environment variable, `CSP_ORIGINS`. This value may be one or more (comma-delimited string) of origins that will be allowed to load images, styles, fonts, and scripts. Note that an allowed origin may load any of the above mentioned types of asset. ✅ Closes: #498 --- README.md | 37 +++++++++++++++++++------------------ apps/playnite-web/app.ts | 15 +++++++++++---- 2 files changed, 30 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index b82afa8c6..fce5335ab 100755 --- a/README.md +++ b/README.md @@ -86,24 +86,25 @@ Ensure you mount a volume to persist game assets, such as cover-art, backgrounds ##### Environment Variables -| Environment Variable | Value | Required? | Notes | -| :------------------- | :----------------------------------------------- | :-------- | :---------------------------------------------------------------- | -| PORT | Defaults to 3000 | Required | Port in which web application is accessible. | -| HOST | Defaults to `localhost` | | The domain name or IP address of the server running Playnite-Web. | -| ADDITIONAL_ORIGINS | Additional origins allowed to request graph API. | | Multiple values may be provided via a comma-delimited string. | -| DB_HOST | IP address/hostname of Mongo DB database | Required | | -| DB_PORT | Port of Mongo DB database | | Default for MongoDB image is 27017 | -| DB_USERNAME | Username to access database | | Only required if disabled anonymous access | -| DB_PASSWORD | Password to access database | | Only required if disabled anonymous access | -| DB_URL | MongoDB connection URL | | Alternative to individual DB connection options | -| DEBUG | `"playnite-web/*"` | | For troubleshooting; send logs to STDIO | -| USERNAME | | | Username used to login | -| PASSWORD | | | Password value used to login | -| SECRET | | | Secret used to protect credentials | -| MQTT_HOST | IP address/hostname of MQTT broker. | Required | | -| MQTT_PORT | Port of MQTT broker | | Default for MQTT image is 1883 | -| MQTT_USERNAME | Username to access MQTT broker | | Only required if disabled anonymous access | -| MQTT_PASSWORD | Password to access MQTT broker | | Only required if disabled anonymous access | +| Environment Variable | Value | Required? | Notes | +| :------------------- | :---------------------------------------------------------------------------- | :-------- | :---------------------------------------------------------------- | +| PORT | Defaults to 3000 | Required | Port in which web application is accessible. | +| HOST | Defaults to `localhost` | | The domain name or IP address of the server running Playnite-Web. | +| ADDITIONAL_ORIGINS | Additional origins allowed to request graph API. | | Multiple values may be provided via a comma-delimited string. | +| CSP_ORIGINS | Origins in which images, styles, fonts, and scripts are allowed to be loaded. | | Multiple values may be provided via a comma-delimited string. | +| DB_HOST | IP address/hostname of Mongo DB database | Required | | +| DB_PORT | Port of Mongo DB database | | Default for MongoDB image is 27017 | +| DB_USERNAME | Username to access database | | Only required if disabled anonymous access | +| DB_PASSWORD | Password to access database | | Only required if disabled anonymous access | +| DB_URL | MongoDB connection URL | | Alternative to individual DB connection options | +| DEBUG | `"playnite-web/*"` | | For troubleshooting; send logs to STDIO | +| USERNAME | | | Username used to login | +| PASSWORD | | | Password value used to login | +| SECRET | | | Secret used to protect credentials | +| MQTT_HOST | IP address/hostname of MQTT broker. | Required | | +| MQTT_PORT | Port of MQTT broker | | Default for MQTT image is 1883 | +| MQTT_USERNAME | Username to access MQTT broker | | Only required if disabled anonymous access | +| MQTT_PASSWORD | Password to access MQTT broker | | Only required if disabled anonymous access | ### Post Deployment Steps diff --git a/apps/playnite-web/app.ts b/apps/playnite-web/app.ts index d26b5f830..30ce6d549 100755 --- a/apps/playnite-web/app.ts +++ b/apps/playnite-web/app.ts @@ -32,6 +32,9 @@ async function run(mqttClient: AsyncMqttClient) { const signingKey = process.env.SECRET ?? 'secret' const yoga = createYoga('/api', signingKey, mqttClient) + const cspOrigins = (process.env.CSP_ORIGINS ?? '') + .split(',') + .map((origin) => origin.trim()) app.use( helmet({ contentSecurityPolicy: { @@ -50,10 +53,14 @@ async function run(mqttClient: AsyncMqttClient) { 'unpkg.com', '*.googleapis.com', '*.gstatic.com', - ], - 'script-src': ["'self'", "'unsafe-inline'", 'unpkg.com'], - 'img-src': ["'self'", 'raw.githubusercontent.com'], - 'font-src': ["'self'", '*.googleapis.com', '*.gstatic.com'], + ].concat(cspOrigins), + 'script-src': ["'self'", "'unsafe-inline'", 'unpkg.com'].concat( + cspOrigins, + ), + 'img-src': ["'self'", 'raw.githubusercontent.com'].concat(cspOrigins), + 'font-src': ["'self'", '*.googleapis.com', '*.gstatic.com'].concat( + cspOrigins, + ), }, }, }),