fix: [VIDECO-10247] Add CSP header (#881)

* [VIDECO-10247] Implement CSP Policy * Revise CSP policy * Fix lint error * Add test for Content-Security-Policy header * Some tweaks to the CSP header * Minor refactoring of CSP directives
opentok · Nov 21, 2024 · dbfef8d · dbfef8d
1 parent 6a1e70f
commit dbfef8d
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 3 deletions.
diff --git a/server/serverMethods.js b/server/serverMethods.js
@@ -61,7 +61,34 @@ function getUserCountry(req) {
 
 const securityHeaders = helmet({
   referrerPolicy: { policy: 'no-referrer-when-downgrade' },
-  contentSecurityPolicy: false,
+  contentSecurityPolicy: {
+    useDefaults: true,
+    directives: {
+      defaultSrc: ["'self'"],
+      frameSrc: ['*'],
+      scriptSrc: [
+        "'unsafe-inline'",
+        "'unsafe-eval'",
+        "'self'",
+        'cdnjs.cloudflare.com',
+        'assets.tokbox.com',
+        'www.google-analytics.com',
+        'https://unpkg.com/@vonage/',
+        'static.opentok.com',
+        'www.googletagmanager.com',
+        'assets.adobedtm.com',
+      ],
+      styleSrc: [
+        "'self'",
+        "'unsafe-inline'",
+        'cdnjs.cloudflare.com',
+        'assets.tokbox.com',
+        'static.opentok.com',
+      ],
+      connectSrc: ['*'],
+      imgSrc: ['*', 'data:'],
+    },
+  },
   frameGuard: false, // configured by tbConfig.allowIframing
 });
 

diff --git a/test/api/server_spec.js b/test/api/server_spec.js
@@ -73,6 +73,7 @@ describe('OpenTokRTC server', () => {
       .get('/room/unitTestRoom/info')
       .set('Accept', 'application/json')
       .expect('Content-Type', new RegExp('application/json'))
+      .expect('Content-Security-Policy', "default-src 'self';frame-src *;script-src 'unsafe-inline' 'unsafe-eval' 'self' cdnjs.cloudflare.com assets.tokbox.com www.google-analytics.com https://unpkg.com/@vonage/client-sdk-video@2/dist/js/opentok.js static.opentok.com www.googletagmanager.com assets.adobedtm.com;style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com assets.tokbox.com static.opentok.com;connect-src *;img-src * data:")
       .expect(checkForAttributes.bind(undefined, RoomInfo))
       .expect(200, done);
   });

diff --git a/test/unit/chatController_spec.js b/test/unit/chatController_spec.js
@@ -78,7 +78,7 @@ describe('ChatController', () => {
     });
 
     it('should initialize properly the object and return the handlers set when called without '
-       + 'handlers', sinon.test(function (done) {
+       + 'handlers', sinon.test((done) => {
       var expectedHandlers = {
         updatedRemotely: {
           name: 'roomStatus:updatedRemotely',
@@ -93,7 +93,7 @@ describe('ChatController', () => {
     }));
 
     it('should initialize properly the object and return the handlers set when called with '
-       + 'handlers', sinon.test(function (done) {
+       + 'handlers', sinon.test((done) => {
       var expectedHandlers = {
         updatedRemotely: {
           name: 'changedRoomStatus:changedUpdatedRemotely',