@elliemae/pui-cli 8.39.1 → 8.40.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/server/csp.js +37 -20
- package/dist/esm/server/csp.js +37 -20
- package/dist/types/tsconfig.tsbuildinfo +1 -1
- package/package.json +14 -14
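--- a/package/dist/cjs/server/csp.js
+++ b/package/dist/cjs/server/csp.js
@@ -36,16 +36,19 @@ var import_node_fs = __toESM(require("node:fs"), 1);
 var import_node_path = __toESM(require("node:path"), 1);
 var import_crypto = __toESM(require("crypto"), 1);
 var import_express = __toESM(require("express"), 1);
-var
+var import_helmet = __toESM(require("helmet"), 1);
 const CSP_REPORT_URI = "/diagnostics/v1/csp";
 const sources = [
 "'self'",
 "http://localhost:*",
+"https://localhost:*",
 "ws://localhost:*",
+"*.ice.com",
 "*.elliemae.io",
 "*.elliemae.com",
-"*.
+"*.ellieservices.com",
 "*.ellielabs.com",
+"https://cdn.appdynamics.com",
 "http://pdx-col.eum-appdynamics.com",
 "https://pdx-col.eum-appdynamics.com/",
 "https://www.google-analytics.com",
@@ -74,30 +77,44 @@ const getScriptSrc = () => {
 };
 const csp = (app) => {
 app.use((req, res, next) => {
-res.locals.cspNonce = import_crypto.default.randomBytes(
+res.locals.cspNonce = import_crypto.default.randomBytes(32).toString("hex");
 next();
 });
 app.use(
-(0,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+(0, import_helmet.default)({
+contentSecurityPolicy: {
+directives: {
+baseUri: ["'self'"],
+connectSrc: sources,
+defaultSrc: ["'self'"],
+fontSrc: sources.concat(["data:"]),
+formAction: ["'self'"],
+frameAncestors: sources,
+frameSrc: sources,
+imgSrc: sources.concat(["data:"]),
+objectSrc: ["'none'"],
+scriptSrc: getScriptSrc(),
+scriptSrcAttr: ["'none'"],
+styleSrc: sources.concat(["'unsafe-inline'"]),
+workerSrc: sources,
+upgradeInsecureRequests: [],
+reportUri: CSP_REPORT_URI,
+reportTo: CSP_REPORT_URI
+},
+reportOnly: true
 },
-
+xFrameOptions: false,
+xPermittedCrossDomainPolicies: false,
+xDownloadOptions: false,
+xXssProtection: false
+})
+);
+app.use(
+CSP_REPORT_URI,
+import_express.default.json({
+type: ["application/csp-report", "application/reports+json"]
 })
 );
-app.use(CSP_REPORT_URI, import_express.default.json({ type: "application/csp-report" }));
 app.use(CSP_REPORT_URI, (req, res) => {
 console.log("CSP Violation: ", req.body);
 res.status(204).end();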
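Review bot: `reportTo: CSP_REPORT_URI` in the new helmet directives passes a URL path where the `report-to` directive expects the name of a reporting group declared in a `Reporting-Endpoints` (or legacy `Report-To`) response header, and browsers that support `report-to` ignore `report-uri` when both are present, so unless that header is set somewhere outside this hunk, Chromium-based browsers will silently drop the violation reports that the new `application/reports+json` body parser is meant to receive. Either remove the `reportTo` line and rely on `reportUri`, or emit the header in the nonce middleware, `res.setHeader("Reporting-Endpoints", \`csp-endpoint="${CSP_REPORT_URI}"\`);`, and set `reportTo: "csp-endpoint"`. Separately, `upgradeInsecureRequests` is not applied by browsers while the policy is `reportOnly: true`, so the `http://` entries in `sources` are not upgraded by this configuration. The directives object is built once when `csp(app)` runs while `res.locals.cspNonce` is regenerated per request, so the nonce only reaches the header if `getScriptSrc` (defined outside this hunk) returns per-request callbacks; a one-line comment on the `scriptSrc` line stating that expectation would help. The same points apply to the esm build of this file in the next section.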
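--- a/package/dist/esm/server/csp.js
+++ b/package/dist/esm/server/csp.js
@@ -2,16 +2,19 @@ import fs from "node:fs";
 import path from "node:path";
 import crypto from "crypto";
 import express from "express";
-import
+import helmet from "helmet";
 const CSP_REPORT_URI = "/diagnostics/v1/csp";
 const sources = [
 "'self'",
 "http://localhost:*",
+"https://localhost:*",
 "ws://localhost:*",
+"*.ice.com",
 "*.elliemae.io",
 "*.elliemae.com",
-"*.
+"*.ellieservices.com",
 "*.ellielabs.com",
+"https://cdn.appdynamics.com",
 "http://pdx-col.eum-appdynamics.com",
 "https://pdx-col.eum-appdynamics.com/",
 "https://www.google-analytics.com",
@@ -40,30 +43,44 @@ const getScriptSrc = () => {
 };
 const csp = (app) => {
 app.use((req, res, next) => {
-res.locals.cspNonce = crypto.randomBytes(
+res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
 next();
 });
 app.use(
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+helmet({
+contentSecurityPolicy: {
+directives: {
+baseUri: ["'self'"],
+connectSrc: sources,
+defaultSrc: ["'self'"],
+fontSrc: sources.concat(["data:"]),
+formAction: ["'self'"],
+frameAncestors: sources,
+frameSrc: sources,
+imgSrc: sources.concat(["data:"]),
+objectSrc: ["'none'"],
+scriptSrc: getScriptSrc(),
+scriptSrcAttr: ["'none'"],
+styleSrc: sources.concat(["'unsafe-inline'"]),
+workerSrc: sources,
+upgradeInsecureRequests: [],
+reportUri: CSP_REPORT_URI,
+reportTo: CSP_REPORT_URI
+},
+reportOnly: true
 },
-
+xFrameOptions: false,
+xPermittedCrossDomainPolicies: false,
+xDownloadOptions: false,
+xXssProtection: false
+})
+);
+app.use(
+CSP_REPORT_URI,
+express.json({
+type: ["application/csp-report", "application/reports+json"]
 })
 );
-app.use(CSP_REPORT_URI, express.json({ type: "application/csp-report" }));
 app.use(CSP_REPORT_URI, (req, res) => {
 console.log("CSP Violation: ", req.body);
 res.status(204).end();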