@elliemae/pui-cli 8.41.0 → 8.41.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/server/csp.js +4 -20
- package/dist/cjs/server/middlewares.js +14 -0
- package/dist/cjs/webpack/webpack.prod.babel.js +1 -1
- package/dist/esm/server/csp.js +4 -20
- package/dist/esm/server/middlewares.js +14 -0
- package/dist/esm/webpack/webpack.prod.babel.js +1 -1
- package/dist/types/tsconfig.tsbuildinfo +1 -1
- package/package.json +2 -2
package/dist/cjs/server/csp.js
CHANGED
|
@@ -39,7 +39,6 @@ var import_express = __toESM(require("express"), 1);
|
|
|
39
39
|
var import_helmet = __toESM(require("helmet"), 1);
|
|
40
40
|
const CSP_REPORT_URI = "/diagnostics/v1/csp";
|
|
41
41
|
const sources = [
|
|
42
|
-
"'self'",
|
|
43
42
|
"http://localhost:*",
|
|
44
43
|
"https://localhost:*",
|
|
45
44
|
"ws://localhost:*",
|
|
@@ -47,12 +46,7 @@ const sources = [
|
|
|
47
46
|
"*.elliemae.io",
|
|
48
47
|
"*.elliemae.com",
|
|
49
48
|
"*.ellieservices.com",
|
|
50
|
-
"*.ellielabs.com"
|
|
51
|
-
"https://cdn.appdynamics.com",
|
|
52
|
-
"http://pdx-col.eum-appdynamics.com",
|
|
53
|
-
"https://pdx-col.eum-appdynamics.com/",
|
|
54
|
-
"https://www.google-analytics.com",
|
|
55
|
-
"https://www.googletagmanager.com"
|
|
49
|
+
"*.ellielabs.com"
|
|
56
50
|
];
|
|
57
51
|
const sendFileWithCSPNonce = ({
|
|
58
52
|
buildPath,
|
|
@@ -72,7 +66,7 @@ const sendFileWithCSPNonce = ({
|
|
|
72
66
|
};
|
|
73
67
|
const getScriptSrc = () => {
|
|
74
68
|
const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
|
|
75
|
-
const scriptSrc =
|
|
69
|
+
const scriptSrc = [source, "strict-dynamic"];
|
|
76
70
|
return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
|
|
77
71
|
};
|
|
78
72
|
const csp = (app) => {
|
|
@@ -84,24 +78,14 @@ const csp = (app) => {
|
|
|
84
78
|
(0, import_helmet.default)({
|
|
85
79
|
contentSecurityPolicy: {
|
|
86
80
|
directives: {
|
|
87
|
-
baseUri: ["'
|
|
88
|
-
connectSrc: sources,
|
|
89
|
-
defaultSrc: ["'self'"],
|
|
90
|
-
fontSrc: sources.concat(["data:"]),
|
|
91
|
-
formAction: ["'self'"],
|
|
81
|
+
baseUri: ["'none'"],
|
|
92
82
|
frameAncestors: sources,
|
|
93
|
-
frameSrc: sources,
|
|
94
|
-
imgSrc: sources.concat(["data:"]),
|
|
95
83
|
objectSrc: ["'none'"],
|
|
96
84
|
scriptSrc: getScriptSrc(),
|
|
97
|
-
scriptSrcAttr: ["'none'"],
|
|
98
|
-
styleSrc: sources.concat(["'unsafe-inline'"]),
|
|
99
|
-
workerSrc: sources,
|
|
100
85
|
upgradeInsecureRequests: [],
|
|
101
|
-
reportUri: CSP_REPORT_URI,
|
|
102
86
|
reportTo: CSP_REPORT_URI
|
|
103
87
|
},
|
|
104
|
-
reportOnly:
|
|
88
|
+
reportOnly: process.env.CSP_REPORT_ONLY !== "false"
|
|
105
89
|
},
|
|
106
90
|
xFrameOptions: false,
|
|
107
91
|
xPermittedCrossDomainPolicies: false,
|
|
@@ -37,6 +37,7 @@ var import_cors = __toESM(require("cors"), 1);
|
|
|
37
37
|
var import_compression = __toESM(require("compression"), 1);
|
|
38
38
|
var import_express_static_gzip = __toESM(require("express-static-gzip"), 1);
|
|
39
39
|
var import_pino_http = __toESM(require("pino-http"), 1);
|
|
40
|
+
var import_csp = require("./csp.js");
|
|
40
41
|
var import_helpers = require("../webpack/helpers.js");
|
|
41
42
|
const paths = (0, import_helpers.getPaths)();
|
|
42
43
|
const setupDefaultMiddlewares = (app) => {
|
|
@@ -52,6 +53,12 @@ const setupDefaultMiddlewares = (app) => {
|
|
|
52
53
|
app.use(pino);
|
|
53
54
|
app.use((0, import_cors.default)());
|
|
54
55
|
app.options("*", (0, import_cors.default)());
|
|
56
|
+
(0, import_csp.csp)(app);
|
|
57
|
+
app.set("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
|
|
58
|
+
app.set(
|
|
59
|
+
"Permissions-Policy",
|
|
60
|
+
"geolocation=(), camera=(), microphone=(), interest-cohort=()"
|
|
61
|
+
);
|
|
55
62
|
app.use(import_express.default.urlencoded({ extended: false }));
|
|
56
63
|
app.use(import_express.default.text({ type: "text/plain" }));
|
|
57
64
|
app.use(import_express.default.json({ type: "application/json" }));
|
|
@@ -59,6 +66,9 @@ const setupDefaultMiddlewares = (app) => {
|
|
|
59
66
|
const setupAdditionalMiddlewars = (app, options = {}) => {
|
|
60
67
|
const { buildPath = paths.buildPath, basePath = paths.basePath } = options;
|
|
61
68
|
app.use((0, import_compression.default)());
|
|
69
|
+
app.get(basePath, (req, res) => {
|
|
70
|
+
(0, import_csp.sendFileWithCSPNonce)({ buildPath, res });
|
|
71
|
+
});
|
|
62
72
|
app.use(
|
|
63
73
|
basePath,
|
|
64
74
|
(0, import_express_static_gzip.default)(buildPath, {
|
|
@@ -68,5 +78,9 @@ const setupAdditionalMiddlewars = (app, options = {}) => {
|
|
|
68
78
|
})
|
|
69
79
|
);
|
|
70
80
|
app.use((0, import_express_static_gzip.default)("cdn", {}));
|
|
81
|
+
app.get(
|
|
82
|
+
"*",
|
|
83
|
+
(req, res) => (0, import_csp.sendFileWithCSPNonce)({ buildPath, res })
|
|
84
|
+
);
|
|
71
85
|
return app;
|
|
72
86
|
};
|
|
@@ -57,7 +57,7 @@ const getProdConfig = ({ latestVersion = true } = {}) => {
|
|
|
57
57
|
},
|
|
58
58
|
optimization: {
|
|
59
59
|
moduleIds: "deterministic",
|
|
60
|
-
realContentHash: false,
|
|
60
|
+
// realContentHash: false,
|
|
61
61
|
minimizer: [
|
|
62
62
|
new import_esbuild_loader.EsbuildPlugin({
|
|
63
63
|
target: (0, import_browserslist_to_esbuild.default)(),
|
package/dist/esm/server/csp.js
CHANGED
|
@@ -5,7 +5,6 @@ import express from "express";
|
|
|
5
5
|
import helmet from "helmet";
|
|
6
6
|
const CSP_REPORT_URI = "/diagnostics/v1/csp";
|
|
7
7
|
const sources = [
|
|
8
|
-
"'self'",
|
|
9
8
|
"http://localhost:*",
|
|
10
9
|
"https://localhost:*",
|
|
11
10
|
"ws://localhost:*",
|
|
@@ -13,12 +12,7 @@ const sources = [
|
|
|
13
12
|
"*.elliemae.io",
|
|
14
13
|
"*.elliemae.com",
|
|
15
14
|
"*.ellieservices.com",
|
|
16
|
-
"*.ellielabs.com"
|
|
17
|
-
"https://cdn.appdynamics.com",
|
|
18
|
-
"http://pdx-col.eum-appdynamics.com",
|
|
19
|
-
"https://pdx-col.eum-appdynamics.com/",
|
|
20
|
-
"https://www.google-analytics.com",
|
|
21
|
-
"https://www.googletagmanager.com"
|
|
15
|
+
"*.ellielabs.com"
|
|
22
16
|
];
|
|
23
17
|
const sendFileWithCSPNonce = ({
|
|
24
18
|
buildPath,
|
|
@@ -38,7 +32,7 @@ const sendFileWithCSPNonce = ({
|
|
|
38
32
|
};
|
|
39
33
|
const getScriptSrc = () => {
|
|
40
34
|
const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
|
|
41
|
-
const scriptSrc =
|
|
35
|
+
const scriptSrc = [source, "strict-dynamic"];
|
|
42
36
|
return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
|
|
43
37
|
};
|
|
44
38
|
const csp = (app) => {
|
|
@@ -50,24 +44,14 @@ const csp = (app) => {
|
|
|
50
44
|
helmet({
|
|
51
45
|
contentSecurityPolicy: {
|
|
52
46
|
directives: {
|
|
53
|
-
baseUri: ["'
|
|
54
|
-
connectSrc: sources,
|
|
55
|
-
defaultSrc: ["'self'"],
|
|
56
|
-
fontSrc: sources.concat(["data:"]),
|
|
57
|
-
formAction: ["'self'"],
|
|
47
|
+
baseUri: ["'none'"],
|
|
58
48
|
frameAncestors: sources,
|
|
59
|
-
frameSrc: sources,
|
|
60
|
-
imgSrc: sources.concat(["data:"]),
|
|
61
49
|
objectSrc: ["'none'"],
|
|
62
50
|
scriptSrc: getScriptSrc(),
|
|
63
|
-
scriptSrcAttr: ["'none'"],
|
|
64
|
-
styleSrc: sources.concat(["'unsafe-inline'"]),
|
|
65
|
-
workerSrc: sources,
|
|
66
51
|
upgradeInsecureRequests: [],
|
|
67
|
-
reportUri: CSP_REPORT_URI,
|
|
68
52
|
reportTo: CSP_REPORT_URI
|
|
69
53
|
},
|
|
70
|
-
reportOnly:
|
|
54
|
+
reportOnly: process.env.CSP_REPORT_ONLY !== "false"
|
|
71
55
|
},
|
|
72
56
|
xFrameOptions: false,
|
|
73
57
|
xPermittedCrossDomainPolicies: false,
|
|
@@ -3,6 +3,7 @@ import cors from "cors";
|
|
|
3
3
|
import compression from "compression";
|
|
4
4
|
import expressStaticGzip from "express-static-gzip";
|
|
5
5
|
import pinoLogger from "pino-http";
|
|
6
|
+
import { csp, sendFileWithCSPNonce } from "./csp.js";
|
|
6
7
|
import { getPaths } from "../webpack/helpers.js";
|
|
7
8
|
const paths = getPaths();
|
|
8
9
|
const setupDefaultMiddlewares = (app) => {
|
|
@@ -18,6 +19,12 @@ const setupDefaultMiddlewares = (app) => {
|
|
|
18
19
|
app.use(pino);
|
|
19
20
|
app.use(cors());
|
|
20
21
|
app.options("*", cors());
|
|
22
|
+
csp(app);
|
|
23
|
+
app.set("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
|
|
24
|
+
app.set(
|
|
25
|
+
"Permissions-Policy",
|
|
26
|
+
"geolocation=(), camera=(), microphone=(), interest-cohort=()"
|
|
27
|
+
);
|
|
21
28
|
app.use(express.urlencoded({ extended: false }));
|
|
22
29
|
app.use(express.text({ type: "text/plain" }));
|
|
23
30
|
app.use(express.json({ type: "application/json" }));
|
|
@@ -25,6 +32,9 @@ const setupDefaultMiddlewares = (app) => {
|
|
|
25
32
|
const setupAdditionalMiddlewars = (app, options = {}) => {
|
|
26
33
|
const { buildPath = paths.buildPath, basePath = paths.basePath } = options;
|
|
27
34
|
app.use(compression());
|
|
35
|
+
app.get(basePath, (req, res) => {
|
|
36
|
+
sendFileWithCSPNonce({ buildPath, res });
|
|
37
|
+
});
|
|
28
38
|
app.use(
|
|
29
39
|
basePath,
|
|
30
40
|
expressStaticGzip(buildPath, {
|
|
@@ -34,6 +44,10 @@ const setupAdditionalMiddlewars = (app, options = {}) => {
|
|
|
34
44
|
})
|
|
35
45
|
);
|
|
36
46
|
app.use(expressStaticGzip("cdn", {}));
|
|
47
|
+
app.get(
|
|
48
|
+
"*",
|
|
49
|
+
(req, res) => sendFileWithCSPNonce({ buildPath, res })
|
|
50
|
+
);
|
|
37
51
|
return app;
|
|
38
52
|
};
|
|
39
53
|
export {
|