@elliemae/pui-cli 8.41.0 → 8.41.2

package/dist/cjs/server/csp.js

@@ -39,7 +39,6 @@ var import_express = __toESM(require("express"), 1);
 var import_helmet = __toESM(require("helmet"), 1);
 const CSP_REPORT_URI = "/diagnostics/v1/csp";
 const sources = [
-  "'self'",
   "http://localhost:*",
   "https://localhost:*",
   "ws://localhost:*",
@@ -47,12 +46,7 @@ const sources = [
   "*.elliemae.io",
   "*.elliemae.com",
   "*.ellieservices.com",
-  "*.ellielabs.com",
-  "https://cdn.appdynamics.com",
-  "http://pdx-col.eum-appdynamics.com",
-  "https://pdx-col.eum-appdynamics.com/",
-  "https://www.google-analytics.com",
-  "https://www.googletagmanager.com"
+  "*.ellielabs.com"
 ];
 const sendFileWithCSPNonce = ({
   buildPath,
@@ -72,36 +66,34 @@ const sendFileWithCSPNonce = ({
 };
 const getScriptSrc = () => {
   const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
-  const scriptSrc = sources.concat([source]);
+  const scriptSrc = [source, "'strict-dynamic'"];
   return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
 };
+const getStyleSrc = () => {
+  const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
+  const scriptSrc = [source, "'strict-dynamic'"];
+  return true ? scriptSrc.concat(["'unsafe-inline'"]) : scriptSrc;
+};
 const csp = (app) => {
   app.use((req, res, next) => {
-    res.locals.cspNonce = import_crypto.default.randomBytes(32).toString("hex");
+    res.locals.cspNonce = import_crypto.default.randomBytes(32).toString("base64");
     next();
   });
   app.use(
     (0, import_helmet.default)({
       contentSecurityPolicy: {
+        useDefaults: false,
         directives: {
-          baseUri: ["'self'"],
-          connectSrc: sources,
-          defaultSrc: ["'self'"],
-          fontSrc: sources.concat(["data:"]),
-          formAction: ["'self'"],
+          defaultSrc: import_helmet.default.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
+          baseUri: ["'none'"],
           frameAncestors: sources,
-          frameSrc: sources,
-          imgSrc: sources.concat(["data:"]),
           objectSrc: ["'none'"],
           scriptSrc: getScriptSrc(),
-          scriptSrcAttr: ["'none'"],
-          styleSrc: sources.concat(["'unsafe-inline'"]),
-          workerSrc: sources,
+          styleSrc: getStyleSrc(),
           upgradeInsecureRequests: [],
-          reportUri: CSP_REPORT_URI,
           reportTo: CSP_REPORT_URI
         },
-        reportOnly: true
+        reportOnly: process.env.CSP_REPORT_ONLY !== "false"
       },
       xFrameOptions: false,
       xPermittedCrossDomainPolicies: false,

package/dist/cjs/server/middlewares.js

@@ -37,6 +37,7 @@ var import_cors = __toESM(require("cors"), 1);
 var import_compression = __toESM(require("compression"), 1);
 var import_express_static_gzip = __toESM(require("express-static-gzip"), 1);
 var import_pino_http = __toESM(require("pino-http"), 1);
+var import_csp = require("./csp.js");
 var import_helpers = require("../webpack/helpers.js");
 const paths = (0, import_helpers.getPaths)();
 const setupDefaultMiddlewares = (app) => {
@@ -52,6 +53,12 @@ const setupDefaultMiddlewares = (app) => {
   app.use(pino);
   app.use((0, import_cors.default)());
   app.options("*", (0, import_cors.default)());
+  (0, import_csp.csp)(app);
+  app.set("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
+  app.set(
+    "Permissions-Policy",
+    "geolocation=(), camera=(), microphone=(), interest-cohort=()"
+  );
   app.use(import_express.default.urlencoded({ extended: false }));
   app.use(import_express.default.text({ type: "text/plain" }));
   app.use(import_express.default.json({ type: "application/json" }));
@@ -59,6 +66,9 @@ const setupDefaultMiddlewares = (app) => {
 const setupAdditionalMiddlewars = (app, options = {}) => {
   const { buildPath = paths.buildPath, basePath = paths.basePath } = options;
   app.use((0, import_compression.default)());
+  app.get(basePath, (req, res) => {
+    (0, import_csp.sendFileWithCSPNonce)({ buildPath, res });
+  });
   app.use(
     basePath,
     (0, import_express_static_gzip.default)(buildPath, {
@@ -68,5 +78,9 @@ const setupAdditionalMiddlewars = (app, options = {}) => {
     })
   );
   app.use((0, import_express_static_gzip.default)("cdn", {}));
+  app.get(
+    "*",
+    (req, res) => (0, import_csp.sendFileWithCSPNonce)({ buildPath, res })
+  );
   return app;
 };

package/dist/cjs/webpack/webpack.prod.babel.js

@@ -57,7 +57,7 @@ const getProdConfig = ({ latestVersion = true } = {}) => {
     },
     optimization: {
       moduleIds: "deterministic",
-      realContentHash: false,
+      // realContentHash: false,
       minimizer: [
         new import_esbuild_loader.EsbuildPlugin({
           target: (0, import_browserslist_to_esbuild.default)(),
@@ -115,7 +115,7 @@ const {
   basePath
 } = (0, import_helpers.getPaths)();
 const htmlWebpackPlugin = new import_html_webpack_plugin.default({
-  inject: !(0, import_helpers.isAppLoaderEnabled)(),
+  inject: !(0, import_helpers.isAppLoaderEnabled)() && process.env.CSP !== "true",
   template: !(0, import_helpers.isAppLoaderEnabled)() ? "app/index.html" : "app/index-app-loader.html",
   minify: {
     removeComments: true,

package/dist/esm/server/csp.js

@@ -5,7 +5,6 @@ import express from "express";
 import helmet from "helmet";
 const CSP_REPORT_URI = "/diagnostics/v1/csp";
 const sources = [
-  "'self'",
   "http://localhost:*",
   "https://localhost:*",
   "ws://localhost:*",
@@ -13,12 +12,7 @@ const sources = [
   "*.elliemae.io",
   "*.elliemae.com",
   "*.ellieservices.com",
-  "*.ellielabs.com",
-  "https://cdn.appdynamics.com",
-  "http://pdx-col.eum-appdynamics.com",
-  "https://pdx-col.eum-appdynamics.com/",
-  "https://www.google-analytics.com",
-  "https://www.googletagmanager.com"
+  "*.ellielabs.com"
 ];
 const sendFileWithCSPNonce = ({
   buildPath,
@@ -38,36 +32,34 @@ const sendFileWithCSPNonce = ({
 };
 const getScriptSrc = () => {
   const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
-  const scriptSrc = sources.concat([source]);
+  const scriptSrc = [source, "'strict-dynamic'"];
   return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
 };
+const getStyleSrc = () => {
+  const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
+  const scriptSrc = [source, "'strict-dynamic'"];
+  return true ? scriptSrc.concat(["'unsafe-inline'"]) : scriptSrc;
+};
 const csp = (app) => {
   app.use((req, res, next) => {
-    res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
+    res.locals.cspNonce = crypto.randomBytes(32).toString("base64");
     next();
   });
   app.use(
     helmet({
       contentSecurityPolicy: {
+        useDefaults: false,
         directives: {
-          baseUri: ["'self'"],
-          connectSrc: sources,
-          defaultSrc: ["'self'"],
-          fontSrc: sources.concat(["data:"]),
-          formAction: ["'self'"],
+          defaultSrc: helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
+          baseUri: ["'none'"],
           frameAncestors: sources,
-          frameSrc: sources,
-          imgSrc: sources.concat(["data:"]),
           objectSrc: ["'none'"],
           scriptSrc: getScriptSrc(),
-          scriptSrcAttr: ["'none'"],
-          styleSrc: sources.concat(["'unsafe-inline'"]),
-          workerSrc: sources,
+          styleSrc: getStyleSrc(),
           upgradeInsecureRequests: [],
-          reportUri: CSP_REPORT_URI,
           reportTo: CSP_REPORT_URI
         },
-        reportOnly: true
+        reportOnly: process.env.CSP_REPORT_ONLY !== "false"
       },
       xFrameOptions: false,
       xPermittedCrossDomainPolicies: false,

package/dist/esm/server/middlewares.js

@@ -3,6 +3,7 @@ import cors from "cors";
 import compression from "compression";
 import expressStaticGzip from "express-static-gzip";
 import pinoLogger from "pino-http";
+import { csp, sendFileWithCSPNonce } from "./csp.js";
 import { getPaths } from "../webpack/helpers.js";
 const paths = getPaths();
 const setupDefaultMiddlewares = (app) => {
@@ -18,6 +19,12 @@ const setupDefaultMiddlewares = (app) => {
   app.use(pino);
   app.use(cors());
   app.options("*", cors());
+  csp(app);
+  app.set("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
+  app.set(
+    "Permissions-Policy",
+    "geolocation=(), camera=(), microphone=(), interest-cohort=()"
+  );
   app.use(express.urlencoded({ extended: false }));
   app.use(express.text({ type: "text/plain" }));
   app.use(express.json({ type: "application/json" }));
@@ -25,6 +32,9 @@ const setupDefaultMiddlewares = (app) => {
 const setupAdditionalMiddlewars = (app, options = {}) => {
   const { buildPath = paths.buildPath, basePath = paths.basePath } = options;
   app.use(compression());
+  app.get(basePath, (req, res) => {
+    sendFileWithCSPNonce({ buildPath, res });
+  });
   app.use(
     basePath,
     expressStaticGzip(buildPath, {
@@ -34,6 +44,10 @@ const setupAdditionalMiddlewars = (app, options = {}) => {
     })
   );
   app.use(expressStaticGzip("cdn", {}));
+  app.get(
+    "*",
+    (req, res) => sendFileWithCSPNonce({ buildPath, res })
+  );
   return app;
 };
 export {

package/dist/esm/webpack/webpack.prod.babel.js

@@ -29,7 +29,7 @@ const getProdConfig = ({ latestVersion = true } = {}) => {
     },
     optimization: {
       moduleIds: "deterministic",
-      realContentHash: false,
+      // realContentHash: false,
       minimizer: [
         new EsbuildPlugin({
           target: browserslistToEsbuild(),
@@ -87,7 +87,7 @@ const {
   basePath
 } = getPaths();
 const htmlWebpackPlugin = new HtmlWebpackPlugin({
-  inject: !isAppLoaderEnabled(),
+  inject: !isAppLoaderEnabled() && process.env.CSP !== "true",
   template: !isAppLoaderEnabled() ? "app/index.html" : "app/index-app-loader.html",
   minify: {
     removeComments: true,