@forge/csp 0.0.0-experimental-c3d0263 → 0.0.0-experimental-f85f9b1

package/CHANGELOG.md

@@ -1,6 +1,66 @@
 # @forge/csp
 
-## 0.0.0-experimental-c3d0263
+## 2.1.1
+
+### Patch Changes
+
+- 907ce6c: Add navigate-to CSP directive
+
+## 2.1.1-next.0
+
+### Patch Changes
+
+- 907ce6c: Add navigate-to CSP directive
+
+## 2.1.0
+
+### Minor Changes
+
+- eeee3d3: Added ws://localhost to CSP
+
+## 2.1.0-next.0
+
+### Minor Changes
+
+- eeee3d3f: Added ws://localhost to CSP
+
+## 2.0.1
+
+### Patch Changes
+
+- 2a60561: Allow Forge Content Security Policy to load stylesheets from unpkg.com to enable an interim theme mounting solution for Atlassian Design System: Design Tokens
+
+## 2.0.1-next.0
+
+### Patch Changes
+
+- 2a605619: Allow Forge Content Security Policy to load stylesheets from unpkg.com to enable an interim theme mounting solution for Atlassian Design System: Design Tokens
+
+## 2.0.0
+
+### Major Changes
+
+- 3c0ac54: Move egress related services out of @forge/csp into new @forge/egress package
+
+## 2.0.0-next.0
+
+### Major Changes
+
+- 3c0ac54: Move egress related services out of @forge/csp into new @forge/egress package
+
+## 1.11.0
+
+### Minor Changes
+
+- 671a6a63: Skip generating hashes for inline scripts if unsafe-inline is provided
+
+## 1.11.0-next.0
+
+### Minor Changes
+
+- 671a6a6: Skip generating hashes for inline scripts if unsafe-inline is provided
+
+## 1.10.0
 
 ### Minor Changes
 

package/out/csp/csp-injection-service.d.ts

@@ -4,7 +4,8 @@ export declare class CSPInjectionService {
     private getCSPReportUri;
     private getForgeGlobalCSP;
     private getExistingCSPDetails;
+    private getConnectSrc;
     private getFrameAncestors;
-    getInjectableCSP: (existingCSPDetails: CSPDetails, env: LambdaEnvironment, tunnelCSPReporterUri?: string | undefined) => string[];
+    getInjectableCSP: (existingCSPDetails: CSPDetails, microsEnv: LambdaEnvironment, tunnelCSPReporterUri?: string) => string[];
 }
 //# sourceMappingURL=csp-injection-service.d.ts.map

package/out/csp/csp-injection-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAUvD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IAIzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,iBAAiB;IAalB,gBAAgB,uBACD,UAAU,OACzB,iBAAiB,gDAErB,MAAM,EAAE,CA4CT;CACH"}
+{"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAUvD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,iBAAiB;IAIzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,aAAa;IAQrB,OAAO,CAAC,iBAAiB;IAiBlB,gBAAgB,uBACD,UAAU,aACnB,iBAAiB,yBACL,MAAM,KAC5B,MAAM,EAAE,CAqDT;CACH"}

package/out/csp/csp-injection-service.js

@@ -10,10 +10,10 @@ const atlassianImageHosts = {
 const gravatarUrl = 'https://secure.gravatar.com';
 class CSPInjectionService {
     constructor() {
-        this.getInjectableCSP = (existingCSPDetails, env, tunnelCSPReporterUri) => {
-            const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(env);
+        this.getInjectableCSP = (existingCSPDetails, microsEnv, tunnelCSPReporterUri) => {
+            const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(microsEnv);
             const defaultSrc = `'self'`;
-            const frameAncestors = ["'self'", ...this.getFrameAncestors(env)].join(' ');
+            const frameAncestors = ["'self'", ...this.getFrameAncestors(microsEnv)].join(' ');
             const frameSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FRAME_SRC, existingCSPDetails)].join(' ');
             const fontSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FONT_SRC, existingCSPDetails)].join(' ');
             const imgSrc = [
@@ -21,7 +21,7 @@ class CSPInjectionService {
                 'data:',
                 'blob:',
                 gravatarUrl,
-                ...atlassianImageHosts[env],
+                ...atlassianImageHosts[microsEnv],
                 ...this.getExistingCSPDetails(types_1.ExternalCspType.IMG_SRC, existingCSPDetails)
             ].join(' ');
             const mediaSrc = [
@@ -30,13 +30,18 @@ class CSPInjectionService {
                 'blob:',
                 ...this.getExistingCSPDetails(types_1.ExternalCspType.MEDIA_SRC, existingCSPDetails)
             ].join(' ');
-            const connectSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.CONNECT_SRC, existingCSPDetails)].join(' ');
+            const connectSrc = [
+                "'self'",
+                ...this.getConnectSrc(!!tunnelCSPReporterUri),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.CONNECT_SRC, existingCSPDetails)
+            ].join(' ');
             const scriptSrc = [
                 "'self'",
-                this.getForgeGlobalCSP(env),
+                this.getForgeGlobalCSP(microsEnv),
                 ...this.getExistingCSPDetails(types_1.ExternalCspType.SCRIPT_SRC, existingCSPDetails)
             ].join(' ');
             const styleSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.STYLE_SRC, existingCSPDetails)].join(' ');
+            const navigateTo = ["'self'"];
             return [
                 `default-src ${defaultSrc}`,
                 `frame-ancestors ${frameAncestors}`,
@@ -46,38 +51,43 @@ class CSPInjectionService {
                 `media-src ${mediaSrc}`,
                 `connect-src ${connectSrc}`,
                 `script-src ${scriptSrc}`,
-                `style-src ${styleSrc}`,
+                `navigate-to ${navigateTo}`,
+                `style-src ${styleSrc} https://unpkg.com/@atlaskit/tokens@0.10.30/css/atlassian-light.css https://unpkg.com/@atlaskit/tokens@0.10.30/css/atlassian-dark.css`,
                 `form-action 'self'`,
                 `sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts`,
                 `report-uri ${reportUri}`
             ];
         };
     }
-    getCSPReportUri(env, tunnelCSPReporterUri) {
-        if (tunnelCSPReporterUri)
-            return tunnelCSPReporterUri;
-        if (env === 'prod')
-            return 'https://web-security-reports.services.atlassian.com/csp-report/forge-cdn';
-        return 'https://web-security-reports.stg.services.atlassian.com/csp-report/forge-cdn';
+    getCSPReportUri(microsEnv) {
+        if (microsEnv === 'dev' || microsEnv === 'stg')
+            return 'https://web-security-reports.stg.services.atlassian.com/csp-report/forge-cdn';
+        return 'https://web-security-reports.services.atlassian.com/csp-report/forge-cdn';
     }
-    getForgeGlobalCSP(env) {
-        return `https://forge.cdn.${env}.atlassian-dev.net`;
+    getForgeGlobalCSP(microsEnv) {
+        return `https://forge.cdn.${microsEnv}.atlassian-dev.net`;
     }
     getExistingCSPDetails(cspType, cspDetails) {
         var _a;
         return (_a = cspDetails[cspType]) !== null && _a !== void 0 ? _a : [];
     }
-    getFrameAncestors(env) {
-        if (env === 'prod')
-            return ['*.atlassian.net', 'bitbucket.org', '*.jira.com', '*.atlassian.com'];
-        return [
-            '*.jira-dev.com',
-            'http://localhost:*',
-            '*.devbucket.org',
-            'https://staging.bb-inf.net',
-            'https://integration.bb-inf.net',
-            '*.atl-paas.net'
-        ];
+    getConnectSrc(isTunnelling) {
+        if (isTunnelling)
+            return ['ws://localhost:*', 'http://localhost:*'];
+        return [];
+    }
+    getFrameAncestors(microsEnv) {
+        if (microsEnv === 'dev' || microsEnv === 'stg') {
+            return [
+                '*.jira-dev.com',
+                'http://localhost:*',
+                '*.devbucket.org',
+                'https://staging.bb-inf.net',
+                'https://integration.bb-inf.net',
+                '*.atl-paas.net'
+            ];
+        }
+        return ['*.atlassian.net', 'bitbucket.org', '*.jira.com', '*.atlassian.com'];
     }
 }
 exports.CSPInjectionService = CSPInjectionService;

package/out/csp/csp-processing-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAS,MAAM,iBAAiB,CAAC;AAK1D,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAE7F,qBAAa,iBAAkB,SAAQ,KAAK;;CAI3C;AAMD,qBAAa,oBAAoB;IAanB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAXnC,OAAO,CAAC,mBAAmB,CAAuB;IAElD,OAAO,CAAC,2BAA2B,CAAqD;IACxF,OAAO,CAAC,6BAA6B,CAAa;IAClD,OAAO,CAAC,oBAAoB,CAAgF;IAE5G,OAAO,CAAC,qBAAqB,CAI3B;gBAC2B,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;IAElD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAkBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,sBAAsB;IAW9B,OAAO,CAAC,2BAA2B;IAgBnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IASpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}
+{"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAS,MAAM,iBAAiB,CAAC;AAK1D,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAE7F,qBAAa,iBAAkB,SAAQ,KAAK;;CAI3C;AAMD,qBAAa,oBAAoB;IAanB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAXnC,OAAO,CAAC,mBAAmB,CAAuB;IAElD,OAAO,CAAC,2BAA2B,CAAqD;IACxF,OAAO,CAAC,6BAA6B,CAAa;IAClD,OAAO,CAAC,oBAAoB,CAAgF;IAE5G,OAAO,CAAC,qBAAqB,CAI3B;gBAC2B,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;IAElD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAkBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,sBAAsB;IAW9B,OAAO,CAAC,2BAA2B;IAgBnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IAQpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}

package/out/csp/csp-processing-service.js

@@ -71,8 +71,8 @@ class CSPProcessingService {
     }
     getScriptSrc($, userScriptSrc) {
         var _a;
-        const generatedScriptHashes = this.getInlineScriptHashes($);
         const validUserScriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((x) => this.isValidUserScriptSrc(x))) !== null && _a !== void 0 ? _a : [];
+        const generatedScriptHashes = validUserScriptSrc.includes('unsafe-inline') ? [] : this.getInlineScriptHashes($);
         const { scriptSrc, userScriptHashes } = this.extractUniqueHashes(validUserScriptSrc, generatedScriptHashes);
         return [...scriptSrc, ...generatedScriptHashes, ...userScriptHashes].map((x) => this.formatScriptSrc(x));
     }
@@ -133,7 +133,7 @@ class CSPProcessingService {
             this.logger.info('discarding potentially-malicious CSP');
             return {};
         }
-        return content_security_policy_parser_1.default(cspContent);
+        return (0, content_security_policy_parser_1.default)(cspContent);
     }
 }
 exports.CSPProcessingService = CSPProcessingService;

package/out/index.d.ts

@@ -1,4 +1,3 @@
 export * from './csp';
-export * from './egress';
 export * from './types';
 //# sourceMappingURL=index.d.ts.map

package/out/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,OAAO,CAAC;AACtB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,OAAO,CAAC;AACtB,cAAc,SAAS,CAAC"}

package/out/index.js

@@ -2,5 +2,4 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const tslib_1 = require("tslib");
 tslib_1.__exportStar(require("./csp"), exports);
-tslib_1.__exportStar(require("./egress"), exports);
 tslib_1.__exportStar(require("./types"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forge/csp",
-  "version": "0.0.0-experimental-c3d0263",
+  "version": "0.0.0-experimental-f85f9b1",
   "description": "Contains the CSP configuration for Custom UI resources in Forge",
   "main": "out/index.js",
   "author": "Atlassian",
@@ -11,13 +11,12 @@
     "clean": "rm -rf ./out && rm -f tsconfig.tsbuildinfo"
   },
   "devDependencies": {
-    "@forge/cli-shared": "^0.0.0-experimental-c3d0263",
-    "@forge/manifest": "^0.0.0-experimental-c3d0263",
-    "@types/jest": "^26.0.0"
+    "@forge/cli-shared": "0.0.0-experimental-f85f9b1",
+    "@forge/manifest": "0.0.0-experimental-f85f9b1",
+    "@types/jest": "^29.1.2"
   },
   "dependencies": {
     "cheerio": "^0.22.0",
-    "content-security-policy-parser": "^0.3.0",
-    "micromatch": "^4.0.2"
+    "content-security-policy-parser": "^0.3.0"
   }
 }

package/out/egress/egress-filtering-service.d.ts

@@ -1,11 +0,0 @@
-export declare class EgressFilteringService {
-    private readonly URLs;
-    private readonly wildcardDomains;
-    private readonly allowsEverything;
-    constructor(allowList: string[]);
-    private safeURL;
-    isValidUrl(url: string): boolean;
-    private domainCheck;
-    private domainIsAllowed;
-}
-//# sourceMappingURL=egress-filtering-service.d.ts.map

package/out/egress/egress-filtering-service.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"egress-filtering-service.d.ts","sourceRoot":"","sources":["../../src/egress/egress-filtering-service.ts"],"names":[],"mappings":"AAGA,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAQ;IAC7B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAQ;IACxC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAU;gBAE/B,SAAS,EAAE,MAAM,EAAE;IAY/B,OAAO,CAAC,OAAO;IAOR,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAQvC,OAAO,CAAC,WAAW;IAWnB,OAAO,CAAC,eAAe;CAWxB"}

package/out/egress/egress-filtering-service.js

@@ -1,46 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.EgressFilteringService = void 0;
-const tslib_1 = require("tslib");
-const micromatch_1 = tslib_1.__importDefault(require("micromatch"));
-const url_1 = require("url");
-class EgressFilteringService {
-    constructor(allowList) {
-        this.URLs = allowList
-            .filter((domainOrURL) => !domainOrURL.startsWith('*'))
-            .map((url) => this.safeURL(url));
-        this.wildcardDomains = allowList
-            .filter((domainOrURL) => domainOrURL !== '*')
-            .map((url) => this.safeURL(url))
-            .filter((url) => url.hostname.startsWith('*'));
-        this.allowsEverything = allowList.includes('*');
-    }
-    safeURL(url, defaultProtocol = 'https://') {
-        const protocolRegex = /^(.*:\/\/)/;
-        return new url_1.URL(protocolRegex.test(url) ? url : `${defaultProtocol}${url}`);
-    }
-    isValidUrl(url) {
-        if (this.allowsEverything) {
-            return true;
-        }
-        return this.domainIsAllowed(this.safeURL(url));
-    }
-    domainCheck(domain, allowList) {
-        const hostnameMatchedProtocol = allowList
-            .filter((allowed) => allowed.protocol === domain.protocol)
-            .map((url) => url.hostname);
-        return (micromatch_1.default([domain.hostname], hostnameMatchedProtocol, {
-            dot: true
-        }).length > 0);
-    }
-    domainIsAllowed(domain) {
-        if (this.domainCheck(domain, this.URLs)) {
-            return true;
-        }
-        if (this.domainCheck(domain, this.wildcardDomains)) {
-            return true;
-        }
-        return false;
-    }
-}
-exports.EgressFilteringService = EgressFilteringService;

package/out/egress/index.d.ts

@@ -1,3 +0,0 @@
-export * from './egress-filtering-service';
-export * from './utils';
-//# sourceMappingURL=index.d.ts.map

package/out/egress/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/egress/index.ts"],"names":[],"mappings":"AAEA,cAAc,4BAA4B,CAAC;AAC3C,cAAc,SAAS,CAAC"}

package/out/egress/index.js

@@ -1,5 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const tslib_1 = require("tslib");
-tslib_1.__exportStar(require("./egress-filtering-service"), exports);
-tslib_1.__exportStar(require("./utils"), exports);

package/out/egress/utils.d.ts

@@ -1,3 +0,0 @@
-declare const sortAndGroupEgressPermissionsByDomain: (egressAddresses: string[]) => Array<string>;
-export { sortAndGroupEgressPermissionsByDomain };
-//# sourceMappingURL=utils.d.ts.map

package/out/egress/utils.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/egress/utils.ts"],"names":[],"mappings":"AAGA,QAAA,MAAM,qCAAqC,oBAAqB,MAAM,EAAE,KAAG,KAAK,CAAC,MAAM,CA2BtF,CAAC;AAEF,OAAO,EAAE,qCAAqC,EAAE,CAAC"}

package/out/egress/utils.js

@@ -1,31 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sortAndGroupEgressPermissionsByDomain = void 0;
-const tslib_1 = require("tslib");
-const micromatch_1 = tslib_1.__importDefault(require("micromatch"));
-const url_1 = require("url");
-const sortAndGroupEgressPermissionsByDomain = (egressAddresses) => {
-    const protocolRegex = /^(.*?:\/\/)/;
-    const domainSet = new Set();
-    const groupSet = new Set();
-    const removeSet = new Set();
-    if ((egressAddresses === null || egressAddresses === void 0 ? void 0 : egressAddresses.length) === 0) {
-        return [];
-    }
-    egressAddresses.forEach((item) => {
-        const itemWithProtocol = protocolRegex.test(item) ? item : `https://${item}`;
-        const url = new url_1.URL(itemWithProtocol);
-        if (url.hostname.startsWith('*')) {
-            groupSet.add(url.hostname.substring(2));
-            removeSet.add('!' + url.hostname);
-        }
-        else {
-            domainSet.add(url.hostname);
-        }
-    });
-    if (removeSet.size === 0) {
-        return [...domainSet];
-    }
-    return [...new Set(micromatch_1.default([...domainSet], [...removeSet]).concat([...groupSet]))].sort();
-};
-exports.sortAndGroupEgressPermissionsByDomain = sortAndGroupEgressPermissionsByDomain;