@forge/csp 4.1.0 → 4.2.0-experimental-a6c1d53

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @forge/csp
 
+## 4.2.0-experimental-a6c1d53
+
+### Patch Changes
+
+- aebd633: Patch @forge/csp IC frame ancestors csp bug
+- abf0bb1: Add support for custom getICDomain option in CSPInjectionService
+
+## 4.2.0
+
+### Minor Changes
+
+- cfde21e: Add CSP Urls for IC environment
+
+## 4.2.0-next.0
+
+### Minor Changes
+
+- cfde21e: Add CSP Urls for IC environment
+
 ## 4.1.0
 
 ### Minor Changes

package/out/csp/csp-injection-service.d.ts

@@ -1,21 +1,31 @@
 import type { LambdaEnvironment } from '@forge/cli-shared';
 import { CSPDetails } from '../types';
-export declare const ATLASSIAN_IMAGES_HOSTS: {
-    [microsEnv in LambdaEnvironment]: string[];
+declare type StandardIcOptions = {
+    icLabel: string;
+    serviceName: string;
 };
+declare type GetICDomainIcOptions = {
+    serviceName?: string;
+    getICDomain: () => string;
+};
+declare type IcOptions = StandardIcOptions | GetICDomainIcOptions;
+export declare const getAtlassianImageHost: (microsEnv: LambdaEnvironment, icOptions?: IcOptions) => string[];
 export declare const EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS: string[];
 export declare class CSPInjectionService {
     private getCSPReportUri;
     private getForgeGlobalCSP;
+    private getMetalClientCSP;
     private getExistingCSPDetails;
     private getConnectSrc;
     private getFrameAncestors;
-    getInjectableCSP: ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP }: {
+    getInjectableCSP: ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions }: {
         existingCSPDetails: CSPDetails;
         microsEnv: LambdaEnvironment;
         tunnelCSPReporterUri?: string | undefined;
         hostname?: string | undefined;
         isFedRAMP?: boolean | undefined;
+        icOptions?: IcOptions | undefined;
     }) => string[];
 }
+export {};
 //# sourceMappingURL=csp-injection-service.d.ts.map

package/out/csp/csp-injection-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AA2DvD,eAAO,MAAM,sBAAsB,EAAE;KAAG,SAAS,IAAI,iBAAiB,GAAG,MAAM,EAAE;CA8ChF,CAAC;AAMF,eAAO,MAAM,kCAAkC,UAAiE,CAAC;AAEjH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,iBAAiB;IAMzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,aAAa;IAsBrB,OAAO,CAAC,iBAAiB;IAoClB,gBAAgB;4BAOD,UAAU;mBACnB,iBAAiB;;;;UAI1B,MAAM,EAAE,CA8DV;CACH"}
+{"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAEvD,aAAK,iBAAiB,GAAG;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAIF,aAAK,oBAAoB,GAAG;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,MAAM,CAAC;CAC3B,CAAC;AAEF,aAAK,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC;AAyG1D,eAAO,MAAM,qBAAqB,cAAe,iBAAiB,cAAc,SAAS,KAAG,MAAM,EAUjG,CAAC;AAMF,eAAO,MAAM,kCAAkC,UAAiE,CAAC;AAEjH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,aAAa;IAqBrB,OAAO,CAAC,iBAAiB;IAiDlB,gBAAgB;4BAQD,UAAU;mBACnB,iBAAiB;;;;;UAK1B,MAAM,EAAE,CA8DV;CACH"}

package/out/csp/csp-injection-service.js

@@ -1,211 +1,233 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CSPInjectionService = exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS = exports.ATLASSIAN_IMAGES_HOSTS = void 0;
+exports.CSPInjectionService = exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS = exports.getAtlassianImageHost = void 0;
 const types_1 = require("../types");
-const ATLASSIAN_API_GATEWAY_HOST = {
-    dev: 'https://api.dev.atlassian.com',
-    stg: 'https://api.stg.atlassian.com',
-    prod: 'https://api.atlassian.com',
-    'fedramp-stg': 'https://api.stg.atlassian-us-gov-mod.com',
-    'fedramp-prod': 'https://api.atlassian-us-gov-mod.com'
-};
-const ATLASSIAN_MEDIA_GATEWAY_HOST = {
-    dev: 'https://media.dev.atl-paas.net',
-    stg: 'https://media.staging.atl-paas.net',
-    prod: 'https://api.media.atlassian.com',
-    'fedramp-stg': 'https://api-media.stg.atlassian-us-gov-mod.com',
-    'fedramp-prod': 'https://api-media.atlassian-us-gov-mod.com'
-};
-const ATLASSIAN_AVATAR_HOST = {
-    dev: 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
-    stg: 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
-    prod: 'avatar-management--avatars.us-west-2.prod.public.atl-paas.net',
-    'fedramp-stg': 'avatar-management--avatars.us-east-1.staging.cdn.atlassian-us-gov-mod.com',
-    'fedramp-prod': 'avatar-management--avatars.us-east-1.prod.cdn.atlassian-us-gov-mod.com'
+const isICEnvKey = (env) => env === 'ic-prod' || env === 'ic-stg';
+const makeICDomain = (env, icLabel) => `${icLabel}.${env === 'ic-prod' ? 'atlassian-isolated.net' : 'oasis-stg.com'}`;
+const getICDomain = (env, icOptions) => {
+    if ('getICDomain' in icOptions) {
+        return icOptions.getICDomain();
+    }
+    return makeICDomain(env, icOptions.icLabel);
 };
-const ATLASSIAN_TEAM_HEADER_HOST = {
-    dev: 'https://ptc-directory-sited-static.us-east-1.staging.public.atl-paas.net/gradients/',
-    stg: 'https://ptc-directory-sited-static.us-east-1.staging.public.atl-paas.net/gradients/',
-    prod: 'https://ptc-directory-sited-static.us-east-1.prod.public.atl-paas.net/gradients/',
-    'fedramp-stg': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
-    'fedramp-prod': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/'
+const makeICHosts = (targetHostFunction) => {
+    return {
+        'ic-stg': (icOptions) => targetHostFunction('ic-stg', icOptions),
+        'ic-prod': (icOptions) => targetHostFunction('ic-prod', icOptions)
+    };
 };
-const ATLASSIAN_TEAM_AVATAR_HOST = {
-    dev: 'https://teams-directory-frontend.stg-east.frontend.public.atl-paas.net/assets/',
-    stg: 'https://teams-directory-frontend.stg-east.frontend.public.atl-paas.net/assets/',
-    prod: 'https://teams-directory-frontend.prod-east.frontend.public.atl-paas.net/assets/',
-    'fedramp-stg': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
-    'fedramp-prod': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/'
+const ATLASSIAN_HOST = {
+    ATLASSIAN_API_GATEWAY_HOST: {
+        dev: 'https://api.dev.atlassian.com',
+        stg: 'https://api.stg.atlassian.com',
+        prod: 'https://api.atlassian.com',
+        'fedramp-stg': 'https://api.stg.atlassian-us-gov-mod.com',
+        'fedramp-prod': 'https://api.atlassian-us-gov-mod.com',
+        ...makeICHosts((env, icOptions) => `https://api.${getICDomain(env, icOptions)}`)
+    },
+    ATLASSIAN_MEDIA_GATEWAY_HOST: {
+        dev: 'https://media.dev.atl-paas.net',
+        stg: 'https://media.staging.atl-paas.net',
+        prod: 'https://api.media.atlassian.com',
+        'fedramp-stg': 'https://api-media.stg.atlassian-us-gov-mod.com',
+        'fedramp-prod': 'https://api-media.atlassian-us-gov-mod.com',
+        ...makeICHosts((env, icOptions) => `https://media-api.${getICDomain(env, icOptions)}`)
+    },
+    ATLASSIAN_AVATAR_HOST: {
+        dev: 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
+        stg: 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
+        prod: 'avatar-management--avatars.us-west-2.prod.public.atl-paas.net',
+        'fedramp-stg': 'avatar-management--avatars.us-east-1.staging.cdn.atlassian-us-gov-mod.com',
+        'fedramp-prod': 'avatar-management--avatars.us-east-1.prod.cdn.atlassian-us-gov-mod.com',
+        'ic-stg': (_icOptions) => 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
+        'ic-prod': (_icOptions) => 'avatar-management--avatars.us-west-2.prod.public.atl-paas.net'
+    },
+    ATLASSIAN_TEAM_HEADER_HOST: {
+        dev: 'https://ptc-directory-sited-static.us-east-1.staging.public.atl-paas.net/gradients/',
+        stg: 'https://ptc-directory-sited-static.us-east-1.staging.public.atl-paas.net/gradients/',
+        prod: 'https://ptc-directory-sited-static.us-east-1.prod.public.atl-paas.net/gradients/',
+        'fedramp-stg': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
+        'fedramp-prod': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
+        ...makeICHosts((env, icOptions) => `https://teams-directory-frontend.services.${getICDomain(env, icOptions)}/bfa/`)
+    },
+    ATLASSIAN_TEAM_AVATAR_HOST: {
+        dev: 'https://teams-directory-frontend.stg-east.frontend.public.atl-paas.net/assets/',
+        stg: 'https://teams-directory-frontend.stg-east.frontend.public.atl-paas.net/assets/',
+        prod: 'https://teams-directory-frontend.prod-east.frontend.public.atl-paas.net/assets/',
+        'fedramp-stg': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
+        'fedramp-prod': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
+        ...makeICHosts((env, icOptions) => `https://teams-directory-frontend.services.${getICDomain(env, icOptions)}/bfa/`)
+    },
+    ATLASSIAN_EMOJIS_HOST: {
+        dev: 'https://pf-emoji-service--cdn.ap-southeast-2.dev.public.atl-paas.net',
+        stg: 'https://pf-emoji-service--cdn.us-east-1.staging.public.atl-paas.net',
+        prod: 'https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net',
+        'fedramp-stg': 'https://pf-emoji-service--cdn.us-east-1.staging.cdn.atlassian-us-gov-mod.com',
+        'fedramp-prod': 'https://pf-emoji-service--cdn.us-east-1.prod.cdn.atlassian-us-gov-mod.com',
+        ...makeICHosts((env, icOptions) => `https://pf-emoji-service.${getICDomain(env, icOptions)}`)
+    }
 };
-const ATLASSIAN_EMOJIS_HOST = {
-    dev: 'https://pf-emoji-service--cdn.ap-southeast-2.dev.public.atl-paas.net',
-    stg: 'https://pf-emoji-service--cdn.us-east-1.staging.public.atl-paas.net',
-    prod: 'https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net',
-    'fedramp-stg': 'https://pf-emoji-service--cdn.us-east-1.staging.cdn.atlassian-us-gov-mod.com',
-    'fedramp-prod': 'https://pf-emoji-service--cdn.us-east-1.prod.cdn.atlassian-us-gov-mod.com'
+const getAtlassianHost = (hostType, microsEnv, icOptions) => {
+    const hostMap = ATLASSIAN_HOST[hostType];
+    if (isICEnvKey(microsEnv)) {
+        if (!icOptions) {
+            throw new Error('Missing IC label');
+        }
+        return hostMap[microsEnv](icOptions);
+    }
+    return hostMap[microsEnv];
 };
-exports.ATLASSIAN_IMAGES_HOSTS = {
-    dev: [
-        `https://${ATLASSIAN_AVATAR_HOST['dev']}`,
-        `https://*.wp.com/${ATLASSIAN_AVATAR_HOST['dev']}/`,
-        ATLASSIAN_API_GATEWAY_HOST['dev'],
-        ATLASSIAN_MEDIA_GATEWAY_HOST['dev'],
-        ATLASSIAN_EMOJIS_HOST['dev'],
-        ATLASSIAN_TEAM_AVATAR_HOST['dev'],
-        ATLASSIAN_TEAM_HEADER_HOST['dev']
-    ],
-    stg: [
-        `https://${ATLASSIAN_AVATAR_HOST['stg']}`,
-        `https://*.wp.com/${ATLASSIAN_AVATAR_HOST['stg']}/`,
-        ATLASSIAN_API_GATEWAY_HOST['stg'],
-        ATLASSIAN_MEDIA_GATEWAY_HOST['stg'],
-        ATLASSIAN_EMOJIS_HOST['stg'],
-        ATLASSIAN_TEAM_AVATAR_HOST['stg'],
-        ATLASSIAN_TEAM_HEADER_HOST['stg']
-    ],
-    prod: [
-        `https://${ATLASSIAN_AVATAR_HOST['prod']}`,
-        `https://*.wp.com/${ATLASSIAN_AVATAR_HOST['prod']}/`,
-        ATLASSIAN_API_GATEWAY_HOST['prod'],
-        ATLASSIAN_MEDIA_GATEWAY_HOST['prod'],
-        ATLASSIAN_EMOJIS_HOST['prod'],
-        ATLASSIAN_TEAM_AVATAR_HOST['prod'],
-        ATLASSIAN_TEAM_HEADER_HOST['prod']
-    ],
-    'fedramp-stg': [
-        `https://${ATLASSIAN_AVATAR_HOST['fedramp-stg']}`,
-        `https://*.wp.com/${ATLASSIAN_AVATAR_HOST['fedramp-stg']}/`,
-        ATLASSIAN_API_GATEWAY_HOST['fedramp-stg'],
-        ATLASSIAN_MEDIA_GATEWAY_HOST['fedramp-stg'],
-        ATLASSIAN_EMOJIS_HOST['fedramp-stg'],
-        ATLASSIAN_TEAM_AVATAR_HOST['fedramp-stg'],
-        ATLASSIAN_TEAM_HEADER_HOST['fedramp-stg']
-    ],
-    'fedramp-prod': [
-        `https://${ATLASSIAN_AVATAR_HOST['fedramp-prod']}`,
-        `https://*.wp.com/${ATLASSIAN_AVATAR_HOST['fedramp-prod']}/`,
-        ATLASSIAN_API_GATEWAY_HOST['fedramp-prod'],
-        ATLASSIAN_MEDIA_GATEWAY_HOST['fedramp-prod'],
-        ATLASSIAN_EMOJIS_HOST['fedramp-prod'],
-        ATLASSIAN_TEAM_AVATAR_HOST['fedramp-prod'],
-        ATLASSIAN_TEAM_HEADER_HOST['fedramp-prod']
-    ]
+const getAtlassianImageHost = (microsEnv, icOptions) => {
+    return [
+        `https://${getAtlassianHost('ATLASSIAN_AVATAR_HOST', microsEnv, icOptions)}`,
+        `https://*.wp.com/${getAtlassianHost('ATLASSIAN_AVATAR_HOST', microsEnv, icOptions)}/`,
+        getAtlassianHost('ATLASSIAN_API_GATEWAY_HOST', microsEnv, icOptions),
+        getAtlassianHost('ATLASSIAN_MEDIA_GATEWAY_HOST', microsEnv, icOptions),
+        getAtlassianHost('ATLASSIAN_EMOJIS_HOST', microsEnv, icOptions),
+        getAtlassianHost('ATLASSIAN_TEAM_AVATAR_HOST', microsEnv, icOptions),
+        getAtlassianHost('ATLASSIAN_TEAM_HEADER_HOST', microsEnv, icOptions)
+    ];
 };
+exports.getAtlassianImageHost = getAtlassianImageHost;
 exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS = ['https://secure.gravatar.com', 'https://images.unsplash.com'];
 class CSPInjectionService {
-    getCSPReportUri(microsEnv) {
+    constructor() {
+        this.getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions }) => {
+            const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(microsEnv, icOptions);
+            const defaultSrc = `'self'`;
+            const frameAncestors = ["'self'", ...this.getFrameAncestors(microsEnv, hostname, icOptions)].join(' ');
+            const frameSrc = ["'self'", hostname, ...this.getExistingCSPDetails(types_1.ExternalCspType.FRAME_SRC, existingCSPDetails)]
+                .filter((a) => a)
+                .join(' ');
+            const fontSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FONT_SRC, existingCSPDetails)].join(' ');
+            const imgSrc = [
+                "'self'",
+                'data:',
+                'blob:',
+                hostname,
+                ...exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS,
+                ...(0, exports.getAtlassianImageHost)(microsEnv, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.IMG_SRC, existingCSPDetails)
+            ]
+                .filter((a) => a)
+                .join(' ');
+            const mediaSrc = [
+                "'self'",
+                'data:',
+                'blob:',
+                hostname,
+                getAtlassianHost('ATLASSIAN_MEDIA_GATEWAY_HOST', microsEnv, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.MEDIA_SRC, existingCSPDetails)
+            ]
+                .filter((a) => a)
+                .join(' ');
+            const connectSrc = [
+                "'self'",
+                ...this.getConnectSrc(microsEnv, !!tunnelCSPReporterUri, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.CONNECT_SRC, existingCSPDetails)
+            ].join(' ');
+            const scriptSrc = [
+                "'self'",
+                this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.SCRIPT_SRC, existingCSPDetails)
+            ].join(' ');
+            const styleSrc = [
+                "'self'",
+                this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.STYLE_SRC, existingCSPDetails)
+            ].join(' ');
+            return [
+                `default-src ${defaultSrc}`,
+                `frame-ancestors ${frameAncestors}`,
+                `frame-src ${frameSrc}`,
+                `font-src ${fontSrc}`,
+                `img-src ${imgSrc}`,
+                `media-src ${mediaSrc}`,
+                `connect-src ${connectSrc}`,
+                `script-src ${scriptSrc}`,
+                `style-src ${styleSrc}`,
+                `form-action 'self'`,
+                `sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts`,
+                `report-uri ${reportUri}`
+            ];
+        };
+    }
+    getCSPReportUri(microsEnv, icOptions) {
+        const serviceName = isICEnvKey(microsEnv) && icOptions ? icOptions.serviceName : 'forge-cdn';
         if (microsEnv === 'dev' || microsEnv === 'stg')
-            return 'https://web-security-reports.stg.services.atlassian.com/csp-report/forge-cdn';
-        return 'https://web-security-reports.services.atlassian.com/csp-report/forge-cdn';
+            return `https://web-security-reports.stg.services.atlassian.com/csp-report/${serviceName}`;
+        return `https://web-security-reports.services.atlassian.com/csp-report/${serviceName}`;
     }
-    getForgeGlobalCSP(microsEnv, isFedRAMP = false) {
+    getForgeGlobalCSP(microsEnv, isFedRAMP = false, icOptions) {
+        if (isICEnvKey(microsEnv) && icOptions) {
+            return `https://forge.forge-cdn.${getICDomain(microsEnv, icOptions)}`;
+        }
         return isFedRAMP
             ? `https://forge.cdn.${microsEnv.split('-')[1]}.atlassian-dev-us-gov-mod.net`
             : `https://forge.cdn.${microsEnv}.atlassian-dev.net`;
     }
+    getMetalClientCSP(microsEnv, icOptions) {
+        if (isICEnvKey(microsEnv) && icOptions) {
+            return `https://api.${getICDomain(microsEnv, icOptions)}/metal/ingest`;
+        }
+        return `https://api.${microsEnv === 'prod' ? '' : 'stg.'}atlassian.com/metal/ingest`;
+    }
     getExistingCSPDetails(cspType, cspDetails) {
-        return cspDetails[cspType] ?? [];
+        var _a;
+        return (_a = cspDetails[cspType]) !== null && _a !== void 0 ? _a : [];
     }
-    getConnectSrc(microsEnv, isTunnelling) {
+    getConnectSrc(microsEnv, isTunnelling, icOptions) {
         const allowed = [];
         if (isTunnelling) {
             allowed.push(...['ws://localhost:*', 'http://localhost:*']);
         }
-        allowed.push(`https://api.${microsEnv === 'prod' ? '' : 'stg.'}atlassian.com/metal/ingest`);
-        allowed.push(`${ATLASSIAN_API_GATEWAY_HOST[microsEnv]}/gateway/api/emoji/`);
-        allowed.push(ATLASSIAN_MEDIA_GATEWAY_HOST[microsEnv]);
+        const metalClientCSP = this.getMetalClientCSP(microsEnv, icOptions);
+        allowed.push(metalClientCSP);
+        allowed.push(`${getAtlassianHost('ATLASSIAN_API_GATEWAY_HOST', microsEnv, icOptions)}/gateway/api/emoji/`);
+        allowed.push(getAtlassianHost('ATLASSIAN_MEDIA_GATEWAY_HOST', microsEnv, icOptions));
         return allowed;
     }
-    getFrameAncestors(microsEnv, hostname) {
+    getFrameAncestors(microsEnv, hostname, icOptions) {
         let frameAncestors = [];
-        if (microsEnv === 'dev' || microsEnv === 'stg') {
-            frameAncestors = [
-                '*.jira-dev.com',
-                'http://localhost:*',
-                'http://devbucket.localhost',
-                'https://integration.bb-inf.net',
-                '*.atl-paas.net',
-                '*.stg.atlassian.com'
-            ];
-        }
-        else if (microsEnv === 'fedramp-stg') {
-            frameAncestors = ['*.atlassian-stg-fedm.net'];
-        }
-        else if (microsEnv === 'fedramp-prod') {
-            frameAncestors = ['*.atlassian-us-gov-mod.net'];
-        }
-        else {
-            frameAncestors = [
-                '*.atlassian.net',
-                'bitbucket.org',
-                '*.jira.com',
-                '*.atlassian.com',
-                '*.frontend.public.atl-paas.net'
-            ];
+        switch (microsEnv) {
+            case 'dev':
+            case 'stg':
+                frameAncestors = [
+                    '*.jira-dev.com',
+                    'http://localhost:*',
+                    'http://devbucket.localhost',
+                    'https://integration.bb-inf.net',
+                    '*.atl-paas.net',
+                    '*.stg.atlassian.com'
+                ];
+                break;
+            case 'fedramp-stg':
+                frameAncestors = ['*.atlassian-stg-fedm.net'];
+                break;
+            case 'fedramp-prod':
+                frameAncestors = ['*.atlassian-us-gov-mod.net'];
+                break;
+            case 'ic-stg':
+            case 'ic-prod':
+                if (icOptions) {
+                    frameAncestors = [`*.${getICDomain(microsEnv, icOptions)}`];
+                }
+                break;
+            case 'prod':
+            default:
+                frameAncestors = [
+                    '*.atlassian.net',
+                    'bitbucket.org',
+                    '*.jira.com',
+                    '*.atlassian.com',
+                    '*.frontend.public.atl-paas.net'
+                ];
+                break;
         }
         if (hostname) {
             frameAncestors.push(hostname);
         }
         return frameAncestors;
     }
-    getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP }) => {
-        const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(microsEnv);
-        const defaultSrc = `'self'`;
-        const frameAncestors = ["'self'", ...this.getFrameAncestors(microsEnv, hostname)].join(' ');
-        const frameSrc = ["'self'", hostname, ...this.getExistingCSPDetails(types_1.ExternalCspType.FRAME_SRC, existingCSPDetails)]
-            .filter((a) => a)
-            .join(' ');
-        const fontSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FONT_SRC, existingCSPDetails)].join(' ');
-        const imgSrc = [
-            "'self'",
-            'data:',
-            'blob:',
-            hostname,
-            ...exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS,
-            ...exports.ATLASSIAN_IMAGES_HOSTS[microsEnv],
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.IMG_SRC, existingCSPDetails)
-        ]
-            .filter((a) => a)
-            .join(' ');
-        const mediaSrc = [
-            "'self'",
-            'data:',
-            'blob:',
-            hostname,
-            ATLASSIAN_MEDIA_GATEWAY_HOST[microsEnv],
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.MEDIA_SRC, existingCSPDetails)
-        ]
-            .filter((a) => a)
-            .join(' ');
-        const connectSrc = [
-            "'self'",
-            ...this.getConnectSrc(microsEnv, !!tunnelCSPReporterUri),
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.CONNECT_SRC, existingCSPDetails)
-        ].join(' ');
-        const scriptSrc = [
-            "'self'",
-            this.getForgeGlobalCSP(microsEnv, isFedRAMP),
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.SCRIPT_SRC, existingCSPDetails)
-        ].join(' ');
-        const styleSrc = [
-            "'self'",
-            this.getForgeGlobalCSP(microsEnv, isFedRAMP),
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.STYLE_SRC, existingCSPDetails)
-        ].join(' ');
-        return [
-            `default-src ${defaultSrc}`,
-            `frame-ancestors ${frameAncestors}`,
-            `frame-src ${frameSrc}`,
-            `font-src ${fontSrc}`,
-            `img-src ${imgSrc}`,
-            `media-src ${mediaSrc}`,
-            `connect-src ${connectSrc}`,
-            `script-src ${scriptSrc}`,
-            `style-src ${styleSrc}`,
-            `form-action 'self'`,
-            `sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts`,
-            `report-uri ${reportUri}`
-        ];
-    };
 }
 exports.CSPInjectionService = CSPInjectionService;

package/out/csp/csp-processing-service.js

@@ -12,22 +12,22 @@ class InvalidConnectSrc extends Error {
 }
 exports.InvalidConnectSrc = InvalidConnectSrc;
 class CSPProcessingService {
-    logger;
-    STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
-    QUOTED_SCRIPT_SRC_ALLOWLIST = ['unsafe-inline', 'unsafe-eval', 'unsafe-hashes'];
-    UNQUOTED_SCRIPT_SRC_ALLOWLIST = ['blob:'];
-    SCRIPT_SRC_ALLOWLIST = [...this.QUOTED_SCRIPT_SRC_ALLOWLIST, ...this.UNQUOTED_SCRIPT_SRC_ALLOWLIST];
-    BASE_64_HASH_PATTERNS = [
-        /^sha256-[a-zA-Z0-9=+/]{44}$/,
-        /^sha384-[a-zA-Z0-9=+/]{64}$/,
-        /^sha512-[a-zA-Z0-9=+/]{88}$/
-    ];
     constructor(logger) {
         this.logger = logger;
+        this.STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
+        this.QUOTED_SCRIPT_SRC_ALLOWLIST = ['unsafe-inline', 'unsafe-eval', 'unsafe-hashes'];
+        this.UNQUOTED_SCRIPT_SRC_ALLOWLIST = ['blob:'];
+        this.SCRIPT_SRC_ALLOWLIST = [...this.QUOTED_SCRIPT_SRC_ALLOWLIST, ...this.UNQUOTED_SCRIPT_SRC_ALLOWLIST];
+        this.BASE_64_HASH_PATTERNS = [
+            /^sha256-[a-zA-Z0-9=+/]{44}$/,
+            /^sha384-[a-zA-Z0-9=+/]{64}$/,
+            /^sha512-[a-zA-Z0-9=+/]{88}$/
+        ];
     }
     getCspDetails(body, permissions) {
-        const { scripts, styles } = permissions?.content ?? { scripts: [], styles: [] };
-        const external = permissions?.external ?? {};
+        var _a, _b;
+        const { scripts, styles } = (_a = permissions === null || permissions === void 0 ? void 0 : permissions.content) !== null && _a !== void 0 ? _a : { scripts: [], styles: [] };
+        const external = (_b = permissions === null || permissions === void 0 ? void 0 : permissions.external) !== null && _b !== void 0 ? _b : {};
         const $ = (0, cheerio_1.load)(body, { xml: { xmlMode: false } });
         const { 'script-src': scriptSrc, 'style-src': styleSrc, ...mappedExternalCsp } = this.mapExternalPermissionsToCsp(external);
         return {
@@ -37,14 +37,15 @@ class CSPProcessingService {
         };
     }
     getInvalidCspPermissions(contentPermissions) {
+        var _a, _b;
         const { styles, scripts } = contentPermissions;
-        const invalidStyles = styles?.filter((styleSrc) => !this.isValidUserStyleSrc(`'${styleSrc}'`)) ?? [];
-        const invalidScripts = scripts?.filter((scriptSrc) => !this.isValidUserScriptSrc(scriptSrc)) ?? [];
+        const invalidStyles = (_a = styles === null || styles === void 0 ? void 0 : styles.filter((styleSrc) => !this.isValidUserStyleSrc(`'${styleSrc}'`))) !== null && _a !== void 0 ? _a : [];
+        const invalidScripts = (_b = scripts === null || scripts === void 0 ? void 0 : scripts.filter((scriptSrc) => !this.isValidUserScriptSrc(scriptSrc))) !== null && _b !== void 0 ? _b : [];
         return [...invalidStyles, ...invalidScripts];
     }
     assertValidFetchClient(fetch) {
-        if (fetch?.client) {
-            for (const client of fetch?.client) {
+        if (fetch === null || fetch === void 0 ? void 0 : fetch.client) {
+            for (const client of fetch === null || fetch === void 0 ? void 0 : fetch.client) {
                 if (typeof client !== 'string') {
                     throw new InvalidConnectSrc();
                 }
@@ -52,42 +53,46 @@ class CSPProcessingService {
         }
     }
     egressesToStringMap(externalPermissions) {
-        return externalPermissions?.map((egress) => (typeof egress === 'object' ? egress.address : egress));
+        return externalPermissions === null || externalPermissions === void 0 ? void 0 : externalPermissions.map((egress) => (typeof egress === 'object' ? egress.address : egress));
     }
     mapExternalPermissionsToCsp(externalPermissions) {
+        var _a, _b, _c, _d, _e, _f, _g;
         const { images, media, scripts, fetch, styles, fonts, frames } = externalPermissions;
         this.assertValidFetchClient(fetch);
         return {
-            'img-src': this.egressesToStringMap(images) ?? [],
-            'media-src': this.egressesToStringMap(media) ?? [],
-            'script-src': this.egressesToStringMap(scripts) ?? [],
-            'style-src': this.egressesToStringMap(styles) ?? [],
-            'connect-src': fetch?.client ?? [],
-            'font-src': this.egressesToStringMap(fonts) ?? [],
-            'frame-src': this.egressesToStringMap(frames) ?? []
+            'img-src': (_a = this.egressesToStringMap(images)) !== null && _a !== void 0 ? _a : [],
+            'media-src': (_b = this.egressesToStringMap(media)) !== null && _b !== void 0 ? _b : [],
+            'script-src': (_c = this.egressesToStringMap(scripts)) !== null && _c !== void 0 ? _c : [],
+            'style-src': (_d = this.egressesToStringMap(styles)) !== null && _d !== void 0 ? _d : [],
+            'connect-src': (_e = fetch === null || fetch === void 0 ? void 0 : fetch.client) !== null && _e !== void 0 ? _e : [],
+            'font-src': (_f = this.egressesToStringMap(fonts)) !== null && _f !== void 0 ? _f : [],
+            'frame-src': (_g = this.egressesToStringMap(frames)) !== null && _g !== void 0 ? _g : []
         };
     }
     getStyleSrc($, userStyleSrc) {
-        const quotedUserStyleSrc = userStyleSrc?.map((x) => `'${x}'`) ?? [];
-        const deprecatedUserStyleSrc = this.getDeprecatedUserCsp($)['style-src'] ?? [];
+        var _a, _b;
+        const quotedUserStyleSrc = (_a = userStyleSrc === null || userStyleSrc === void 0 ? void 0 : userStyleSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
+        const deprecatedUserStyleSrc = (_b = this.getDeprecatedUserCsp($)['style-src']) !== null && _b !== void 0 ? _b : [];
         const uniqueStyleSrc = [...new Set([...deprecatedUserStyleSrc, ...quotedUserStyleSrc])];
         return uniqueStyleSrc.filter((x) => this.isValidUserStyleSrc(x));
     }
     getScriptSrc($, userScriptSrc) {
-        const validUserScriptSrc = userScriptSrc?.filter((x) => this.isValidUserScriptSrc(x)) ?? [];
+        var _a;
+        const validUserScriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((x) => this.isValidUserScriptSrc(x))) !== null && _a !== void 0 ? _a : [];
         const generatedScriptHashes = validUserScriptSrc.includes('unsafe-inline') ? [] : this.getInlineScriptHashes($);
         const { scriptSrc, userScriptHashes } = this.extractUniqueHashes(validUserScriptSrc, generatedScriptHashes);
         return [...scriptSrc, ...generatedScriptHashes, ...userScriptHashes].map((x) => this.formatScriptSrc(x));
     }
     extractUniqueHashes(userScriptSrc, existingScriptHashes) {
+        var _a;
         const userScriptHashes = [];
-        const scriptSrc = userScriptSrc?.filter((scriptSrc) => {
+        const scriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((scriptSrc) => {
             const isValidHash = this.isValidHash(scriptSrc);
             if (isValidHash && !existingScriptHashes.includes(scriptSrc)) {
                 userScriptHashes.push(scriptSrc);
             }
             return !isValidHash;
-        }) ?? [];
+        })) !== null && _a !== void 0 ? _a : [];
         return { scriptSrc, userScriptHashes };
     }
     getInlineScriptHashes($) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forge/csp",
-  "version": "4.1.0",
+  "version": "4.2.0-experimental-a6c1d53",
   "description": "Contains the CSP configuration for Custom UI resources in Forge",
   "main": "out/index.js",
   "author": "Atlassian",
@@ -11,8 +11,8 @@
     "clean": "rm -rf ./out && rm -f tsconfig.tsbuildinfo"
   },
   "devDependencies": {
-    "@forge/cli-shared": "8.1.0",
-    "@forge/manifest": "10.1.0",
+    "@forge/cli-shared": "8.2.0",
+    "@forge/manifest": "10.2.0",
     "@types/jest": "^29.5.14",
     "@types/node": "20.19.1"
   },