@forge/csp 5.4.0 → 5.5.0-next.1

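--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,17 @@
 # @forge/csp
 
+## 5.5.0-next.1
+
+### Patch Changes
+
+- ddc6274: Add localhost to frameAncestors in prod when passed in appContext
+
+## 5.5.0-next.0
+
+### Minor Changes
+
+- cd25766: Add gasv3 analytics domains
+
 ## 5.4.0
 
 ### Minor Changes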
@@ -18,14 +18,14 @@ export declare class CSPInjectionService {
18
18
  private getExistingCSPDetails;
19
19
  private getConnectSrc;
20
20
  private getFrameAncestors;
21
- getInjectableCSP: ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions, macroParentHostDomain }: {
21
+ getInjectableCSP: ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions, macroParentHost }: {
22
22
  existingCSPDetails: CSPDetails;
23
23
  microsEnv: LambdaEnvironment;
24
24
  tunnelCSPReporterUri?: string | undefined;
25
25
  hostname?: string | undefined;
26
26
  isFedRAMP?: boolean | undefined;
27
27
  icOptions?: IcOptions | undefined;
28
- macroParentHostDomain?: string | undefined;
28
+ macroParentHost?: string | undefined;
29
29
  }) => string[];
30
30
  }
31
31
  export {};
@@ -1 +1 @@
1
- {"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAEvD,aAAK,iBAAiB,GAAG;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAIF,aAAK,oBAAoB,GAAG;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,MAAM,CAAC;CAC3B,CAAC;AAEF,aAAK,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC;AA8I1D,eAAO,MAAM,qBAAqB,cAAe,iBAAiB,cAAc,SAAS,KAAG,MAAM,EAWjG,CAAC;AAMF,eAAO,MAAM,kCAAkC,UAAiE,CAAC;AAEjH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,aAAa;IA+BrB,OAAO,CAAC,iBAAiB;IA4DlB,gBAAgB;4BASD,UAAU;mBACnB,iBAAiB;;;;;;UAM1B,MAAM,EAAE,CAoFV;CACH"}
1
+ {"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAEvD,aAAK,iBAAiB,GAAG;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAIF,aAAK,oBAAoB,GAAG;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,MAAM,CAAC;CAC3B,CAAC;AAEF,aAAK,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC;AAsJ1D,eAAO,MAAM,qBAAqB,cAAe,iBAAiB,cAAc,SAAS,KAAG,MAAM,EAWjG,CAAC;AAMF,eAAO,MAAM,kCAAkC,UAAiE,CAAC;AAEjH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,aAAa;IAkCrB,OAAO,CAAC,iBAAiB;IAkElB,gBAAgB;4BASD,UAAU;mBACnB,iBAAiB;;;;;;UAM1B,MAAM,EAAE,CAoFV;CACH"}
@@ -33,6 +33,14 @@ const ATLASSIAN_HOST = {
33
33
  'fedramp-prod': 'https://api-media.atlassian-us-gov-mod.com',
34
34
  ...makeICHosts((env, icOptions) => `https://media-api.${getICDomain(env, icOptions)}`)
35
35
  },
36
+ ATLASSIAN_ANALYTICS_GATEWAY_HOST: {
37
+ dev: 'https://as-internal.dev.atl-paas.net',
38
+ stg: 'https://as-internal.stg.atl-paas.net',
39
+ prod: 'https://as-internal.prod.atl-paas.net',
40
+ 'fedramp-stg': 'https://as-internal.stg.atlassian-us-gov-mod.com',
41
+ 'fedramp-prod': 'https://as-internal.atlassian-us-gov-mod.com',
42
+ ...makeICHosts((env, icOptions) => `https://as-internal.${getICDomain(env, icOptions)}`)
43
+ },
36
44
  ATLASSIAN_AVATAR_HOST: {
37
45
  dev: 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
38
46
  stg: 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
@@ -121,12 +129,12 @@ exports.getAtlassianImageHost = getAtlassianImageHost;
121
129
  exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS = ['https://secure.gravatar.com', 'https://images.unsplash.com'];
122
130
  class CSPInjectionService {
123
131
  constructor() {
124
- this.getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions, macroParentHostDomain }) => {
132
+ this.getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions, macroParentHost }) => {
125
133
  const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(microsEnv, icOptions);
126
134
  const defaultSrc = ["'self'", ...getFOSHostDownload(microsEnv, icOptions)].join(' ');
127
135
  const frameAncestors = [
128
136
  "'self'",
129
- ...this.getFrameAncestors(microsEnv, hostname, icOptions, macroParentHostDomain),
137
+ ...this.getFrameAncestors(microsEnv, hostname, icOptions, macroParentHost),
130
138
  ...getFOSHostDownload(microsEnv, icOptions)
131
139
  ].join(' ');
132
140
  const frameSrc = [
@@ -235,6 +243,7 @@ class CSPInjectionService {
235
243
  allowed.push(metalClientCSP);
236
244
  allowed.push(`${getAtlassianHost('ATLASSIAN_API_GATEWAY_HOST', microsEnv, icOptions)}/gateway/api/emoji/`);
237
245
  allowed.push(getAtlassianHost('ATLASSIAN_MEDIA_GATEWAY_HOST', microsEnv, icOptions));
246
+ allowed.push(getAtlassianHost('ATLASSIAN_ANALYTICS_GATEWAY_HOST', microsEnv, icOptions));
238
247
  const fopGeHost = getAtlassianHost('ATLASSIAN_FOP_GE_HOST', microsEnv, icOptions);
239
248
  if (fopGeHost) {
240
249
  allowed.push(fopGeHost);
@@ -243,8 +252,9 @@ class CSPInjectionService {
243
252
  allowed.push(...getFOSHostUpload(microsEnv, icOptions));
244
253
  return allowed;
245
254
  }
246
- getFrameAncestors(microsEnv, hostname, icOptions, macroParentHostDomain) {
255
+ getFrameAncestors(microsEnv, hostname, icOptions, macroParentHost) {
247
256
  let frameAncestors = [];
257
+ const localhostWithPortRegex = /^localhost:\d+$/;
248
258
  switch (microsEnv) {
249
259
  case 'dev':
250
260
  case 'stg':
@@ -256,8 +266,8 @@ class CSPInjectionService {
256
266
  '*.atl-paas.net',
257
267
  '*.stg.atlassian.com'
258
268
  ];
259
- if (macroParentHostDomain) {
260
- frameAncestors.push(`${macroParentHostDomain}.cdn.stg.atlassian-dev.net`);
269
+ if (macroParentHost && !localhostWithPortRegex.test(macroParentHost)) {
270
+ frameAncestors.push(`${macroParentHost}.cdn.stg.atlassian-dev.net`);
261
271
  }
262
272
  break;
263
273
  case 'fedramp-stg':
@@ -281,8 +291,13 @@ class CSPInjectionService {
281
291
  '*.atlassian.com',
282
292
  '*.frontend.public.atl-paas.net'
283
293
  ];
284
- if (macroParentHostDomain) {
285
- frameAncestors.push(`${macroParentHostDomain}.cdn.prod.atlassian-dev.net`);
294
+ if (macroParentHost) {
295
+ if (localhostWithPortRegex.test(macroParentHost)) {
296
+ frameAncestors.push(macroParentHost);
297
+ }
298
+ else {
299
+ frameAncestors.push(`${macroParentHost}.cdn.prod.atlassian-dev.net`);
300
+ }
286
301
  }
287
302
  break;
288
303
  }
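Review bot: `macroParentHost` reaches the `frame-ancestors` list in `getFrameAncestors` with no check beyond the `localhost:<port>` regex, so in the prod `else` branch (and the matching dev/stg branch in the previous hunk) a value containing a space or `;` would add extra source expressions or directives to the emitted policy. Where the value comes from is not visible here (the changelog says appContext), so if it is caller-influenced it should be matched against a strict pattern before interpolation, for example `else if (/^[a-z0-9-]+$/i.test(macroParentHost)) {`, adjusted to the shape the value legitimately takes. The new prod branch also pushes `localhost:<port>` into a production policy, which allows content served on that local port to frame the app; consider gating it behind an explicit development signal and adding a comment such as `// localhost ancestor is for local macro development only`. A scheme-less `localhost:1234` source probably matches only the scheme of the protected page, so it is worth confirming that it covers the local server it is meant for. `getFrameAncestors` starts in an earlier hunk and continues past the end of this one.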
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@forge/csp",
3
- "version": "5.4.0",
3
+ "version": "5.5.0-next.1",
4
4
  "description": "Contains the CSP configuration for Custom UI resources in Forge",
5
5
  "main": "out/index.js",
6
6
  "author": "Atlassian",
@@ -11,8 +11,8 @@
11
11
  "clean": "rm -rf ./out && rm -f tsconfig.tsbuildinfo"
12
12
  },
13
13
  "devDependencies": {
14
- "@forge/cli-shared": "8.10.0",
15
- "@forge/manifest": "11.1.0",
14
+ "@forge/cli-shared": "8.11.0-next.4",
15
+ "@forge/manifest": "11.2.0-next.2",
16
16
  "@types/jest": "^29.5.14",
17
17
  "@types/node": "20.19.1",
18
18
  "cheerio": "^1.1.0"