eddev 2.0.0-beta.146 → 2.0.0-beta.148

@@ -1 +1 @@
1
- {"version":3,"file":"content-security.d.ts","sourceRoot":"","sources":["../../../../src/app/server/utils/content-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAA;AAC5D,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAG7D,QAAA,MAAM,QAAQ,kXAyBJ,CAAA;AAEV,MAAM,MAAM,MAAM,GAAG,CAAC,OAAO,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAA;AAE9C,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;AAEnD,MAAM,MAAM,mCAAmC,GAAG;IAChD,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,YAAY,EAAE,CAAA;CACrB,CAAA;AAED,qBAAa,mBAAmB;IAC9B,SAAS,CAAC,GAAG,EAAE,SAAS,CAAA;IACxB,SAAS,CAAC,OAAO,EAAE,OAAO,CAAgB;IAE1C,OAAO,CAAC,UAAU,CAAQ;IAC1B,OAAO,CAAC,oBAAoB,CAAO;IACnC,OAAO,CAAC,QAAQ,CAAQ;IACxB,OAAO,CAAC,gBAAgB,CAAe;IAEvC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAAA;gBAEtB,MAAM,EAAE,QAAQ;IAgC5B,eAAe,CAAC,IAAI,EAAE,WAAW,GAAG,WAAW;IAmB/C,WAAW,CAAC,IAAI,EAAE,YAAY,EAAE;IAkBhC,UAAU,IAAI,OAAO;IAWrB,iBAAiB,IAAI,MAAM,GAAG,SAAS;CAgBxC"}
1
+ {"version":3,"file":"content-security.d.ts","sourceRoot":"","sources":["../../../../src/app/server/utils/content-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAA;AAC5D,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAG7D,QAAA,MAAM,QAAQ,kXAyBJ,CAAA;AAEV,MAAM,MAAM,MAAM,GAAG,CAAC,OAAO,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAA;AAE9C,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;AAEnD,MAAM,MAAM,mCAAmC,GAAG;IAChD,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,YAAY,EAAE,CAAA;CACrB,CAAA;AAED,qBAAa,mBAAmB;IAC9B,SAAS,CAAC,GAAG,EAAE,SAAS,CAAA;IACxB,SAAS,CAAC,OAAO,EAAE,OAAO,CAAgB;IAE1C,OAAO,CAAC,UAAU,CAAQ;IAC1B,OAAO,CAAC,oBAAoB,CAAO;IACnC,OAAO,CAAC,QAAQ,CAAQ;IACxB,OAAO,CAAC,gBAAgB,CAAe;IAEvC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAAA;gBAEtB,MAAM,EAAE,QAAQ;IAgC5B,eAAe,CAAC,IAAI,EAAE,WAAW,GAAG,WAAW;IAkB/C,WAAW,CAAC,IAAI,EAAE,YAAY,EAAE;IAkBhC,UAAU,IAAI,OAAO;IAWrB,iBAAiB,IAAI,MAAM,GAAG,SAAS;CAexC"}
@@ -50,15 +50,15 @@ export class SecureHeaderBuilder {
50
50
  if (this.commonCspOrigins.length) {
51
51
  defaults.push(...this.commonCspOrigins);
52
52
  }
53
- if (this.useNonce) {
54
- defaults.push(`'nonce-${this.nonce}'`);
55
- }
56
53
  if (config.serverless.csp.values) {
57
54
  const value = config.serverless.csp.values[key];
58
55
  if (value) {
59
56
  defaults.push(...value);
60
57
  }
61
58
  }
59
+ if (this.useNonce && !defaults.includes("'unsafe-inline'")) {
60
+ defaults.push(`'nonce-${this.nonce}'`);
61
+ }
62
62
  }
63
63
  this.csp[key] = new Set(defaults);
64
64
  }
@@ -66,7 +66,6 @@ export class SecureHeaderBuilder {
66
66
  addTrackingTags(tags) {
67
67
  if (!this.autodetectCspOrigins || !this.cspEnabled)
68
68
  return tags;
69
- console.log("CSP tracking", tags);
70
69
  const handle = (value) => {
71
70
  if (value) {
72
71
  return value.replaceAll(/<(script|style)/g, (tag) => {
@@ -116,7 +115,6 @@ export class SecureHeaderBuilder {
116
115
  }
117
116
  }
118
117
  if (directives.length) {
119
- console.log("CSP directives", directives);
120
118
  return buildCsp({
121
119
  directives: Object.fromEntries(directives),
122
120
  });
@@ -124,12 +122,3 @@ export class SecureHeaderBuilder {
124
122
  return undefined;
125
123
  }
126
124
  }
127
- // default-src 'self' vercel.com *.vercel.com *.vercel.sh vercel.live *.stripe.com twitter.com *.twitter.com *.github.com *.codesandbox.io https://risk.clearbit.com wss://*.vercel.com localhost:* chrome-extension://*
128
- // script-src 'self' 'unsafe-eval' 'unsafe-inline' www.google.com www.google-analytics.com www.googleadservices.com www.gstatic.com *.youtube.com *.youtube-nocookie.com *.ytimg.com *.twimg.com cdn.ampproject.org www.googletagmanager.com *.googleapis.com *.heapanalytics.com heapanalytics.com *.fides-cdn.ethyca.com *.ethyca.com cdn.ethyca.com cdn.vercel-insights.com va.vercel-scripts.com vercel.com *.vercel.com *.vercel.sh vercel.live *.stripe.com twitter.com *.twitter.com *.github.com *.codesandbox.io https://risk.clearbit.com wss://*.vercel.com localhost:* chrome-extension://*
129
- // child-src *.youtube.com *.youtube-nocookie.com *.stripe.com www.google.com td.doubleclick.net github.com calendly.com *.vusercontent.net vercel.com *.vercel.com *.vercel.sh vercel.live *.stripe.com twitter.com *.twitter.com *.github.com *.codesandbox.io https://risk.clearbit.com wss://*.vercel.com localhost:* chrome-extension://*
130
- // style-src 'self' 'unsafe-inline' *.googleapis.com heapanalytics.com vercel.com *.vercel.com *.vercel.sh vercel.live *.stripe.com twitter.com *.twitter.com *.github.com *.codesandbox.io https://risk.clearbit.com wss://*.vercel.com localhost:* chrome-extension://*
131
- // img-src * blob: data:
132
- // media-src 'self' videos.ctfassets.net user-images.githubusercontent.com replicate.delivery blob: data: vercel.com *.vercel.com *.vercel.sh vercel.live *.stripe.com twitter.com *.twitter.com *.github.com *.codesandbox.io https://risk.clearbit.com wss://*.vercel.com localhost:* chrome-extension://*
133
- // connect-src wss://ws-us3.pusher.com data: *
134
- // font-src 'self' *.vercel.com *.gstatic.com vercel.live
135
- // worker-src 'self' *.vercel.com blob:
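Review bot: The new guard at the end of the first hunk silently drops the nonce whenever `'unsafe-inline'` is already in `defaults`, so a single entry in `config.serverless.csp.values[key]` downgrades that directive to an inline-permissive policy with no signal to the operator, and the reason for the check (presumably that CSP-aware browsers ignore `'unsafe-inline'` once a nonce is present in the same directive, so emitting both would break un-nonced inline code) is not recorded anywhere. I would add a comment above the condition, e.g. `// A nonce makes CSP-aware browsers ignore 'unsafe-inline' in this directive; skip the nonce when inline is explicitly allowed so un-nonced inline code keeps working`, and log a warning on that branch so the weakening is visible at startup. The match is an exact string compare, so `unsafe-inline` without the surrounding quotes or in different case slips past it; something like `const allowsInline = defaults.some((v) => v.replace(/'/g, '').toLowerCase() === 'unsafe-inline');` followed by `if (this.useNonce && !allowsInline)` would be more robust. The enclosing method starts before the hunk (line 50), so where `key` and `defaults` are initialised is not visible here.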
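--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "eddev",
- "version": "2.0.0-beta.146",
+ "version": "2.0.0-beta.148",
  "description": "",
  "main": "index.js",
  "type": "module",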