Draft: Add csp-report header in bifrost-starter

theodo-group · Dec 13, 2022 · 34160f6 · 34160f6
1 parent 073fc44
commit 34160f6
Show file tree

Hide file tree

Showing 5 changed files with 19,807 additions and 1 deletion.
diff --git a/examples/bifrost-starter/apps/frontend/components/pages/Login/Login.tsx b/examples/bifrost-starter/apps/frontend/components/pages/Login/Login.tsx
@@ -31,6 +31,10 @@ export const Login: NextPage = () => {
         <h1>
           <FormattedMessage id="login.title" />
         </h1>
+        <img
+          src="https://www.google.com/search/static/gs/animal/cover_images/m07bgp_cover.png"
+          alt="sheep"
+        />
         <form
           className={style.form}
           method="post"

diff --git a/examples/bifrost-starter/apps/frontend/next.config.js b/examples/bifrost-starter/apps/frontend/next.config.js
@@ -1,5 +1,40 @@
 const path = require('path');
 
+// const axios = require('axios');
+
+// const slackToken = 'xoxb-YOUR-TOKEN_HERE';
+// const SLACK_CSP_REPORT_URI =
+//   'https://hooks.slack.com/workflows/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';
+
+// run().catch(err => console.log(err));
+
+// // ,"referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"default-src https://confidentiel.example.net; img-src https://confidentiel.example.net; report-uri https://hooks.slack.com/workflows/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","disposition":"report","blocked-uri":"wasm-eval","line-number":2,"column-number":170590,"source-file":"chrome-extension","status-code":200,"script-sample":""}
+// async function run() {
+//   const cspReport={
+//     "blocked-uri": "eval",
+//     "disposition": "report",
+//     "document-uri": "http://localhost:4242/login",
+//     "effective-directive": "script-src",
+//     "original-policy": "default-src https://confidentiel.example.net; img-src https://confidentiel.example.net; report-uri /api/headers",
+//     "column-number": "26",
+//     "line-number": "1889",
+//     "referrer": "http://localhost:4242/login",
+//     "script-sample": "",
+//     "source-file": "http://localhost:4242/_next/static/chunks/pages/_app.js",
+//     "status-code": "200",
+//     "violated-directive": "script-src"};
+
+//   const result = await fetch(SLACK_CSP_REPORT_URI, {
+//     method: 'POST',
+//     body: JSON.stringify(cspReport),
+//     headers: {
+//       'Content-Type': 'application/json',
+//     },
+//   });
+//   console.log(result)
+// }
+
+
 const securityHeaders = [
   {
     key: 'Strict-Transport-Security',
@@ -24,6 +59,18 @@ const securityHeaders = [
     value:
       'accelerometer=(), geolocation=(), fullscreen =(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=()',
   },
+  {
+    // The goal of the CSP header is to allow only specific sources for each type
+    // As it can block your website, we recommend using CSP-report first before adding CSP
+    key: 'Content-Security-Policy-Report-Only',
+    value: `default-src 'self' http://localhost:* https://confidentiel.example.net; img-src 'self' http://localhost:* https://confidentiel.example.net; report-uri /api/security-headers`,
+  },
+  // {
+  //   // The goal of the CSP header is to allow only specific sources for each type
+  //   // As it can block your website, we recommend using CSP-report first before adding CSP
+  //   key: 'Content-Security-Policy',
+  //   value: `default-src  https://confidentiel.example.net; img-src https://confidentiel.example.net;`,
+  // },
 ];
 
 /** @type {import('next').NextConfig} */