
task: added flag to remove unsafe inline style src header (#7566)
Our CSP report flags `'unsafe-inline'` in style-src as not recommended. This
PR adds a flag that makes it possible to remove that source from our CSP
headers, so we can see what (if anything) breaks hard.
chriswk authored Jul 10, 2024
1 parent 3fe110f commit 8bee33f
Showing 3 changed files with 22 additions and 10 deletions.
1 change: 1 addition & 0 deletions src/lib/__snapshots__/create-config.test.ts.snap
Expand Up @@ -145,6 +145,7 @@ exports[`should create default config 1`] = `
"personalAccessTokensKillSwitch": false,
"projectOverviewRefactorFeedback": false,
"queryMissingTokens": false,
"removeUnsafeInlineStyleSrc": false,
"resourceLimits": false,
"responseTimeMetricsFix": false,
"responseTimeWithAppNameKillSwitch": false,
24 changes: 15 additions & 9 deletions src/lib/middleware/secure-headers.ts
Expand Up @@ -5,6 +5,20 @@ import { hoursToSeconds } from 'date-fns';

const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
if (config.secureHeaders) {
const includeUnsafeInline = !config.flagResolver.isEnabled(
'removeUnsafeInlineStyleSrc',
);
const styleSrc = ["'self'"];
if (includeUnsafeInline) {
styleSrc.push("'unsafe-inline'");
}
styleSrc.push(
'cdn.getunleash.io',
'fonts.googleapis.com',
'fonts.gstatic.com',
'data:',
...config.additionalCspAllowedDomains.styleSrc,
);
const defaultHelmet = helmet({
hsts: {
maxAge: hoursToSeconds(24 * 365 * 2), // 2 non-leap years
Expand All @@ -26,15 +40,7 @@ const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
'fonts.gstatic.com',
...config.additionalCspAllowedDomains.fontSrc,
],
styleSrc: [
"'self'",
"'unsafe-inline'",
'cdn.getunleash.io',
'fonts.googleapis.com',
'fonts.gstatic.com',
'data:',
...config.additionalCspAllowedDomains.styleSrc,
],
styleSrc,
scriptSrc: [
"'self'",
'cdn.getunleash.io',
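Review bot: The flag is read once, when the middleware is built — `config.flagResolver.isEnabled('removeUnsafeInlineStyleSrc')` runs in the body of `secureHeaders(config)` before `helmet({...})` is constructed, not inside the returned request handler — so if the resolver can change at runtime the emitted CSP will not follow a toggle until the process restarts; either move the evaluation into the handler or record the limitation next to it, e.g. `// Evaluated once at startup: toggling the flag requires a restart.`. The description says the point of the flag is to observe what breaks, yet the only test change in this commit is the config snapshot; a case in the secure-headers test asserting that `Content-Security-Policy` has no `'unsafe-inline'` in `style-src` when the flag is on, and still has it by default, would pin the behaviour. As a point of style, the `const` plus conditional `push` could be one literal, `const styleSrc = ["'self'", ...(includeUnsafeInline ? ["'unsafe-inline'"] : []), 'cdn.getunleash.io', /* … */];`. The body of `secureHeaders` continues past the end of the second hunk.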
7 changes: 6 additions & 1 deletion src/lib/types/experimental.ts
Expand Up @@ -65,7 +65,8 @@ export type IFlagKey =
| 'resourceLimits'
| 'extendedMetrics'
| 'cleanApiTokenWhenOrphaned'
| 'allowOrphanedWildcardTokens';
| 'allowOrphanedWildcardTokens'
| 'removeUnsafeInlineStyleSrc';

export type IFlags = Partial<{ [key in IFlagKey]: boolean | Variant }>;

Expand Down Expand Up @@ -314,6 +315,10 @@ const flags: IFlags = {
process.env.UNLEASH_EXPERIMENTAL_CLEAN_API_TOKEN_WHEN_ORPHANED,
false,
),
removeUnsafeInlineStyleSrc: parseEnvVarBoolean(
process.env.UNLEASH_EXPERIMENTAL_REMOVE_UNSAFE_INLINE_STYLE_SRC,
false,
),
};

export const defaultExperimentalOptions: IExperimentalOptions = {
