Merge pull request #3121 from FlowFuse/fix-csp-again

Fix blob and add more Hubspot domains
FlowFuse · Nov 29, 2023 · 579f14a · 579f14a
2 parents dcc3b7c + 6e24fd0
commit 579f14a
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 1 deletion.
diff --git a/forge/ee/routes/deviceEditor/index.js b/forge/ee/routes/deviceEditor/index.js
@@ -235,6 +235,7 @@ module.exports = async function (app) {
                 }
             }
         },
+        helmet: false,
         handler: (request, reply) => {
             // Handle HTTP GET requests from the device
             const tunnelManager = getTunnelManager()
@@ -287,6 +288,7 @@ module.exports = async function (app) {
                 }
             }
         },
+        helmet: false,
         handler: (request, reply) => {
             const tunnelManager = getTunnelManager()
             if (tunnelManager.handleHTTP(request.params.deviceId, request, reply)) {

diff --git a/forge/forge.js b/forge/forge.js
@@ -162,7 +162,7 @@ module.exports = async (options = {}) => {
                         'base-uri': ["'self'"],
                         'default-src': ["'self'"],
                         'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
-                        'worker-src': ["'self'", 'blob'],
+                        'worker-src': ["'self'", 'blob:'],
                         'connect-src': ["'self'"],
                         'img-src': ["'self'", 'data:', 'www.gravatar.com'],
                         'font-src': ["'self'"],
@@ -227,6 +227,34 @@ module.exports = async (options = {}) => {
                 } else {
                     contentSecurityPolicy.directives['script-src'] = hubspotDomains
                 }
+                const hubspotImageDomains = [
+                    'forms-eu1.hsforms.com',
+                    'track-eu1.hubspot.com',
+                    'perf-eu1.hsforms.com'
+                ]
+                if (contentSecurityPolicy.directives['img-src'] && Array.isArray(contentSecurityPolicy.directives['img-src'])) {
+                    contentSecurityPolicy.directives['img-src'].push(...hubspotImageDomains)
+                } else {
+                    contentSecurityPolicy.directives['img-src'] = hubspotImageDomains
+                }
+                const hubspotConnectDomains = [
+                    'api-eu1.hubspot.com',
+                    'cta-eu1.hubspot.com',
+                    'forms-eu1.hscollectedforms.net'
+                ]
+                if (contentSecurityPolicy.directives['connect-src'] && Array.isArray(contentSecurityPolicy.directives['connect-src'])) {
+                    contentSecurityPolicy.directives['connect-src'].push(...hubspotConnectDomains)
+                } else {
+                    contentSecurityPolicy.directives['connect-src'] = hubspotConnectDomains
+                }
+                const hubspotFrameDomains = [
+                    'app-eu1.hubspot.com'
+                ]
+                if (contentSecurityPolicy.directives['frame-src'] && Array.isArray(contentSecurityPolicy.directives['frame-src'])) {
+                    contentSecurityPolicy.directives['frame-src'].push(...hubspotFrameDomains)
+                } else {
+                    contentSecurityPolicy.directives['frame-src'] = hubspotFrameDomains
+                }
             }
         }
 

diff --git a/test/unit/forge/configuration/http_security_spec.js b/test/unit/forge/configuration/http_security_spec.js
@@ -197,6 +197,40 @@ describe('Check HTTP Security Headers set', async () => {
             const csp = response.headers['content-security-policy']
             csp.split(';').should.containEql('script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' app.posthog.com js-eu1.hs-analytics.com js-eu1.hs-banner.com js-eu1.hs-scripts.com js-eu1.hscollectedforms.net js-eu1.hubspot.com js-eu1.usemessages.com')
         })
+        it('CSP should be enabled with hubspot and posthog empty directive', async function () {
+            const config = {
+                support: {
+                    enabled: true,
+                    frontend: {
+                        hubspot: {
+                            trackingcode: 'abcde1234'
+                        }
+                    }
+                },
+                telemetry: {
+                    frontend: {
+                        posthog: {
+                            apikey: 'abcde1234'
+                        }
+                    }
+                },
+                content_security_policy: {
+                    enabled: true,
+                    directives: {}
+                }
+            }
+            app = await FF_UTIL.setupApp(config)
+            const response = await app.inject({
+                method: 'GET',
+                url: '/'
+            })
+
+            const headers = response.headers
+            headers.should.have.property('content-security-policy')
+            const csp = response.headers['content-security-policy']
+            csp.split(';').should.containEql('script-src app.posthog.com js-eu1.hs-analytics.com js-eu1.hs-banner.com js-eu1.hs-scripts.com js-eu1.hscollectedforms.net js-eu1.hubspot.com js-eu1.usemessages.com',
+                'connect-src app.posthog.com api-eu1.hubspot.com cta-eu1.hubspot.com forms-eu1.hscollectedforms.net')
+        })
         it('CSP with sentry.io', async function () {
             const config = {
                 telemetry: {