From 6eb75e09d005b90f666b06c9ef397b0b2abe9c94 Mon Sep 17 00:00:00 2001
From: Curt Tudor
Date: Tue, 6 Aug 2024 10:31:30 -0600
Subject: [PATCH] fix: add controller to 'CSP connect-src' if present (#217)
---
 src/ZitiFirstStrategy.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/ZitiFirstStrategy.ts b/src/ZitiFirstStrategy.ts
index 5d925b5..0db7b95 100644
--- a/src/ZitiFirstStrategy.ts
+++ b/src/ZitiFirstStrategy.ts
@@ -180,6 +180,11 @@ class ZitiFirstStrategy extends CacheFirst /* NetworkFirst */ {
 let origCSP = this.parseCSP(val);
 this.logger.trace( `generateNewCSP() origCSP: `, origCSP);
+ let idpURL = new URL(this._zitiBrowzerServiceWorkerGlobalScope._zitiConfig.idp.host);
+ let idpHost = idpURL.host;
+ let controllerURL = new URL(this._zitiBrowzerServiceWorkerGlobalScope._zitiConfig.controller.api);
+ let controllerHost = controllerURL.host;
+
 if (origCSP['default-src']) {
 origCSP['default-src'].push(`https://*.netfoundry.io:*`);
 origCSP['default-src'].push(`https://*.cloudziti.io`);
@@ -203,10 +208,13 @@ class ZitiFirstStrategy extends CacheFirst /* NetworkFirst */ {
 }
 if (origCSP['connect-src']) {
- origCSP['connect-src'].push(`${this._zitiBrowzerServiceWorkerGlobalScope._zitiConfig.idp.host}`);
+ origCSP['connect-src'].push(`${idpHost}`);
+ origCSP['connect-src'].push(`${this._zitiBrowzerServiceWorkerGlobalScope._zitiConfig.browzer.bootstrapper.self.host}`);
+ origCSP['connect-src'].push(`${controllerHost}`);
 origCSP['connect-src'].push(`https://*.netfoundry.io:*`);
 origCSP['connect-src'].push(`https://*.cloudziti.io`);
 origCSP['connect-src'].push(`wss://*.netfoundry.io:*`);
+ origCSP['connect-src'].push(`wss://localhost:*`);
 if (!origCSP['connect-src'].includes("data:")) {
 origCSP['connect-src'].push("data:");
 }
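Review bot: Both `new URL(...)` calls added in the first hunk (`@@ -180,6 +180,11 @@`) throw a TypeError when `_zitiConfig.idp.host` or `_zitiConfig.controller.api` is missing or is not an absolute URL. No handler is visible in the hunk, so a config without a controller would abort the CSP rewrite instead of skipping the entry as the subject's "if present" implies. Read the value defensively first, for example `const controllerApi = this._zitiBrowzerServiceWorkerGlobalScope._zitiConfig.controller?.api;`, and parse and push only when it is set. Because `.host` drops the scheme, the value later pushed to `connect-src` is a scheme-less host source; `controllerURL.origin` would pin the entry to the configured scheme. The enclosing method starts and ends outside the hunk, so an outer try/catch cannot be ruled out.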
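Review bot: The second hunk (`@@ -203,10 +208,13 @@`) appends `wss://localhost:*` to `connect-src` for every rewritten policy, which the commit subject does not mention. It widens the protected application's CSP so that page script may open WebSocket connections to any port on the user's own machine. If the entry is needed only for local development, put the push behind a configuration flag (name to be chosen by the project) and add a comment above it such as `// dev only: allows WebSocket connections to a local endpoint; keep out of production policies`. The added `browzer.bootstrapper.self.host` push has no presence check either, so an absent `host` would put the literal string `undefined` into the policy; guard it the same way as the controller entry.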