[VULN-598] [2WI-027] Weakened CSP

rsksmart · Jan 15, 2025 · 1d1f09f · 1d1f09f
1 parent a524913
commit 1d1f09f
Show file tree

Hide file tree

Showing 8 changed files with 22 additions and 13 deletions.
diff --git a/.env.local.test b/.env.local.test
@@ -30,3 +30,4 @@ NODE_ENV=test
 VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
 VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
 VUE_APP_FLYOVER_PROVIDER_ID=2
+VUE_APP_CSP=https://staging.lps.tekscapital.com
diff --git a/.github/workflows/deploy_MainNet_UI.yml b/.github/workflows/deploy_MainNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
           VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
           VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
           VUE_APP_FLYOVER_PROVIDER_ID=2
+          VUE_APP_CSP=https://lps.tekscapital.com
           npm run-script build
 
       - name: Configure AWS credentials

diff --git a/.github/workflows/deploy_TestNet_UI.yml b/.github/workflows/deploy_TestNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
           VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
           VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
           VUE_APP_FLYOVER_PROVIDER_ID=2
+          VUE_APP_CSP=https://staging.lps.tekscapital.com
           npm run-script build
 
       - name: Configure AWS credentials

diff --git a/.github/workflows/deploy_staging_MainNet_UI.yml b/.github/workflows/deploy_staging_MainNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
           VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
           VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
           VUE_APP_FLYOVER_PROVIDER_ID=2
+          VUE_APP_CSP=https://lps.tekscapital.com
           npm run-script build
 
       - name: Configure AWS credentials

diff --git a/.github/workflows/deploy_staging_TestNet_UI.yml b/.github/workflows/deploy_staging_TestNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
           VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=20
           VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
           VUE_APP_FLYOVER_PROVIDER_ID=2
+          VUE_APP_CSP=https://staging.lps.tekscapital.com
           npm run-script build
 
       - name: Configure AWS credentials

diff --git a/src/App.vue b/src/App.vue
@@ -48,7 +48,7 @@ export default {
       script-src 'self' 'nonce-${vuetifyNonce}' 'unsafe-eval';
       script-src-elem 'self' 'unsafe-inline' https://script.hotjar.com https://www.clarity.ms/s/* https://static.hotjar.com https://*.hotjar.com https://*.hotjar.io https://api.coingecko.com/ https://*.clarity.ms https://www.clarity.ms/ https://www.gstatic.com/ https://www.google.com/recaptcha/;
       img-src data: https:;
-      connect-src 'self' 'unsafe-inline' https://www.clarity.ms/s/0.7.16/clarity.js wss://* https://*.hotjar.com https://*.hotjar.io https://www.clarity.ms/s/* wss://*.hotjar.com ${envVariables.vueAppApiBaseUrl} ${envVariables.vueAppRskNodeHost} https://lps.tekscapital.com https://testnet.lps.tekscapital.com https://staging.lps.tekscapital.com https://api.coingecko.com/* https://*.clarity.ms https://www.clarity.ms/* ;
+      connect-src 'self' 'unsafe-inline' https://www.clarity.ms/s/0.7.16/clarity.js wss://* https://*.hotjar.com https://*.hotjar.io https://www.clarity.ms/s/* wss://*.hotjar.com ${envVariables.vueAppApiBaseUrl} ${envVariables.vueAppRskNodeHost} ${envVariables.cspConfiguration} https://api.coingecko.com/* https://*.clarity.ms https://www.clarity.ms/* ;
       object-src 'none';
       frame-src https://connect.trezor.io https://www.google.com/;
       worker-src 'none';

diff --git a/src/common/types/environment-variables.ts b/src/common/types/environment-variables.ts
@@ -28,18 +28,6 @@ export class EnvironmentVariables {
 
   public debugMode: boolean;
 
-  public minFeeSatPerByte: {
-    fast: number;
-    average: number;
-    slow: number;
-  };
-
-  public miningSpeedBlock: {
-    fast: number;
-    average: number;
-    slow: number;
-  };
-
   public burnDustValue: number;
 
   public lbcAddress: string;
@@ -54,6 +42,20 @@ export class EnvironmentVariables {
 
   public flyoverProviderId: number;
 
+  public cspConfiguration: string;
+
+  public minFeeSatPerByte: {
+    fast: number;
+    average: number;
+    slow: number;
+  };
+
+  public miningSpeedBlock: {
+    fast: number;
+    average: number;
+    slow: number;
+  };
+
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   constructor(defaultValues: any = {}) {
     this.vueAppCoin = process.env.VUE_APP_COIN || defaultValues.vueAppCoin;
@@ -104,6 +106,7 @@ export class EnvironmentVariables {
       || defaultValues.grecaptchaTime;
     this.flyoverProviderId = Number(process.env.VUE_APP_FLYOVER_PROVIDER_ID)
       || defaultValues.flyoverProviderId;
+    this.cspConfiguration = process.env.VUE_APP_CSP || defaultValues.cspConfiguration;
   }
 
   public get chainId(): number {

diff --git a/src/main.ts b/src/main.ts
@@ -34,6 +34,7 @@ const defaultEnvironmentVariables = {
   flyoverPegoutDiffPercentage: 2,
   flyoverProviderId: 2,
   grecaptchaTime: constants.RECAPTCHA_NEW_TOKEN_TIME,
+  cspConfiguration: 'https://testnet.lps.tekscapital.com https://staging.lps.tekscapital.com',
 };
 
 EnvironmentAccessorService.initializeEnvironmentVariables(defaultEnvironmentVariables);