From fd90f4e58bba1b9a8ab7f8f41adbfc4f555961fb Mon Sep 17 00:00:00 2001
From: Sulka Haro
Date: Thu, 20 Aug 2020 17:15:29 +0300
Subject: [PATCH] CSP and service worker improvements (#5856)

* Add connectSrc for Safari compatibiity
* Add new font URL for Google Fonts compatibility
* Reload on re-registering the worker
* Change Mongo version in github to fix builds
---
 .github/workflows/main.yml | 6 +++---
 app.js | 21 +++++++++++----------
 views/index.html | 4 ++++
 3 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2492267d916..e661a61ab7b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,11 +21,11 @@ jobs:
 run: npm install
 - name: Install MongoDB
 run: |
- wget -qO - https://www.mongodb.org/static/pgp/server-3.6.asc | sudo apt-key add -
- echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
+ wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
+ echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
 sudo apt-get update
 sudo apt-get install -y mongodb-org
- sudo apt-get install -y --allow-downgrades mongodb-org=3.6.14 mongodb-org-server=3.6.14 mongodb-org-shell=3.6.14 mongodb-org-mongos=3.6.14 mongodb-org-tools=3.6.14
+ sudo apt-get install -y --allow-downgrades mongodb-org=4.4.0 mongodb-org-server=4.4.0 mongodb-org-shell=4.4.0 mongodb-org-mongos=4.4.0 mongodb-org-tools=4.4.0
 - name: Start MongoDB
 run: sudo systemctl start mongod
 - name: Run Tests
diff --git a/app.js b/app.js
index a17549bc7d5..61d16c2ec6f 100644
--- a/app.js
+++ b/app.js
@@ -48,15 +48,16 @@ function create (env, ctx) {
 app.use(helmet.contentSecurityPolicy({ //TODO make NS work without 'unsafe-inline'
 directives: {
 defaultSrc: ["'self'"]
- , styleSrc: ["'self'", 'https://fonts.googleapis.com/', "'unsafe-inline'"]
+ , styleSrc: ["'self'", 'https://fonts.googleapis.com/', 'https://fonts.gstatic.com/', "'unsafe-inline'"]
 , scriptSrc: ["'self'", "'unsafe-inline'"]
- , fontSrc: ["'self'", 'https://fonts.gstatic.com/', 'data:']
+ , fontSrc: ["'self'", 'https://fonts.googleapis.com/', 'https://fonts.gstatic.com/', 'data:']
 , imgSrc: ["'self'", 'data:']
- , objectSrc: ["'none'"], // Restricts , , and elements
- reportUri: '/report-violation'
- , frameAncestors: ["'none'"], // Clickjacking protection, using frame-ancestors
- baseUri: ["'none'"], // Restricts use of the tag
- formAction: ["'self'"], // Restricts where contents may be submitted
+ , objectSrc: ["'none'"] // Restricts , , and elements
+ , reportUri: '/report-violation'
+ , frameAncestors: ["'none'"] // Clickjacking protection, using frame-ancestors
+ , baseUri: ["'none'"] // Restricts use of the tag
+ , formAction: ["'self'"] // Restricts where contents may be submitted
+ , connectSrc: ["'self'", "ws:", "wss:", 'https://fonts.googleapis.com/', 'https://fonts.gstatic.com/']
 }
 , reportOnly: secureCspReportOnly
 }));
@@ -64,11 +65,11 @@ function create (env, ctx) {
 app.use(bodyParser.json({ type: ['json', 'application/csp-report'] }));
 app.post('/report-violation', (req, res) => {
 if (req.body) {
- console.log('CSP Violation: ', req.body)
+ console.log('CSP Violation: ', req.body);
 } else {
- console.log('CSP Violation: No data received!')
+ console.log('CSP Violation: No data received!');
 }
- res.status(204).end()
+ res.status(204).end();
 })
 }
 }
diff --git a/views/index.html b/views/index.html
index 2eed4c4bbd9..1adb2f50e81 100644
--- a/views/index.html
+++ b/views/index.html
@@ -729,9 +729,13 @@
 console.log('Service worker registered');
 reg.addEventListener('updatefound', () => {
 console.log('Service worker update detected');
+ reg.update();
 const newWorker = reg.installing;
 newWorker.addEventListener('statechange', (state) => {
 console.log('New worker state change', state);
+ //reg.unregister().then(function() {
+ window.location.reload(true);
+ // });
 });
 });
 }).catch(function(error) {
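Review bot: The new `connectSrc` entry lists `ws:` and `wss:` as bare schemes, which lets the page open WebSocket connections to any host — including plaintext `ws:` — rather than only to the application's own socket endpoint; if the explicit schemes are needed because Safari does not treat `'self'` as covering WebSockets, a host-qualified source such as `wss://<socket-host>` (placeholder) would keep that intent without admitting every origin. The hunk also adds `https://fonts.googleapis.com/` to `fontSrc` and `https://fonts.gstatic.com/` to `styleSrc`, broadening each directive beyond what those hosts actually serve (stylesheets and font files respectively); if this was done to satisfy a Safari quirk, the reason belongs in a comment. I'd annotate the new line so the loosening is not silently inherited later: `, connectSrc: ["'self'", "ws:", "wss:", ...] // scheme-only ws:/wss: for Safari; TODO restrict to the socket host`. The enclosing `create` function starts before and ends after this hunk.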
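Review bot: `window.location.reload(true)` runs on every `statechange` event of the new worker, so the page reloads as the worker moves through `installed`, `activating` and `activated` (and `redundant` if it fails), not once when the update is actually live; gate it on the worker state, e.g. `if (newWorker.state === 'activated') { window.location.reload(); }` (the `true` argument is a non-standard Firefox-only flag and should be dropped). The `state` callback parameter is the event object, not a state string, so the log line prints an Event; `newWorker.state` is what is meant. Calling `reg.update()` from inside `updatefound` starts another update check while one is already in progress and may lead to repeated update/reload cycles, which is worth confirming before shipping. The commented-out `reg.unregister()` lines should be removed rather than left in place. The registration callback enclosing this block starts before and ends after the hunk.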